Enable BPF Kprobes Tracing

 1title: Enable BPF Kprobes Tracing
 2id: 7692f583-bd30-4008-8615-75dab3f08a99
 3status: test
 4description: Detects common command used to enable bpf kprobes tracing
 5references:
 6    - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
 7    - https://bpftrace.org/
 8    - https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023/01/25
11tags:
12    - attack.execution
13    - attack.defense_evasion
14logsource:
15    category: process_creation
16    product: linux
17detection:
18    selection:
19        CommandLine|contains|all:
20            - 'echo 1 >'
21            - '/sys/kernel/debug/tracing/events/kprobes/'
22        CommandLine|contains:
23            - '/myprobe/enable'
24            - '/myretprobe/enable'
25    condition: selection
26falsepositives:
27    - Unknown
28level: medium

References

• Offensive BPF: Malicious bpftrace 🤯 · Embrace The Red

  

  This post is part of a series about Offensive BPF that I’m working on to learn about BPF to understand attacks and defenses, click the “ebpf” tag to see all relevant posts. I’m learning BPF to unde...

  
  Read More

• bpftrace

  bpftrace High-level tracing language for Linux systems Reference guide Tutorial Community forum Bug tracker IRC Github Example Produce a histogram of time (in nanoseconds) spent in read(2): // read...

  
  Read More

• Kprobe-based Event Tracing — The Linux Kernel documentation

  Kprobe-based Event Tracing Overview These events are similar to tracepoint based events. Instead of Tracepoint, this is based on kprobes (kprobe and kretprobe). So it can probe wherever kprobes can...

  
  Read More

Related rules

• Potential Exploitation Attempt From Office Application
• Potential PowerShell Obfuscation Using Alias Cmdlets
• Potential PowerShell Obfuscation Using Character Join
• PowerShell Base64 Encoded WMI Classes
• Suspicious Digital Signature Of AppX Package