BPFtrace Unsafe Option Usage

calendar Aug 12, 2024 · attack.execution attack.t1059.004  ·
Share on: linkedin copy

Detects the usage of the unsafe bpftrace option

Sigma rule (View on GitHub)

 1title: BPFtrace Unsafe Option Usage
 2id: f8341cb2-ee25-43fa-a975-d8a5a9714b39
 3status: test
 4description: Detects the usage of the unsafe bpftrace option
 5references:
 6    - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
 7    - https://bpftrace.org/
 8author: Andreas Hunkeler (@Karneades)
 9date: 2022-02-11
10tags:
11    - attack.execution
12    - attack.t1059.004
13logsource:
14    category: process_creation
15    product: linux
16detection:
17    selection:
18        Image|endswith: 'bpftrace'
19        CommandLine|contains: '--unsafe'
20    condition: selection
21falsepositives:
22    - Legitimate usage of the unsafe option
23level: medium

References

  • Offensive BPF: Malicious bpftrace 🤯 · Embrace The Red

    This post is part of a series about Offensive BPF that I’m working on to learn about BPF to understand attacks and defenses, click the “ebpf” tag to see all relevant posts. I’m learning BPF to unde...


    Read More

  • bpftrace

    High-level tracing language for Linux systems Documentation Tutorial Community forum Bug tracker IRC Github Example Produce a histogram of time (in nanoseconds) spent in read(2): // read.bt file tr...


    Read More

Related rules

to-top