BPFtrace Unsafe Option Usage

 1title: BPFtrace Unsafe Option Usage
 2id: f8341cb2-ee25-43fa-a975-d8a5a9714b39
 3status: test
 4description: Detects the usage of the unsafe bpftrace option
 5references:
 6    - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
 7    - https://bpftrace.org/
 8author: Andreas Hunkeler (@Karneades)
 9date: 2022/02/11
10tags:
11    - attack.execution
12    - attack.t1059.004
13logsource:
14    category: process_creation
15    product: linux
16detection:
17    selection:
18        Image|endswith: 'bpftrace'
19        CommandLine|contains: '--unsafe'
20    condition: selection
21falsepositives:
22    - Legitimate usage of the unsafe option
23level: medium

References

• Offensive BPF: Malicious bpftrace 🤯 · Embrace The Red

  

  This post is part of a series about Offensive BPF that I’m working on to learn about BPF to understand attacks and defenses, click the “ebpf” tag to see all relevant posts. I’m learning BPF to unde...

  
  Read More

• bpftrace

  bpftrace High-level tracing language for Linux systems Reference guide Tutorial Community forum Bug tracker IRC Github Example Produce a histogram of time (in nanoseconds) spent in read(2): // read...

  
  Read More

Related rules

• Powershell Execute Batch Script
• Scheduled task executing powershell encoded payload from registry
• MOFComp Execution
• Operator Bloopers Cobalt Strike Commands
• Operator Bloopers Cobalt Strike Modules