Threat: BPFDoor

Abnormal Process ID or Lock File Created

Oct 18, 2024 · Domain: Endpoint OS: Linux Use Case: Threat Detection Tactic: Execution Threat: BPFDoor Resources: Investigation Guide Data Source: Elastic Defend Data Source: Elastic Endgame ·

Share on:

Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.

Binary Executed from Shared Memory Directory

May 22, 2024 · Domain: Endpoint OS: Linux Use Case: Threat Detection Tactic: Execution Threat: BPFDoor Data Source: Elastic Endgame Data Source: Elastic Defend ·

Share on:

Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.

Process Started from Process ID (PID) File

May 22, 2024 · Domain: Endpoint OS: Linux Use Case: Threat Detection Tactic: Execution Threat: BPFDoor Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Auditd Manager ·

Share on:

Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.