Detectionhightest

Potential Suspicious BPF Activity - Linux

Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Red Canary, Nasreddine Bencherchali (Nextron Systems)Created Wed Jan 250fadd880-6af3-4610-b1e5-008dc3a11b8alinux

Log Source

Linux

ProductLinux← raw: linux

Detection Logic

detection:
    selection:
        - 'bpf_probe_write_user'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion

Rule Metadata

Rule ID

0fadd880-6af3-4610-b1e5-008dc3a11b8a

Status

test

Level

high

Type

Detection

Created

Wed Jan 25

Author

Red Canary, Nasreddine Bencherchali (Nextron Systems)

Path

rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml

Raw Tags

attack.persistenceattack.defense-evasion

View on GitHub