
BPFDoor Abnormal Process ID or Lock File Accessed

Detects access to BPFDoor .lock and .pid files in the temporary file storage facility.

Author: Rafal Piasecki
Created: Wed Aug 10
Updated: Mon Mar 30
ID: 808146b2-9332-4d78-9416-d7e47012d83d
Product: linux
Log Source
Product: linux
Service: auditd
Detection Logic
detection:
    selection:
        type: 'PATH'
        name:
            - /var/run/aepmonend.pid
            - /var/run/auditd.lock
            - /var/run/cma.lock
            - /var/run/console-kit.pid
            - /var/run/consolekit.pid
            - /var/run/daemon.pid
            - /var/run/hald-addon.pid
            - /var/run/hald-smartd.pid
            - /var/run/haldrund.pid
            - /var/run/hp-health.pid
            - /var/run/hpasmlit.lock
            - /var/run/hpasmlited.pid
            - /var/run/kdevrund.pid
            - /var/run/lldpad.lock
            - /var/run/mcelog.pid
            - /var/run/system.pid
            - /var/run/uvp-srv.pid
            - /var/run/vmtoolagt.pid
            - /var/run/xinetd.lock
    condition: selection
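To show which auditd records the selection above actually fires on, here is an added Python matcher (not code from the rule or from SigmaHQ) that applies the same test, type PATH and name in the list, to a few constructed audit log lines. The sample lines and the field parser are my own assumptions about auditd's key=value layout.

```python
import re

# File names copied from the rule's selection list.
BPFDOOR_PID_LOCK_FILES = {
    "/var/run/aepmonend.pid", "/var/run/auditd.lock", "/var/run/cma.lock",
    "/var/run/console-kit.pid", "/var/run/consolekit.pid", "/var/run/daemon.pid",
    "/var/run/hald-addon.pid", "/var/run/hald-smartd.pid", "/var/run/haldrund.pid",
    "/var/run/hp-health.pid", "/var/run/hpasmlit.lock", "/var/run/hpasmlited.pid",
    "/var/run/kdevrund.pid", "/var/run/lldpad.lock", "/var/run/mcelog.pid",
    "/var/run/system.pid", "/var/run/uvp-srv.pid", "/var/run/vmtoolagt.pid",
    "/var/run/xinetd.lock",
}

# Constructed sample records (not real captures): one BPFDoor-style hit, one
# benign pid file under /var/run, and a SYSCALL record that carries no name.
SAMPLE_AUDIT_LOG = [
    'type=PATH msg=audit(1660000000.123:456): item=0 name="/var/run/haldrund.pid" '
    'inode=1234 dev=00:19 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=PATH msg=audit(1660000000.124:457): item=0 name="/var/run/sshd.pid" '
    'inode=1235 dev=00:19 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1660000000.123:456): arch=c000003e syscall=257 '
    'success=yes exit=3 uid=0 key="bpfdoor"',
]

# auditd writes key=value pairs; values with special characters are double-quoted.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_record(line: str) -> dict:
    """Split one raw auditd line into a {key: value} dict, unquoting values."""
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def matches_rule(record: dict) -> bool:
    """Mirror the Sigma selection: type must be PATH and name must be listed."""
    return record.get("type") == "PATH" and record.get("name") in BPFDOOR_PID_LOCK_FILES


def scan(lines) -> list:
    """Return the name field of every record the rule would alert on."""
    return [rec["name"] for rec in map(parse_audit_record, lines) if matches_rule(rec)]


if __name__ == "__main__":
    for name in scan(SAMPLE_AUDIT_LOG):
        print("BPFDoor pid/lock file accessed:", name)
```

auditd only produces PATH records for syscalls that some audit rule covers, for example a watch such as `-w /var/run/ -p rwa -k bpfdoor` in audit.rules; without such a rule there is nothing for this detection to match.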
False Positives
Unlikely

False positives are unlikely in most environments; this is a high-confidence detection.

Rule Metadata
Rule ID
808146b2-9332-4d78-9416-d7e47012d83d
Status
test
Level
high
Type
Detection
Created
Wed Aug 10
Modified
Mon Mar 30
Path
rules/linux/auditd/path/lnx_auditd_bpfdoor_file_accessed.yml
Raw Tags
attack.execution, attack.t1106, attack.t1059