BPF Kprobe

# Rule : BPF and Kprobe Tracing Detection ## Description Detects the use of BPF (Berkeley Packet Filter) and kprobes with potentially unsafe or enabled tracing configurations. These tools are powerful for system monitoring and debugging but can also be misused for malicious purposes, such as extracting sensitive information or manipulating system behavior. - Source: [Sigma rule for detecting BPF and kprobe tracing](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml) ## Detection Logic - Monitors process command lines for specific patterns indicating the use of BPF and kprobes with potentially risky configurations: - `bpftrace` with the `--unsafe` flag, which allows BPF trace scripts to perform potentially unsafe operations. - `kprobes` with `enable`, indicating kprobe tracing is enabled. ## Tags - BPF - Kprobes - Tracing Detection - Process Events - Linux ## Search Query ```kql DeviceProcessEvents | where ProcessCommandLine has_all ("bpftrace", "--unsafe") or ProcessCommandLine has_all ("kprobes", "enable")

Explanation

This query is designed to detect potentially unsafe or enabled tracing configurations using BPF (Berkeley Packet Filter) and kprobes on a Linux system. Here's a simple summary:

Purpose: To identify the use of BPF and kprobes with configurations that could be risky or misused for malicious activities.
Detection Logic:
- It looks for processes that use bpftrace with the --unsafe flag, which allows potentially unsafe operations.
- It also checks for processes that use kprobes with the enable keyword, indicating that kprobe tracing is enabled.
Query: The query searches through process events to find command lines containing these specific patterns.

In essence, this query helps in monitoring and detecting the use of powerful system monitoring tools that could be exploited for harmful purposes.

KQL Search

Query

Explanation

Details

Actions