Query Details

Rule : BPF and Kprobe Tracing Detection

BPF Kprobe

Query

DeviceProcessEvents
| where ProcessCommandLine has_all ("bpftrace", "--unsafe") or ProcessCommandLine has_all ("kprobes", "enable")

About this query

Rule : BPF and Kprobe Tracing Detection

Description

Detects the use of BPF (Berkeley Packet Filter) and kprobes with potentially unsafe or enabled tracing configurations. These tools are powerful for system monitoring and debugging but can also be misused for malicious purposes, such as extracting sensitive information or manipulating system behavior.

Detection Logic

  • Monitors process command lines for specific patterns indicating the use of BPF and kprobes with potentially risky configurations:
    • bpftrace with the --unsafe flag, which allows BPF trace scripts to perform potentially unsafe operations.
    • kprobes with enable, indicating kprobe tracing is enabled.

Tags

  • BPF
  • Kprobes
  • Tracing Detection
  • Process Events
  • Linux

Search Query

Explanation

This query is designed to detect potentially unsafe or enabled tracing configurations using BPF (Berkeley Packet Filter) and kprobes on a Linux system. Here's a simple summary:

  1. Purpose: To identify the use of BPF and kprobes with configurations that could be risky or misused for malicious activities.
  2. Detection Logic:
    • It looks for processes that use bpftrace with the --unsafe flag, which allows potentially unsafe operations.
    • It also checks for processes that use kprobes with the enable keyword, indicating that kprobe tracing is enabled.
  3. Query: The query searches through process events to find command lines containing these specific patterns.

In essence, this query helps in monitoring and detecting the use of powerful system monitoring tools that could be exploited for harmful purposes.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 8, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsLinux

Operators

has_allor

Actions

GitHub