
Summary
This detection rule identifies the execution of `bpftool` commands that may be used to tamper with eBPF programs and maps on Linux systems. The rule focuses on actions that detach eBPF programs or links and on modifications to eBPF maps, which can indicate attempts to evade defenses or manipulate system behavior at the kernel level. Because eBPF is used for enhanced observability and security controls, unauthorized use can signal malicious intent or runtime manipulation aimed at avoiding detection or disabling critical enforcement mechanisms. The included investigation guide walks through steps for analyzing the context of these executions, correlated user activity, captured state, and system logs in order to distinguish legitimate administrative actions from malicious activity. It also discusses common false positives during routine maintenance and highlights best practices for protecting eBPF functionality in production environments against tampering.
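As an added illustration, not part of the rule or its detection logic, the following Python script applies the same idea to constructed process-execution events: it flags `bpftool` invocations whose object/verb pair detaches a program or link or modifies a map, while leaving read-only subcommands such as `prog show` or `map dump` alone. The subcommand list, the event format and the sample values are assumptions made for this example.

```python
import shlex

# bpftool object/verb pairs that detach programs or links or modify maps;
# read-only verbs such as "prog show" or "map dump" are deliberately excluded.
# This list is an assumption for the example, not the rule's own logic.
TAMPERING_ACTIONS = {
    ("prog", "detach"), ("link", "detach"),
    ("cgroup", "detach"), ("net", "detach"),
    ("map", "update"), ("map", "delete"),
}

def classify_bpftool(command_line):
    """Return (object, verb) when the command line is a bpftool call
    matching a tampering action, otherwise None."""
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: not a parsable command line
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "bpftool":
        return None
    # Drop global options such as -j/--json or -p that may precede the object.
    words = [a for a in argv[1:] if not a.startswith("-")]
    if len(words) < 2:
        return None
    pair = (words[0], words[1])
    return pair if pair in TAMPERING_ACTIONS else None

def scan_events(events):
    """Return (pid, user, object, verb, command_line) for each matching event."""
    findings = []
    for ev in events:
        hit = classify_bpftool(ev["command_line"])
        if hit:
            findings.append((ev["pid"], ev["user"], hit[0], hit[1], ev["command_line"]))
    return findings

# Constructed sample process events for this example (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4101, "user": "root", "command_line": "bpftool prog show"},
    {"pid": 4102, "user": "root", "command_line": "/usr/sbin/bpftool link detach id 42"},
    {"pid": 4103, "user": "ops", "command_line": "bpftool -j map dump id 7"},
    {"pid": 4104, "user": "ops", "command_line": "bpftool map delete id 7 key 0 0 0 1"},
    {"pid": 4105, "user": "root", "command_line": "bpftool cgroup detach /sys/fs/cgroup/x ingress id 5"},
]

if __name__ == "__main__":
    for pid, user, obj, verb, cmd in scan_events(SAMPLE_EVENTS):
        print(f"pid={pid} user={user} action={obj} {verb}: {cmd}")
```

Each hit is a starting point for the investigation steps the guide describes (who ran it, from which session, and whether a maintenance window explains it), not a verdict on its own.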
Categories
- Linux
- Endpoint
- Cloud
- Infrastructure
- Application
Data Sources
- Process
- Logon Session
- Command
- User Account
- Network Traffic
ATT&CK Techniques
- T1562
- T1562.001
- T1014
Created: 2026-02-20