
Kernel Instrumentation Discovery via kprobes and tracefs

Elastic Detection Rules

Summary
This detection rule identifies suspicious access to kernel instrumentation hooks on Linux systems, specifically the directories associated with kprobes and tracefs under debugfs/tracefs. An adversary enumerating these paths may be preparing to use advanced monitoring techniques such as eBPF (extended Berkeley Packet Filter) or kernel tracing, which can serve malicious ends including stealthy monitoring or rootkit functionality.

The rule uses EQL (Event Query Language) to alert when processes, usually benign utilities such as 'cat', 'grep', 'ls' and several others, access paths that expose kernel instrumentation; such access often precedes more invasive activity. Because legitimate system administrators also read these directories during routine performance diagnostics, the rule stresses contextual investigation to separate malicious from benign activity.

The detailed investigation steps cover reviewing command-line history, establishing the user's normal behaviour, and checking for evidence of kernel instrumentation being set up by malicious scripts. False positives are expected, since many administrative tasks legitimately involve these utilities. The suggested response is immediate containment, including isolating affected systems and removing unauthorized kernel instrumentation configurations. Overall, the rule is a monitoring control that gives insight into potential kernel manipulation attempts so the security posture can be adapted to the activity patterns observed.
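The following is an added example, not Elastic's rule code: a small EQL-style matcher that mirrors the condition described above (a common utility touching a kprobes/tracefs path) and runs it over constructed process events, attaching the context the investigation steps ask for. The path prefixes, the utility set, the event fields and the `likely_benign_admin` heuristic are all assumptions, since the page does not publish the rule's exact query.

```python
"""Added example (not Elastic's rule): EQL-like matcher for kprobes/tracefs access."""
from dataclasses import dataclass

# Assumed path patterns: the page names kprobes and tracefs under
# debugfs/tracefs but does not list the rule's exact paths.
INSTRUMENTATION_PREFIXES = (
    "/sys/kernel/debug/tracing/",
    "/sys/kernel/tracing/",
    "/sys/kernel/debug/kprobes/",
)
# The page lists cat, grep and ls "and several others"; this set is illustrative.
WATCHED_UTILITIES = frozenset({"cat", "grep", "ls"})


@dataclass
class ProcessEvent:
    """Constructed stand-in for a process-start event (field names assumed)."""
    name: str
    args: list
    user: str
    parent: str


def touches_instrumentation(args):
    """True if any argument points into a kprobes/tracefs directory."""
    return any(a.startswith(INSTRUMENTATION_PREFIXES) for a in args)


def match_rule(ev):
    """Equivalent of the rule's `process where ...` condition: a watched
    utility with an instrumentation path on its command line."""
    return ev.name in WATCHED_UTILITIES and touches_instrumentation(ev.args)


def triage(events):
    """Apply the rule and attach who ran it, from what parent, and which paths."""
    hits = []
    for ev in events:
        if not match_rule(ev):
            continue
        paths = [a for a in ev.args if a.startswith(INSTRUMENTATION_PREFIXES)]
        # Assumed heuristic: root in an interactive shell is the classic
        # false positive (an admin doing performance diagnostics).
        benign = ev.user == "root" and ev.parent in ("bash", "zsh")
        hits.append({"process": ev.name, "user": ev.user, "parent": ev.parent,
                     "paths": paths, "likely_benign_admin": benign})
    return hits


SAMPLE_EVENTS = [  # constructed sample input
    ProcessEvent("ls", ["ls", "/sys/kernel/tracing/events/kprobes"], "root", "bash"),
    ProcessEvent("cat", ["cat", "/sys/kernel/debug/tracing/kprobe_events"], "www-data", "php-fpm"),
    ProcessEvent("cat", ["cat", "/etc/hostname"], "root", "bash"),
    ProcessEvent("bpftrace", ["bpftrace", "-l", "kprobe:*"], "root", "bash"),  # not a watched utility
]
```

Note that the last sample event shows the rule's scope: a dedicated tracing tool listing kprobes is not caught by this rule, which only keys on the common utilities.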
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Container
  • Kernel
  • Application Log
ATT&CK Techniques
  • T1082
  • T1014
Created: 2026-02-20