
Potential Suspicious BPF Activity - Linux

Sigma Rules

Summary
This detection rule identifies potentially suspicious activity associated with the use of eBPF (extended Berkeley Packet Filter) on Linux systems. Specifically, it targets the kernel warning messages emitted when a program uses the BPF helper function 'bpf_probe_write_user', which can indicate that an eBPF program may be manipulating kernel memory or performing actions that could lead to user account control breaches or other forms of exploits. Such activities are often associated with persistence methods in malware and can serve to evade defense mechanisms. Administrators should monitor systems for these warning messages, as they may reveal unauthorized use of eBPF features. It is crucial to correlate findings with other security events to assess the context and severity of the alerts raised by this rule.
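To make the detection concrete, the following Python script is an added example, not part of the Sigma rule or of this page. It scans syslog-style lines for the kernel warning the rule keys on and pulls out the process name and PID so an analyst can pivot to the loading process. The warning text follows the format the kernel prints from kernel/trace/bpf_trace.c ("<comm>[<pid>] is installing a program with bpf_probe_write_user helper that may corrupt user memory!"); the syslog prefix and the sample lines are constructed, and the `BpfAlert` type and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Kernel warning emitted when a BPF program that uses the bpf_probe_write_user
# helper is loaded. The message body matches the pr_warn_ratelimited() format
# in kernel/trace/bpf_trace.c; the syslog prefix around it is assumed.
WARNING_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\] is installing a program with "
    r"bpf_probe_write_user helper that may corrupt user memory!"
)


@dataclass(frozen=True)
class BpfAlert:
    """One matched log line with the loader's comm and PID for triage."""
    line: str
    comm: str
    pid: int


def match_line(line: str) -> Optional[BpfAlert]:
    """Return an alert if the line carries the bpf_probe_write_user warning.

    The Sigma rule itself is a substring match on the helper name; the regex
    adds structured extraction. If the helper name is present but the message
    format differs (older kernel, rewrapped line), fall back to a coarse alert
    so the event is not silently dropped.
    """
    m = WARNING_RE.search(line)
    if m:
        return BpfAlert(line=line, comm=m.group("comm"), pid=int(m.group("pid")))
    if "bpf_probe_write_user" in line:
        return BpfAlert(line=line, comm="?", pid=-1)
    return None


def scan(lines: Iterable[str]) -> list[BpfAlert]:
    """Run the detection over an iterable of log lines."""
    return [a for a in (match_line(l) for l in lines) if a is not None]


# Constructed sample syslog lines (hypothetical hostnames, PIDs and timestamps).
SAMPLE_LOG = """\
Jan 25 10:12:01 host01 kernel: [  120.123456] audit: type=1400 audit(1674641521.001:42): apparmor="STATUS"
Jan 25 10:12:07 host01 kernel: [  126.654321] bpf_tool[4242] is installing a program with bpf_probe_write_user helper that may corrupt user memory!
Jan 25 10:12:09 host01 sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 51234 ssh2
Jan 25 10:13:00 host01 kernel: [  180.000001] loader[5151] is installing a program with bpf_probe_write_user helper that may corrupt user memory!
""".splitlines()


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"pid={alert.pid} comm={alert.comm}: {alert.line}")
```

Because the kernel rate-limits this warning, a single line may stand for several loads; the extracted PID is the value to correlate with process-creation and BPF program-load events before deciding how serious the alert is.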
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Kernel
Created: 2023-01-25