Adversaries may use the unsafe bpftrace option to execute arbitrary code with elevated privileges, bypassing standard kernel restrictions. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential privilege escalation attempts and mitigate advanced persistent threats.
Detection Rule
title: BPFtrace Unsafe Option Usage
id: f8341cb2-ee25-43fa-a975-d8a5a9714b39
status: test
description: Detects the usage of the unsafe bpftrace option
references:
- https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
- https://bpftrace.org/
author: Andreas Hunkeler (@Karneades)
date: 2022-02-11
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: 'bpftrace'
CommandLine|contains: '--unsafe'
condition: selection
falsepositives:
- Legitimate usage of the unsafe option
level: medium
imProcessCreate
| where TargetProcessName endswith "bpftrace" and TargetProcessCommandLine contains "--unsafe"Scenario: A system administrator is using bpftrace to monitor network traffic for troubleshooting purposes.
Filter/Exclusion: Exclude processes where the command line includes --unsafe and the user is a root or admin with a known troubleshooting task.
Scenario: A scheduled job runs a script that uses bpftrace with the --unsafe flag to collect system performance metrics.
Filter/Exclusion: Exclude processes where the command line includes --unsafe and the process is owned by a service account with a known job schedule.
Scenario: A developer is testing a bpftrace script that includes unsafe options for debugging purposes.
Filter/Exclusion: Exclude processes where the command line includes --unsafe and the user is part of a development team with a documented testing environment.
Scenario: A security tool or EDR (Endpoint Detection and Response) solution uses bpftrace with unsafe options to gather forensic data.
Filter/Exclusion: Exclude processes where the command line includes --unsafe and the process is associated with a known security tool or EDR agent.
Scenario: A DevOps pipeline runs a bpftrace script during a CI/CD build to validate system behavior under load.
Filter/Exclusion: Exclude processes where the command line includes --unsafe and the process is initiated by a CI/CD system with a known build configuration.