The hypothesis is that an adversary is attempting to enable BPF Kprobes tracing to gain visibility into kernel-level system calls and potentially evade detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential kernel-level persistence or monitoring activities that may indicate advanced persistent threats.
Detection Rule
title: Enable BPF Kprobes Tracing
id: 7692f583-bd30-4008-8615-75dab3f08a99
status: test
description: Detects common command used to enable bpf kprobes tracing
references:
    - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
    - https://bpftrace.org/
    - https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-25
tags:
    - attack.execution
    - attack.defense-evasion
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|contains|all:
            - 'echo 1 >'
            - '/sys/kernel/debug/tracing/events/kprobes/'
        CommandLine|contains:
            - '/myprobe/enable'
            - '/myretprobe/enable'
    condition: selection
falsepositives:
    - Unknown
level: medium
imProcessCreate
| where (TargetProcessCommandLine contains "echo 1 >" and TargetProcessCommandLine contains "/sys/kernel/debug/tracing/events/kprobes/") and (TargetProcessCommandLine contains "/myprobe/enable" or TargetProcessCommandLine contains "/myretprobe/enable")
Scenario: Systemd unit file configuration
Description: A systemd unit file may include a command to enable BPF kprobes tracing as part of a service initialization or runtime configuration.
Filter/Exclusion: Check for systemd or systemctl in the command line, and exclude commands that appear in known systemd unit files (e.g., /etc/systemd/system/*.service).
Scenario: Kernel module loading with BPF support
Description: Loading a kernel module that uses BPF kprobes may trigger the rule if the module initialization includes tracing commands.
Filter/Exclusion: Filter commands that include insmod, modprobe, or lsmod and check against known BPF-compatible kernel modules.
Scenario: Scheduled job for performance monitoring
Description: A scheduled job (e.g., via cron or systemd-timedate) may run a script that enables BPF kprobes for performance analysis.
Filter/Exclusion: Exclude commands that appear in cron jobs or systemd timers (e.g., /etc/cron.d/, /etc/systemd/system/timer.target).
Scenario: Debugging with BCC (BPF Compiler Collection)
Description: Tools like bcc or bpftrace may use BPF kprobes for debugging or monitoring purposes, which could trigger the rule.
Filter/Exclusion: Filter commands that include bcc, bpftrace, or tracepoint and check for known BCC tooling usage patterns.
Scenario: Security tool integration with BPF tracing
Description: Security tools such as OSSEC, Suricata, or Zeek may use BPF kprobes for enhanced packet inspection or event logging.
Filter/Exclusion: Exclude commands that are part
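The following is an added example, not part of the Sigma rule or the Sentinel query above: a plain-Python evaluator that applies the rule's selection logic (both `contains|all` strings plus one of the two probe names, matched case-insensitively as Sigma and KQL `contains` do) to constructed process_creation events, and then applies the five false-positive scenarios as suppression filters. The `TargetProcessCommandLine` field name comes from the query; the `ParentProcessName` and `ParentProcessCommandLine` fields, the `KNOWN_UNIT_COMMANDS` allowlist, and the parent-process reading of the truncated security-tool scenario are assumptions made for this illustration.

```python
"""Added example: rule selection logic plus false-positive tuning filters,
run over constructed events. Not the page's own code; Parent* fields assumed."""
from dataclasses import dataclass
from typing import List, Optional

# Strings copied from the rule's detection block. Sigma `contains` and KQL
# `contains` are case-insensitive, so matching is done on lower-cased text.
REQUIRED_ALL = ("echo 1 >", "/sys/kernel/debug/tracing/events/kprobes/")
REQUIRED_ANY = ("/myprobe/enable", "/myretprobe/enable")


@dataclass
class ProcessEvent:
    """Minimal process_creation event. The rule needs only the command line;
    the parent fields are assumed here to support the tuning filters."""
    TargetProcessCommandLine: str
    ParentProcessName: str = ""         # assumed field
    ParentProcessCommandLine: str = ""  # assumed field


def rule_matches(cmdline: str) -> bool:
    """Selection: every REQUIRED_ALL substring AND at least one REQUIRED_ANY."""
    c = cmdline.lower()
    return all(s in c for s in REQUIRED_ALL) and any(s in c for s in REQUIRED_ANY)


# Constructed allowlist standing in for commands harvested from reviewed
# unit files under /etc/systemd/system/*.service (scenario 1).
KNOWN_UNIT_COMMANDS = {
    "/bin/sh -c 'echo 1 > /sys/kernel/debug/tracing/events/kprobes/myprobe/enable'",
}
MODULE_TOOLS = ("insmod", "modprobe", "lsmod")          # scenario 2
CRON_PARENTS = ("cron", "crond")                        # scenario 3
CRON_PATHS = ("/etc/cron.d/", "/etc/cron.daily/")       # scenario 3
BPF_TOOLS = ("bcc", "bpftrace", "tracepoint")           # scenario 4
SECURITY_TOOL_PARENTS = ("ossec", "suricata", "zeek")   # scenario 5 (assumed reading)


def exclusion_reason(ev: ProcessEvent) -> Optional[str]:
    """Return why a matching event should be suppressed, or None to alert."""
    cmd = ev.TargetProcessCommandLine
    low = cmd.lower()
    parent = ev.ParentProcessName.lower()
    if (parent == "systemd" or "systemctl" in low) and cmd in KNOWN_UNIT_COMMANDS:
        return "known systemd unit"
    if any(t in low for t in MODULE_TOOLS):
        return "kernel module tooling"
    if parent in CRON_PARENTS or any(p in ev.ParentProcessCommandLine for p in CRON_PATHS):
        return "scheduled job"
    if any(t in low for t in BPF_TOOLS) or parent == "bpftrace":
        return "BCC/bpftrace tooling"
    if parent in SECURITY_TOOL_PARENTS:
        return "security tool integration"
    return None


def triage(ev: ProcessEvent) -> str:
    """'no_match', 'alert', or 'suppressed:<reason>'."""
    if not rule_matches(ev.TargetProcessCommandLine):
        return "no_match"
    reason = exclusion_reason(ev)
    return f"suppressed:{reason}" if reason else "alert"


ENABLE_CMD = "/bin/sh -c 'echo 1 > /sys/kernel/debug/tracing/events/kprobes/myprobe/enable'"

# Constructed sample events: interactive shell, systemd unit, cron job,
# a disable (echo 0), and a probe whose name is not one the rule lists.
SAMPLE_EVENTS = [
    ProcessEvent(ENABLE_CMD, ParentProcessName="bash"),
    ProcessEvent(ENABLE_CMD, ParentProcessName="systemd"),
    ProcessEvent("echo 1 > /sys/kernel/debug/tracing/events/kprobes/myretprobe/enable",
                 ParentProcessName="crond"),
    ProcessEvent("echo 0 > /sys/kernel/debug/tracing/events/kprobes/myprobe/enable",
                 ParentProcessName="bash"),
    ProcessEvent("echo 1 > /sys/kernel/debug/tracing/events/kprobes/p_open/enable",
                 ParentProcessName="bash"),
]


def run_samples() -> List[str]:
    """Triage verdict for each sample event, in order."""
    return [triage(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{verdict:32} {ev.TargetProcessCommandLine}")
```

Two design points worth noting when tuning. First, the suppressions that key on substrings in the command line (scenarios 2 and 4) are the weakest: anything in the command line is attacker-controlled, so prefer suppressions anchored on the parent process or on an allowlist of reviewed commands, as scenarios 1 and 3 do here. Second, the last sample shows that the rule only fires for the two example probe names (`myprobe`, `myretprobe`) taken from the kernel kprobetrace documentation; a broader variant would match any `/enable` write under the kprobes directory and rely on the suppressions above to keep the volume manageable.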