Suspicious Usage of bpf_probe_write_user Helper

Last updated: 2025-01-28
Created: 2025-01-28

About

This rule monitors the syslog log file for kernel messages about a program using the `bpf_probe_write_user` helper. The helper lets a BPF program attached to a tracing hook write into the memory of the user-space process it is tracing, which is why the kernel emits a rate-limited warning to the kernel log (naming the loading process and its PID) whenever a program that uses it is loaded. The rule keys on that warning once it has been forwarded into syslog, so the host must ship kernel ring-buffer messages into syslog for it to fire. Unauthorized use of this helper can be indicative of an eBPF rootkit or other malicious activity that patches user-space code or data at runtime; legitimate tracing and debugging tools occasionally use it as well, which is why the rule carries a low severity and any hit should be triaged against the named process.
Tags
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Persistence (TA0003)

Defense Evasion (TA0005)

License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-system.syslog-*
Related Integrations

system

Query
host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:"bpf_probe_write_user"
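To show what the query above actually selects, here is an added Python example (not part of the rule or the Elastic integration) that applies the same four conditions to a few constructed ECS-shaped syslog events and pulls the offending program name and PID out of the kernel warning. The sample events are made up; the warning text follows the `comm[pid] is installing a program with bpf_probe_write_user helper that may corrupt user memory!` format emitted from the kernel's `bpf_trace.c`, which you should confirm against your own kernel version. The substring test stands in for the KQL phrase match on the analyzed `message` field.

```python
import re

# Constructed sample events in the shape the System integration's syslog
# dataset produces. Only the first one should raise an alert.
SAMPLE_EVENTS = [
    {   # genuine kernel warning: matches every clause of the rule
        "host": {"os": {"type": "linux"}},
        "event": {"dataset": "system.syslog"},
        "process": {"name": "kernel"},
        "message": "[ 812.441902] evil_loader[4242] is installing a program with "
                   "bpf_probe_write_user helper that may corrupt user memory!",
    },
    {   # same string, but logged by a user-space daemon, not the kernel: no match
        "host": {"os": {"type": "linux"}},
        "event": {"dataset": "system.syslog"},
        "process": {"name": "sshd"},
        "message": "client banner mentioned bpf_probe_write_user",
    },
    {   # kernel message that arrived via a different dataset: no match
        "host": {"os": {"type": "linux"}},
        "event": {"dataset": "system.auth"},
        "process": {"name": "kernel"},
        "message": "tool[1] is installing a program with bpf_probe_write_user helper",
    },
    {   # ordinary kernel line without the helper name: no match
        "host": {"os": {"type": "linux"}},
        "event": {"dataset": "system.syslog"},
        "process": {"name": "kernel"},
        "message": "[ 813.002110] audit: type=1300 audit(1738060800.123:77): arch=c000003e",
    },
]

# Assumed warning format (kernel/trace/bpf_trace.c); comm has no spaces or brackets.
WARNING_RE = re.compile(
    r"(?P<comm>[^\s\[\]]+)\[(?P<pid>\d+)\] is installing a program with "
    r"bpf_probe_write_user helper"
)


def _field(doc, dotted_path):
    """Read a nested ECS field such as 'host.os.type'; None if absent."""
    for key in dotted_path.split("."):
        if not isinstance(doc, dict):
            return None
        doc = doc.get(key)
    return doc


def matches_rule(doc):
    """Python equivalent of the rule's KQL: all four clauses must hold.
    KQL's message:"bpf_probe_write_user" is a phrase match on the analyzed
    text field; a case-insensitive substring test approximates it here."""
    return (
        _field(doc, "host.os.type") == "linux"
        and _field(doc, "event.dataset") == "system.syslog"
        and _field(doc, "process.name") == "kernel"
        and "bpf_probe_write_user" in (_field(doc, "message") or "").lower()
    )


def enrich(doc):
    """Extract the loading process name and PID from the kernel warning so the
    alert tells the analyst where to start; None if the text does not parse."""
    m = WARNING_RE.search(_field(doc, "message") or "")
    if not m:
        return None
    return {"comm": m.group("comm"), "pid": int(m.group("pid"))}


def run_rule(events):
    """Return one alert dict per matching event, enriched where possible."""
    alerts = []
    for event in events:
        if matches_rule(event):
            alert = {"message": event["message"]}
            alert.update(enrich(event) or {})
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(f"ALERT comm={alert.get('comm')} pid={alert.get('pid')}: {alert['message']}")
```

Note that the kernel warning is rate-limited, so a loader that installs many such programs in a short window will not produce one syslog line per load; treat a single hit as evidence of at least one load, not a count.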

Install detection rules in Elastic Security

Detect Suspicious Usage of bpf_probe_write_user Helper in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.