Elastic Security Detection Rules

Kernel Instrumentation Discovery via kprobes and tracefs

Last updated 5 days ago on 2026-02-20
Created 5 days ago on 2026-02-20

About

Detects common utilities accessing kprobes and tracing-related paths in debugfs/tracefs, which may indicate discovery of kernel instrumentation hooks. Adversaries can enumerate these locations to understand or prepare for eBPF, kprobe, or tracepoint-based activity. This behavior can also be benign during troubleshooting, performance analysis, or observability tooling validation.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: DiscoveryTactic: Defense EvasionData Source: Elastic EndgameData Source: Elastic DefendData Source: Auditd ManagerData Source: SentinelOneData Source: CrowdstrikeLanguage: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Discovery (TA0007)(external, opens in a new tab or window)

System Information Discovery (T1082)(external, opens in a new tab or window)

Defense Evasion (TA0005)(external, opens in a new tab or window)

Rootkit (T1014)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
auditbeat-*endgame-*logs-auditd_manager.auditd-*logs-endpoint.events.process*logs-sentinel_one_cloud_funnel.*logs-crowdstrike.fdr*
Related Integrations

endpoint(external, opens in a new tab or window)

auditd_manager(external, opens in a new tab or window)

sentinel_one_cloud_funnel(external, opens in a new tab or window)

crowdstrike(external, opens in a new tab or window)

Query
text code block:
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name in (
  "cat", "grep", "head", "tail", "ls",
  "less", "more",
  "awk", "sed", "cut", "tr", "xargs", "tee",
  "find", "stat", "readlink",
  "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox"
) and
process.args like ("/sys/kernel/debug/kprobes/*", "/sys/kernel/debug/tracing/*", "/sys/kernel/tracing/*")

Install detection rules in Elastic Security

Detect Kernel Instrumentation Discovery via kprobes and tracefs in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).