
[New Rule] Defense evasion eBPF program load #5644

@litemars

Description

Detects suspicious eBPF program loading and manipulation using bpftool, BPF compilation, or kprobe inspection.
This rule complements the existing TC-BPF detection by focusing on direct eBPF program management and rootkit
indicators. This rule specifically targets bpftool usage, eBPF compilation workflows, and
suspicious inspection of kernel probe lists that may indicate rootkit reconnaissance or installation.

Detection of the following cases:

bpftool prog load rootkit.o /sys/fs/bpf/evil
bpftool prog attach pinned /sys/fs/bpf/evil xdp
clang -target bpf -c rootkit.c -o rootkit.o
cat /sys/kernel/debug/kprobes/list

Target Ruleset

linux

Target Rule Type

None

Tested ECS Version

9.2.0

Query

process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and
(
  /* bpftool program, map or link management; process.args is an array, so the
     subcommand and the verb are matched as separate elements rather than as "prog load" */
  (process.name == "bpftool" and
   (
     (process.args == "prog" and process.args in ("load", "loadall", "attach")) or
     (process.args == "map" and process.args == "create") or
     process.args == "link"
   )) or

  /* Direct compilation of BPF programs (clang -target bpf, clang --target=bpf, llc -march=bpf) */
  (process.name in ("clang", "llc") and process.args : ("bpf", "bpfel", "bpfeb", "--target=bpf*", "-march=bpf*")) or

  /* Loading BPF object files */
  (process.name == "bpftool" and process.args : "*.o" and process.args == "prog") or

  /* Suspicious BPF-related library loading (e.g. python3 -c "from bcc import BPF") */
  (process.name : "python*" and process.args : ("*bcc*", "*bpf*")) or

  /* Unnamed binaries run from world-writable staging directories (Go-based eBPF loaders
     are commonly dropped here); this clause carries no eBPF-specific evidence and is the
     noisiest part of the rule, so tune it to the environment */
  (process.executable : ("/tmp/*", "/dev/shm/*", "/var/tmp/*", "/run/*") and
   process.name regex~ """[a-z0-9]{8,}""") or

  /* Suspicious inspection of the kprobe list (rootkit indicator) */
  (process.name in ("cat", "grep", "head", "tail") and
   process.args : "/sys/kernel/debug/kprobes/*")
) and
not process.parent.executable : (
  "/usr/bin/cilium*",
  "/opt/cni/*",
  "/usr/local/bin/falco",
  "/usr/bin/tracee",
  "/opt/Elastic/*",
  "/usr/share/elastic-agent/*"
) and
not user.name in ("cilium", "falco")

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

No response

References

No response

Redacted Example Data

No response
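The following is an added worked example, not code from the issue or from the elastic/detection-rules project. It models the rule's clauses and allow-list in plain Python and runs them over constructed ECS-shaped process events: the four cases listed in the issue, a bpftool load spawned by a Cilium parent (which the exclusion must suppress), a binary run from /dev/shm, and two benign commands. The clause labels, the event() helper and every sample event are assumptions made for this example; the point it shows is that process.args is an array, so "prog" and "load" must be matched as separate elements.

```python
"""Python model of the eBPF-loading EQL rule, exercised over constructed samples.

Added example, not part of the issue or of elastic/detection-rules. The sample
events are constructed for this demonstration, not captured telemetry.
"""
import re
from fnmatch import fnmatchcase
from typing import Optional

# Parent executables and users the rule allow-lists as legitimate eBPF users.
PARENT_EXCLUSIONS = ("/usr/bin/cilium*", "/opt/cni/*", "/usr/local/bin/falco",
                     "/usr/bin/tracee", "/opt/Elastic/*", "/usr/share/elastic-agent/*")
USER_EXCLUSIONS = ("cilium", "falco")
# World-writable locations a dropped eBPF loader is likely to run from.
STAGING_DIRS = ("/tmp/*", "/dev/shm/*", "/var/tmp/*", "/run/*")


def wild(value: str, *patterns: str) -> bool:
    """EQL ':' operator: case-insensitive wildcard match against any pattern."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def any_arg(args, *patterns) -> bool:
    """True if at least one element of process.args matches one of the patterns."""
    return any(wild(a, *patterns) for a in args)


def matches(ev: dict) -> Optional[str]:
    """Return the label of the first clause the event trips, or None (labels are ours)."""
    p = ev["process"]
    name, args = p["name"], p.get("args", [])
    if ev["host"]["os"]["type"] != "linux" or ev["event"]["type"] != "start" \
            or ev["event"]["action"] not in ("exec", "exec_event", "start"):
        return None
    # The trailing 'not ...' exclusions apply to every clause.
    if wild(p.get("parent", {}).get("executable", ""), *PARENT_EXCLUSIONS):
        return None
    if ev.get("user", {}).get("name") in USER_EXCLUSIONS:
        return None
    # process.args is an array: "prog" and "load" are separate elements, so a
    # pattern like "prog load*" against args would never fire.
    if name == "bpftool" and (
        ("prog" in args and any(a in ("load", "loadall", "attach") for a in args))
        or ("map" in args and "create" in args)
        or "link" in args
    ):
        return "bpftool_prog_management"
    if name in ("clang", "llc") and any_arg(args, "bpf", "bpfel", "bpfeb",
                                              "--target=bpf*", "-march=bpf*"):
        return "bpf_compilation"
    if name == "bpftool" and any_arg(args, "*.o") and "prog" in args:
        return "bpftool_object_load"
    if wild(name, "python*") and any_arg(args, "*bcc*", "*bpf*"):
        return "python_bcc"
    if wild(p.get("executable", ""), *STAGING_DIRS) and re.fullmatch(r"[a-z0-9]{8,}", name, re.I):
        return "staging_dir_binary"
    if name in ("cat", "grep", "head", "tail") and any_arg(args, "/sys/kernel/debug/kprobes/*"):
        return "kprobe_list_inspection"
    return None


def event(name, args, executable=None, parent=None, user="root") -> dict:
    """Build a minimal ECS-shaped process start event (constructed sample data)."""
    return {
        "host": {"os": {"type": "linux"}},
        "event": {"type": "start", "action": "exec"},
        "user": {"name": user},
        "process": {
            "name": name, "args": args,
            "executable": executable or f"/usr/bin/{name}",
            "parent": {"executable": parent or "/bin/bash"},
        },
    }


# Constructed samples: the four cases from the issue, one suppressed by the
# allow-list, one staging-directory binary and two benign commands.
SAMPLES = {
    "load":    event("bpftool", ["bpftool", "prog", "load", "rootkit.o", "/sys/fs/bpf/evil"]),
    "attach":  event("bpftool", ["bpftool", "prog", "attach", "pinned", "/sys/fs/bpf/evil", "xdp"]),
    "compile": event("clang", ["clang", "-target", "bpf", "-c", "rootkit.c", "-o", "rootkit.o"]),
    "kprobes": event("cat", ["cat", "/sys/kernel/debug/kprobes/list"]),
    "cilium":  event("bpftool", ["bpftool", "prog", "load", "bpf_lxc.o", "/sys/fs/bpf/tc/globals"],
                     parent="/usr/bin/cilium-agent"),
    "dropper": event("a7f3k9x2q1", ["a7f3k9x2q1"], executable="/dev/shm/a7f3k9x2q1"),
    "benign_cat": event("cat", ["cat", "/etc/hostname"]),
    "benign_python": event("python3", ["python3", "manage.py", "runserver"]),
}


def run(samples=SAMPLES) -> dict:
    """Evaluate every sample and return {label: clause_or_None}."""
    return {label: matches(ev) for label, ev in samples.items()}


if __name__ == "__main__":
    for label, hit in run().items():
        print(f"{label:15s} -> {hit}")
```

The "dropper" sample fires on nothing but its location and an opaque name, which is why that clause needs the most tuning: in a real environment it will also catch installers and build artifacts unpacked under /tmp.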
