Originally designed to optimise the performance of Linux systems, the eBPF (extended Berkeley Packet Filter) has rapidly established itself as a strategic component in computer security.
Versatility, execution privileges and code verification make eBPF an extremely useful tool for collecting detailed information in real time, without compromising the stability of the kernel. However, it is precisely these characteristics that make it a particularly suitable technology for building malicious implants such as rootkits.
With the increasing adoption of eBPF in tools for monitoring, networking and runtime protection, the available attack surface is progressively widening and the risk of abuse is no longer theoretical but concrete, especially in containerised and multi-tenant environments.
Next’s new DFIR study thus opens a series of publications dedicated to the analysis of eBPF abuse in an offensive context, which aims to:
- explore the malicious potential of eBPF programmes;
- outline possible detection and mitigation methodologies;
- present techniques and tools useful for DFIR teams and SOC centres to detect eBPF rootkit activities.
In this first publication, we offer a theoretical overview of the scenarios in which the offensive use of eBPF offers concrete advantages to malicious actors, with references to academic studies and to malware observed in real-world incidents.
If you wish to learn more, here is the link to our comprehensive study.
In addition, you can subscribe to the dedicated Cyber Studios by Tinexta Defence mailing list to receive updates on upcoming research.