LoFP / legitimate usage of the unsafe option

Techniques

• t1059
• t1059.004

Sample rules

BPFtrace Unsafe Option Usage

• source: sigma
• technicques:
  • t1059
  • t1059.004

Description

Detects the usage of the unsafe bpftrace option

Detection logic

condition: selection
selection:
  CommandLine|contains: --unsafe
  Image|endswith: bpftrace