From a1b9065a1927d3193b93b4caaf5a039756c1c004 Mon Sep 17 00:00:00 2001
From: Zandmann <72525963+Zandmann@users.noreply.github.com>
Date: Wed, 10 Aug 2022 19:12:35 +0200
Subject: [PATCH 1/4] Create BPFDoor_abnormal_process_id_or_lock_file_accessed.yml

detection for BPFDoor IoC files run from temporary file storage
---
...ormal_process_id_or_lock_file_accessed.yml | 28 +++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 rules/linux/auditd/BPFDoor_abnormal_process_id_or_lock_file_accessed.yml

diff --git a/rules/linux/auditd/BPFDoor_abnormal_process_id_or_lock_file_accessed.yml b/rules/linux/auditd/BPFDoor_abnormal_process_id_or_lock_file_accessed.yml
new file mode 100644
index 000000000..fcc7d86c8
--- /dev/null
+++ b/rules/linux/auditd/BPFDoor_abnormal_process_id_or_lock_file_accessed.yml
@@ -0,0 +1,28 @@
+title: BPFDoor Abnormal Process ID or Lock File Accessed
+id: 808146b2-9332-4d78-9416-d7e47012d83d
+status: experimental
+description: detects BPFDoor .lock and .pid files access in temporary file storage facility
+author: Rafal Piasecki
+date: 2022/08/10
+references:
+ - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
+ - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'PATH'
+ name:
+ - /var/run/haldrund.pid
+ - /var/run/xinetd.lock
+ - /var/run/kdevrund.pid
+ condition: selection
+tags:
+ - attack.execution
+ - attack.T1106
+ - attack.T1070
+ - attack.T1059
+falsepositives:
+ - Less Likely
+level: high

From f001d35c8bd90998ffaba0deb091550fceabb424 Mon Sep 17 00:00:00 2001
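Review bot: The `name` selection can only match if auditd is actually emitting PATH records for these files — a file watch such as `-w /var/run -p wa` or syscall rules covering open/creat on that directory — and nothing in the rule tells the deployer this, so the `description` should carry the prerequisite, e.g. `description: Detects access to the .pid and .lock files BPFDoor creates under /var/run; requires an auditd file watch or syscall rule covering that directory`. On most current distributions /var/run is a symlink to /run, and the `name=` field reflects the path string the process passed rather than the resolved one, so the literal `/var/run/...` values will only match an implant that uses that spelling; depending on how the backend normalises `name`, adding the `/run/haldrund.pid`, `/run/xinetd.lock` and `/run/kdevrund.pid` forms to the list would make the rule less brittle. The phrase "temporary file storage facility" in the description does not describe /var/run, which holds runtime state, and is better replaced by the directory name itself.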
From: Zandmann <72525963+Zandmann@users.noreply.github.com>
Date: Thu, 11 Aug 2022 18:59:58 +0200
Subject: [PATCH 2/4] Update and rename BPFDoor_abnormal_process_id_or_lock_file_accessed.yml to lnx_auditd_BPFDoor_file_accessed.yml
---
...ile_accessed.yml => lnx_auditd_BPFDoor_file_accessed.yml} | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
rename rules/linux/auditd/{BPFDoor_abnormal_process_id_or_lock_file_accessed.yml => lnx_auditd_BPFDoor_file_accessed.yml} (93%)

diff --git a/rules/linux/auditd/BPFDoor_abnormal_process_id_or_lock_file_accessed.yml b/rules/linux/auditd/lnx_auditd_BPFDoor_file_accessed.yml
similarity index 93%
rename from rules/linux/auditd/BPFDoor_abnormal_process_id_or_lock_file_accessed.yml
rename to rules/linux/auditd/lnx_auditd_BPFDoor_file_accessed.yml
index fcc7d86c8..0c5ceb1ce 100644
--- a/rules/linux/auditd/BPFDoor_abnormal_process_id_or_lock_file_accessed.yml
+++ b/rules/linux/auditd/lnx_auditd_BPFDoor_file_accessed.yml
@@ -20,9 +20,8 @@ detection:
 condition: selection
 tags:
 - attack.execution
- - attack.T1106
- - attack.T1070
- - attack.T1059
+ - attack.t1106
+ - attack.t1059
 falsepositives:
 - Less Likely
 level: high

From 28ee157216014ee338d2c00c5a6f7ada7cd64c5e Mon Sep 17 00:00:00 2001
From: Zandmann <72525963+Zandmann@users.noreply.github.com>
Date: Thu, 11 Aug 2022 19:32:17 +0200
Subject: [PATCH 3/4] Rename lnx_auditd_BPFDoor_file_accessed.yml to lnx_auditd_bpfdoor_file_accessed.yml
---
...oor_file_accessed.yml => lnx_auditd_bpfdoor_file_accessed.yml} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename rules/linux/auditd/{lnx_auditd_BPFDoor_file_accessed.yml => lnx_auditd_bpfdoor_file_accessed.yml} (100%)

diff --git a/rules/linux/auditd/lnx_auditd_BPFDoor_file_accessed.yml b/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
similarity index 100%
rename from rules/linux/auditd/lnx_auditd_BPFDoor_file_accessed.yml
rename to rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
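Review bot: The two technique tags kept on the new side, `attack.t1106` (Native API) and `attack.t1059` (Command and Scripting Interpreter), describe how the implant runs rather than what this selection observes, which is access to a fixed set of pid/lock file names under /var/run chosen to look like legitimate daemon state files. If the tags are meant to reflect the observed behaviour, a pair such as `attack.defense_evasion` with `attack.t1036` (Masquerading) arguably fits the fake `xinetd.lock`/`kdevrund.pid` names better, though the right mapping depends on which BPFDoor stage the repository wants this rule attributed to and should be checked against the references before changing it. The `detection` block this hunk touches starts before the hunk, so the selection itself is not visible here.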
From 5bc4b2de27d5ac803204f9891df23e0831ba9ba0 Mon Sep 17 00:00:00 2001
From: Zandmann <72525963+Zandmann@users.noreply.github.com>
Date: Fri, 12 Aug 2022 21:39:11 +0200
Subject: [PATCH 4/4] Update lnx_auditd_bpfdoor_file_accessed.yml
---
rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml b/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
index 0c5ceb1ce..1c948709a 100644
--- a/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
+++ b/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
@@ -23,5 +23,5 @@ tags:
 - attack.t1106
 - attack.t1059
 falsepositives:
- - Less Likely
+ - Unlikely
 level: high