The RedMenshen-BPFDoor-backdoor rule hunts for known on-disk artifacts of BPFDoor, a custom backdoor used by Red Menshen that abuses BPF (Berkeley Packet Filter) to receive commands and execute code on compromised systems without opening a listening port. The rule matches process events whose parent command line references /dev/shm/kdmtmpflush or whose image name is one of the implant's pid files; it does not flag BPF usage in general. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to identify and mitigate potential Red Menshen activity that could lead to long-term system control and data exfiltration.
KQL Query

```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has ("/dev/shm/kdmtmpflush") or FileName has_any ("haldrund.pid", "kdevrund.pid")
```
```yaml
id: bfb8eaed-941c-4866-a2cc-d5d4465bfc2a
name: RedMenshen-BPFDoor-backdoor
description: |
  This query was originally published by the PwC Security Research Team.
  BPFDoor is custom backdoor malware used by Red Menshen. BPFDoor allows an adversary to backdoor a system and remotely execute code without opening any new network ports or firewall rules.
  References:
  https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
  https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
relevantTechniques:
  - T1095
  - T1059.004
  - T1070
query: |
  DeviceProcessEvents
  | where InitiatingProcessCommandLine has ("/dev/shm/kdmtmpflush") or FileName has_any ("haldrund.pid", "kdevrund.pid")
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection (Microsoft Defender XDR) connector is enabled. In this table FileName is the name of the process image, so the haldrund.pid / kdevrund.pid clause only fires if a process is launched under that name; the pid files themselves are written to disk and surface as file-creation events in DeviceFileEvents, which is worth hunting alongside this rule. |
Scenario: Legitimate BPF (Berkeley Packet Filter) usage by network monitoring tools
Description: Network monitoring tools like Wireshark or tcpdump attach BPF filters to capture packets. Because the rule keys on the BPFDoor artifact names rather than on BPF usage itself, these tools only match if a process name or parent command line contains those strings, but analysts triaging a hit will often see them nearby in the process tree.
Filter/Exclusion: Check for process names like tcpdump, wireshark, or tshark in the process tree. Exclude only on exact process names, and never exclude a row whose parent command line references the artifact path: the references above note that BPFDoor renames its process to mimic legitimate Linux binaries, so a name alone is not evidence of a benign tool.
Scenario: Scheduled system maintenance tasks using BPF filters
Description: System administrators may run BPF-based capture or log-filtering jobs from systemd timers or crontab, and the resulting processes appear with systemd or cron as the initiating process.
Filter/Exclusion: Exclude known maintenance scripts by their full path and command line rather than by parent name alone; excluding everything initiated by systemd or cron would also hide an implant that persists through those same mechanisms.
Scenario: Security tool or EDR (Endpoint Detection and Response) agent using BPF
Description: Security tools such as CrowdStrike Falcon, SentinelOne, or Microsoft Defender for Endpoint may use BPF for packet inspection or telemetry, which can look similar to implant activity during triage.
Filter/Exclusion: Exclude the known agent processes by exact process name, full path, or file hash (the SHA256 the sensor records), not by a substring of the name.
Scenario: Admin task involving packet capture for troubleshooting
Description: IT admins may run tcpdump or tshark interactively to capture traffic while troubleshooting.
Filter/Exclusion: Exclude captures run by known admin accounts with the expected tools, keyed on the account plus the exact tool binary. Avoid excluding on command-line arguments that merely contain tcpdump or tshark, since an attacker can place those strings in any command line.
Scenario: Legitimate BPF-based firewall rule configuration
Description: Firewalls like iptables or nftables may
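The rule's predicate and the exclusion advice from the false-positive scenarios above, re-implemented in Python as an added example so it can be exercised offline. This is not code from the page, from Microsoft Sentinel, or from PwC. It approximates KQL `has` / `has_any` term matching, runs the predicate over constructed DeviceProcessEvents-style rows (not real telemetry), and scopes the exact-name exclusion so that it can never mask a row whose parent command line references the implant artifact. The `BENIGN_CAPTURE_TOOLS` set, the `ReportId` and `DeviceName` fields, and every sample row are assumptions made for the example.

```python
"""Offline re-implementation of the RedMenshen-BPFDoor-backdoor predicate.

Added example, not the page's rule. The KQL `has` semantics below are an
approximation of term matching, sufficient to show why `has` does not fire on
substrings of longer tokens.
"""
import re
from typing import Iterable

# Artifact strings taken from the KQL rule on the page.
BPFDOOR_CMDLINE_TERMS = ("/dev/shm/kdmtmpflush",)
BPFDOOR_PID_FILES = ("haldrund.pid", "kdevrund.pid")

# Exact process names from the false-positive scenarios (assumption: tune per estate).
BENIGN_CAPTURE_TOOLS = frozenset({"tcpdump", "wireshark", "tshark"})

_TERM_RE = re.compile(r"[A-Za-z0-9]+")


def _terms(value: str) -> list[str]:
    """Approximate KQL term tokenisation: maximal alphanumeric runs, case-folded."""
    return [t.lower() for t in _TERM_RE.findall(value or "")]


def kql_has(haystack: str, needle: str) -> bool:
    """Approximation of KQL `has`: the needle's terms must occur in the haystack as
    whole terms, adjacent and in order. A needle buried inside a longer term does
    not count, which is what makes `has` cheaper and less noisy than `contains`."""
    h, n = _terms(haystack), _terms(needle)
    if not n or len(n) > len(h):
        return False
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def kql_has_any(haystack: str, needles: Iterable[str]) -> bool:
    return any(kql_has(haystack, n) for n in needles)


def rule_matches(row: dict) -> bool:
    """The page's predicate:
         InitiatingProcessCommandLine has "/dev/shm/kdmtmpflush"
      or FileName has_any ("haldrund.pid", "kdevrund.pid")"""
    return (kql_has_any(row.get("InitiatingProcessCommandLine", ""), BPFDOOR_CMDLINE_TERMS)
            or kql_has_any(row.get("FileName", ""), BPFDOOR_PID_FILES))


def is_excluded(row: dict) -> bool:
    """Exclusion scoped narrower than the detection: an exact benign process name
    suppresses a row only when the parent command line does not reference the
    implant artifact. BPFDoor is documented to rename its process to mimic
    legitimate binaries, so a name alone must never override an artifact hit."""
    name = (row.get("FileName") or "").lower()
    return (name in BENIGN_CAPTURE_TOOLS
            and not kql_has_any(row.get("InitiatingProcessCommandLine", ""),
                                BPFDOOR_CMDLINE_TERMS))


def hunt(rows: Iterable[dict]) -> list[dict]:
    """Rows that match the rule and survive the exclusion, in input order."""
    return [r for r in rows if rule_matches(r) and not is_excluded(r)]


# Constructed DeviceProcessEvents-style rows for the example (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"ReportId": 1, "DeviceName": "web01", "FileName": "sh",
     "InitiatingProcessCommandLine": "/dev/shm/kdmtmpflush --init"},            # artifact path: hit
    {"ReportId": 2, "DeviceName": "web01", "FileName": "tcpdump",
     "InitiatingProcessCommandLine": "/bin/bash -c 'tcpdump -i eth0 port 80'"},  # benign capture: no hit
    {"ReportId": 3, "DeviceName": "db02", "FileName": "haldrund.pid",
     "InitiatingProcessCommandLine": "/usr/sbin/cron -f"},                      # pid-file name as image: hit
    {"ReportId": 4, "DeviceName": "db02", "FileName": "python3",
     "InitiatingProcessCommandLine": "/opt/tool/mykdmtmpflushsim"},             # substring of a term only: no hit
    {"ReportId": 5, "DeviceName": "app03", "FileName": "bash",
     "InitiatingProcessCommandLine": "/DEV/SHM/KDMTMPFLUSH"},                   # `has` is case-insensitive: hit
    {"ReportId": 6, "DeviceName": "app03", "FileName": "tcpdump",
     "InitiatingProcessCommandLine": "/dev/shm/kdmtmpflush"},                   # allowlisted name spawned by implant: hit
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_PROCESS_EVENTS):
        print(f"ALERT ReportId={r['ReportId']} host={r['DeviceName']} "
              f"proc={r['FileName']} parent={r['InitiatingProcessCommandLine']}")
```

On this particular rule the allowlist never suppresses anything in practice: the rule keys on artifact names, so a benign capture tool only matches when something referencing the implant path launched it, which is exactly the case the guard in `is_excluded` preserves. The pattern is still worth keeping because it shows how an exclusion should be scoped narrower than the detection it modifies, and the `kql_has` helper makes it easy to confirm which strings the production query would and would not match before editing it.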