BPF Map Poisoning: Attacking the EDR from the Inside
Most evasion techniques work by flying under the radar. You use an anonymous mmap instead of a file, you call syscalls directly to skip libc hooks, you execute from a memfd so fanotify never sees a path. All of that works by avoiding the EDR’s detection surface. BPF Map Poisoning is different. Instead of avoiding the EDR, you walk straight into it and rewrite its memory. I use Falco as the demo target throughout this post because it is open-source, auditable, and easy to reproduce in a lab. Falco is not a traditional EDR, it’s a runtime security tool. But the attack surface here is architectural, not Falco-specific. CrowdStrike Falcon on Linux, Elastic Defend, Tetragon, and any other security tool that stores monitoring state in BPF maps share the same problem: if the maps are not protected by security_bpf_map LSM enforcement, they can be read and written by any privileged process using the standard bpf(2) API. The demo is Falco. The implication extends to everything that follows the same design. ...