Sysmon currently uses a BPF_MAP_TYPE_PERF_EVENT_ARRAY map to send output from its eBPF programs back to the user mode Sysmon process. Any other user mode program that can obtain a descriptor for that map (for example through BPF_MAP_GET_FD_BY_ID or a bpffs pin) can update or clear its entries, at which point the eBPF programs' output no longer reaches Sysmon and process activity becomes invisible to it.
Sysmon can mitigate this by issuing the BPF_MAP_FREEZE command of the bpf(2) syscall on these output maps once it has populated them: a frozen map rejects BPF_MAP_UPDATE_ELEM, BPF_MAP_DELETE_ELEM and writable mmap() from user space, so the map can no longer be disabled that way. The freeze has to come after the perf event descriptors are installed, because Sysmon itself loses the ability to write the map as well. Freezing only restricts user space, however: loaded eBPF programs could still delete the map elements, and there is no known mitigation for that yet.
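The sequence described above (populate, freeze, then confirm that user space writes are refused), as an added example that is not Sysmon's or sysinternalsEBPF's code. It assumes a plain BPF_MAP_TYPE_ARRAY as a stand-in for the perf event array, since freezing is a property of the map object rather than of its type, so the example runs without perf_event_open(). It needs Linux with the <linux/bpf.h> UAPI header and CAP_BPF or CAP_SYS_ADMIN; anywhere else demo_freeze() reports FREEZE_SKIPPED rather than failing.

```c
/* bpf_freeze_demo.c: added example, not Sysmon code.
 * Creates an array map (assumed stand-in for Sysmon's perf event array),
 * writes one entry, freezes the map with BPF_MAP_FREEZE, and checks that
 * user space can no longer update or delete entries. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__linux__) && defined(__has_include)
# if __has_include(<linux/bpf.h>)
#  include <linux/bpf.h>
#  include <sys/syscall.h>
#  define HAVE_BPF_UAPI 1
# endif
#endif

enum freeze_result { FREEZE_SKIPPED = 0, FREEZE_OK = 1, FREEZE_BROKEN = 2 };

#ifdef HAVE_BPF_UAPI
static long sys_bpf(int cmd, union bpf_attr *attr)
{
    return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

/* Stand-in for the output map: 4 entries of u32 keyed by u32 index. */
static int create_array_map(uint32_t entries)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_type = BPF_MAP_TYPE_ARRAY;
    attr.key_size = sizeof(uint32_t);
    attr.value_size = sizeof(uint32_t);
    attr.max_entries = entries;
    return (int)sys_bpf(BPF_MAP_CREATE, &attr);
}

/* Each helper returns 0 on success or -errno on failure. */
static int update_elem(int map_fd, uint32_t key, uint32_t value)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_fd = (uint32_t)map_fd;
    attr.key = (uint64_t)(uintptr_t)&key;
    attr.value = (uint64_t)(uintptr_t)&value;
    attr.flags = BPF_ANY;
    return sys_bpf(BPF_MAP_UPDATE_ELEM, &attr) == 0 ? 0 : -errno;
}

static int delete_elem(int map_fd, uint32_t key)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_fd = (uint32_t)map_fd;
    attr.key = (uint64_t)(uintptr_t)&key;
    return sys_bpf(BPF_MAP_DELETE_ELEM, &attr) == 0 ? 0 : -errno;
}

static int freeze_map(int map_fd)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_fd = (uint32_t)map_fd;
    return sys_bpf(BPF_MAP_FREEZE, &attr) == 0 ? 0 : -errno;
}
#endif

enum freeze_result demo_freeze(void)
{
#ifndef HAVE_BPF_UAPI
    return FREEZE_SKIPPED;
#else
    int fd = create_array_map(4);
    if (fd < 0)               /* EPERM without CAP_BPF/CAP_SYS_ADMIN, ENOSYS on old kernels */
        return FREEZE_SKIPPED;

    /* 1. Populate first. Sysmon would install its perf event fds at this point;
     *    after the freeze it could not do so itself either. */
    if (update_elem(fd, 0, 0x1234) != 0) { close(fd); return FREEZE_BROKEN; }

    /* 2. Freeze. EINVAL means the kernel predates BPF_MAP_FREEZE (5.2),
     *    EPERM means this process lacks the capability: both are "cannot test here". */
    int rc = freeze_map(fd);
    if (rc == -EINVAL || rc == -EPERM) { close(fd); return FREEZE_SKIPPED; }
    if (rc != 0) { close(fd); return FREEZE_BROKEN; }

    /* 3. Verify: the permission check runs before the map operation, so both
     *    user space write paths must now fail with EPERM, and the map cannot
     *    be frozen a second time. */
    int upd = update_elem(fd, 0, 0xdead);
    int del = delete_elem(fd, 0);
    int again = freeze_map(fd);
    close(fd);
    return (upd == -EPERM && del == -EPERM && again != 0) ? FREEZE_OK : FREEZE_BROKEN;
#endif
}

int main(void)
{
    static const char *names[] = { "skipped (no bpf access)", "frozen map refused writes", "BROKEN" };
    printf("BPF_MAP_FREEZE demo: %s\n", names[demo_freeze()]);
    return 0;
}
```

Run it as root (or with CAP_BPF) on a 5.2 or newer kernel to see the frozen map refuse BPF_MAP_UPDATE_ELEM and BPF_MAP_DELETE_ELEM with EPERM. The same freeze call applied to a BPF_MAP_TYPE_PERF_EVENT_ARRAY only closes the user space path; it does nothing about eBPF programs that hold the map, which is the remaining gap noted above.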