|
| 1 | +name: Linux Magic SysRq Key Abuse |
| 2 | +id: 22c03600-f84a-47fa-abaa-ffbe3e72c782 |
| 3 | +version: 1 |
| 4 | +date: '2025-08-28' |
| 5 | +author: Milad Cheraghi |
| 6 | +status: production |
| 7 | +type: TTP |
| 8 | +description: | |
| 9 | + Detects potential abuse of the Linux Magic SysRq (System Request) key by adversaries |
| 10 | + with root or sufficient privileges to manipulate or destabilize a system. |
| 11 | + Writing to /proc/sysrq-trigger can crash the system, kill processes, or bypass standard logging. |
| 12 | + Monitoring SysRq abuse helps detect stealthy post-exploitation activity. |
| 13 | +data_source: |
| 14 | + - Linux Auditd Path |
| 15 | +search: '`linux_auditd` type=Path name="/proc/sysrq-trigger" OR name="/proc/sys/kernel/sysrq" OR name="/etc/sysctl.conf" |
| 16 | + | rename host as dest |
| 17 | + | stats count min(_time) as firstTime max(_time) as lastTime by dest name |
| 18 | + | `security_content_ctime(firstTime)` |
| 19 | + | `security_content_ctime(lastTime)` |
| 20 | + | `linux_auditd_sysrq_abuse_filter`' |
| 21 | +how_to_implement: | |
| 22 | + To implement this detection, ensure auditd is configured to watch: |
| 23 | + - /proc/sysrq-trigger |
| 24 | + - /proc/sys/kernel/sysrq |
| 25 | + - /etc/sysctl.conf |
| 26 | + with write and attribute changes (`-p wa`) and key `sysrq`. |
| 27 | + Use the Splunk Add-on for Unix and Linux for proper ingestion and CIM normalization. |
| 28 | + This enables effective monitoring of Linux endpoints for SysRq abuse. |
| 29 | +known_false_positives: |
| 30 | + - Legitimate administrative activity modifying SysRq for debugging or recovery. |
| 31 | + - Please update the filter macros to remove false positives. |
| 32 | +references: |
| 33 | + - https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt |
| 34 | + - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel |
| 35 | + - https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html |
| 36 | +drilldown_searches: |
| 37 | + - name: View the detection results for - "$dest$" |
| 38 | + search: '%original_detection_search% | search dest="$dest$"' |
| 39 | + earliest_offset: $info_min_time$ |
| 40 | + latest_offset: $info_max_time$ |
| 41 | + - name: View risk events for the last 7 days for - "$dest$" |
| 42 | + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") |
| 43 | + starthoursago=168 |
| 44 | + | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" |
| 45 | + values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" |
| 46 | + values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) |
| 47 | + as "ATT&CK Tactics" by normalized_risk_object |
| 48 | + | `security_content_ctime(firstTime)` |
| 49 | + | `security_content_ctime(lastTime)`' |
| 50 | + earliest_offset: $info_min_time$ |
| 51 | + latest_offset: $info_max_time$ |
| 52 | +rba: |
| 53 | + message: A [$comm$] event was occurred on host - [$dest$] Used the Linux Magic SysRq mechanism. |
| 54 | + risk_objects: |
| 55 | + - field: dest |
| 56 | + type: system |
| 57 | + score: 70 |
| 58 | + threat_objects: [] |
| 59 | +tags: |
| 60 | + analytic_story: |
| 61 | + - Compromised Linux Host |
| 62 | + asset_type: Endpoint |
| 63 | + mitre_attack_id: |
| 64 | + - T1059.004 |
| 65 | + - T1529 |
| 66 | + - T1489 |
| 67 | + - T1499 |
| 68 | + product: |
| 69 | + - Splunk Enterprise |
| 70 | + - Splunk Enterprise Security |
| 71 | + - Splunk Cloud |
| 72 | + security_domain: endpoint |
| 73 | +tests: |
| 74 | + - name: True Positive Test |
| 75 | + attack_data: |
| 76 | + - data: |
| 77 | + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log |
| 78 | + source: auditd |
| 79 | + sourcetype: auditd |
0 commit comments