Potential Abuse of Linux Magic System Request Key

Original Source: [Sigma source]
Title: Potential Abuse of Linux Magic System Request Key
Status: experimental
Description: Detects potential abuse of the Linux Magic SysRq (System Request) key by an adversary who already holds root or equivalent privileges. Writing a single command character to /proc/sysrq-trigger can crash the kernel, kill every process, remount filesystems read-only or force an immediate reboot or power-off, which lets an attacker destabilize a host or cut short forensic collection without spawning a process that user-space logging would record. Although the facility exists for recovery and debugging, it is a cheap post-exploitation and anti-forensics tool. Which SysRq functions are allowed is governed by the value in /proc/sys/kernel/sysrq (0 disables the key entirely, 1 enables every function, larger values are a bitmask of individual functions); it can be changed at runtime with sysctl or persistently through /etc/sysctl.conf.
References:
  - https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt
  - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel
  - https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html
Author: Milad Cheraghi
Date: 2025-05-23
Modified: None
Tags:
  • attack.execution
  • attack.t1059.004
  • attack.impact
  • attack.t1529
  • attack.t1489
  • attack.t1499
Logsource:
  • product: linux
  • service: auditd
  • definition: Required auditd configuration:
      -w /proc/sysrq-trigger -p wa -k sysrq
      -w /proc/sys/kernel/sysrq -p wa -k sysrq
    Note that these two watches alone do not produce PATH records for /etc/sysctl.conf, so the '/sysctl.conf' selector in the detection only fires if another audit rule (for example a watch on /etc) covers that file.
Detection:
  selection:
    type: 'PATH'
    name|endswith:
      - '/sysrq'
      - '/sysctl.conf'
      - '/sysrq-trigger'
  condition: selection
Falsepositives:
  - Legitimate administrative activity, such as an administrator tuning kernel.sysrq with sysctl or editing /etc/sysctl.conf
  - Any unrelated file whose basename is exactly sysrq, since the '/sysrq' suffix match is not limited to /proc/sys/kernel
Level: medium
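The following is an added example and is not part of the rule or its author's work. It applies the selection above to a handful of constructed raw auditd records (the timestamps, serials, inodes, PIDs and user names are made up), correlates each PATH hit with the SYSCALL record of the same audit event so a responder sees which program and login user touched the file, and decodes a kernel.sysrq value into the functions it enables using the bit values from the kernel sysrq documentation referenced above. The sample deliberately includes a write to /etc/sysctl.d/99-sysrq.conf, which the rule does not match because the name ends in ".conf" rather than "/sysctl.conf", and an unrelated file named sysrq under a home directory, which it does match.

```python
"""Added example (not the rule author's code): apply the rule's PATH selection
to constructed raw audit.log lines, enrich hits with the matching SYSCALL
record, and decode a kernel.sysrq bitmask. Sample data below is made up."""
import re

# Suffixes copied verbatim from the rule's `name|endswith` selection.
SYSRQ_SUFFIXES = ("/sysrq", "/sysctl.conf", "/sysrq-trigger")

# Header of every raw audit record, then key=value tokens (bare or quoted).
_HDR_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Bitmask values for /proc/sys/kernel/sysrq from the kernel sysrq admin guide.
SYSRQ_BITS = {
    2: "control of console logging level",
    4: "control of keyboard (SAK, unraw)",
    8: "debugging dumps of processes",
    16: "sync",
    32: "remount read-only",
    64: "signalling of processes (term, kill, oom-kill)",
    128: "reboot/poweroff",
    256: "nicing of all RT tasks",
}

# Constructed sample records; field values are invented for this example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1716450000.101:2001): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4100 pid=4123 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="sysrq"
type=PATH msg=audit(1716450000.101:2001): item=0 name="/proc/sysrq-trigger" inode=4026532081 dev=00:15 mode=0100200 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1716450000.220:2002): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4100 pid=4130 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="sysctl" exe="/usr/sbin/sysctl" key="sysrq"
type=PATH msg=audit(1716450000.220:2002): item=0 name="/proc/sys/kernel/sysrq" inode=9123 dev=00:15 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1716450001.005:2003): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=4100 pid=4141 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="etc"
type=PATH msg=audit(1716450001.005:2003): item=1 name="/etc/sysctl.conf" inode=262811 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1716450002.300:2004): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=4100 pid=4150 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="etc"
type=PATH msg=audit(1716450002.300:2004): item=1 name="/etc/sysctl.d/99-sysrq.conf" inode=262900 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1716450003.410:2005): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=5200 pid=5211 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=4 comm="touch" exe="/usr/bin/touch" key="homedir"
type=PATH msg=audit(1716450003.410:2005): item=1 name="/home/alice/build/sysrq" inode=524300 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
"""


def parse_audit_records(text):
    """Parse raw audit.log lines into dicts of field -> value.

    'type', 'time' and 'serial' come from the record header; the serial is
    the event id that ties a PATH record to its SYSCALL record. Lines that
    do not look like audit records are skipped.
    """
    records = []
    for line in text.splitlines():
        m = _HDR_RE.match(line.strip())
        if not m:
            continue
        rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
        for key, raw in _KV_RE.findall(m.group(4)):
            rec[key] = raw.strip('"')
        records.append(rec)
    return records


def matches_selection(rec):
    """The rule's selection: type is PATH and name ends with one of the suffixes."""
    return rec.get("type") == "PATH" and rec.get("name", "").endswith(SYSRQ_SUFFIXES)


def sysrq_hits(text):
    """Run the selection and attach comm/exe/auid/key from the SYSCALL record
    that shares the hit's serial (None when that record was not logged)."""
    records = parse_audit_records(text)
    syscalls = {r["serial"]: r for r in records if r["type"] == "SYSCALL"}
    hits = []
    for rec in records:
        if not matches_selection(rec):
            continue
        sc = syscalls.get(rec["serial"], {})
        hits.append({"serial": rec["serial"], "name": rec["name"],
                     "comm": sc.get("comm"), "exe": sc.get("exe"),
                     "auid": sc.get("auid"), "key": sc.get("key")})
    return hits


def decode_sysrq_mask(value):
    """Translate a kernel.sysrq value into the SysRq functions it allows."""
    value = int(value)
    if value == 0:
        return []                       # SysRq disabled completely
    if value == 1:
        return list(SYSRQ_BITS.values())  # every function enabled
    return [desc for bit, desc in SYSRQ_BITS.items() if value & bit]


if __name__ == "__main__":
    for hit in sysrq_hits(SAMPLE_AUDIT_LOG):
        print(f"event {hit['serial']}: {hit['name']} written by {hit['comm']} "
              f"({hit['exe']}) auid={hit['auid']} key={hit['key']}")
    print("kernel.sysrq=176 allows:", decode_sysrq_mask(176))
```

Running it reports four hits: the two watched /proc files, /etc/sysctl.conf, and the unrelated /home/alice/build/sysrq created by touch, while the edit of /etc/sysctl.d/99-sysrq.conf goes unreported. The correlation step matters in practice because a PATH record on its own says nothing about who performed the write; the auid and exe from the SYSCALL record are what separate an administrator's sysctl invocation from a shell redirect in a post-exploitation script.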