LoFP / legitimate administrative activity modifying sysrq for debugging or recovery. Please update the filter macros to remove false positives.

Techniques

Sample rules

Linux Magic SysRq Key Abuse

Description

Detects potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to manipulate or destabilize a system. Writing to /proc/sysrq-trigger can crash the system, kill processes, or bypass standard logging. Monitoring SysRq abuse helps detect stealthy post-exploitation activity.

Detection logic

`linux_auditd` type=Path name="/proc/sysrq-trigger" OR name="/proc/sys/kernel/sysrq" OR name="/etc/sysctl.conf" 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by dest name 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_magic_sysrq_key_abuse_filter`
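The SPL above reads naturally as three steps: select auditd PATH records that touch one of the three SysRq-related files, aggregate count/firstTime/lastTime by host and path, and finally apply the tuning macro that drops sanctioned administrative use. The following Python is an added example (not part of the original page or of the Splunk content it describes) that re-implements those steps so the logic can be tested offline. The log lines are constructed; the leading host= token stands in for Splunk's host metadata field, and admin_filter is a hypothetical stand-in for the `linux_magic_sysrq_key_abuse_filter` macro, keyed here on a set of hosts where SysRq use is expected (kernel debugging boxes, recovery consoles).

```python
import re
from datetime import datetime, timezone

# Paths the rule watches (taken from the detection logic on the page).
WATCHED_PATHS = {"/proc/sysrq-trigger", "/proc/sys/kernel/sysrq", "/etc/sysctl.conf"}

# Constructed sample records, not real audit data. "host=" mimics Splunk's host
# field; the remainder mimics an auditd PATH record.
SAMPLE_EVENTS = [
    'host=web01 type=PATH msg=audit(1700000000.123:501): item=0 name="/proc/sysrq-trigger" nametype=NORMAL',
    'host=web01 type=PATH msg=audit(1700000060.456:502): item=0 name="/proc/sysrq-trigger" nametype=NORMAL',
    'host=db02 type=PATH msg=audit(1700000120.789:503): item=0 name="/etc/sysctl.conf" nametype=NORMAL',
    'host=db02 type=PATH msg=audit(1700000180.000:504): item=0 name="/etc/passwd" nametype=NORMAL',
    'host=build03 type=PATH msg=audit(1700000240.000:505): item=0 name="/proc/sys/kernel/sysrq" nametype=NORMAL',
]

RECORD_RE = re.compile(
    r'host=(?P<host>\S+)\s+type=(?P<type>\S+)\s+'
    r'msg=audit\((?P<ts>\d+\.\d+):\d+\):.*?\bname="(?P<name>[^"]*)"'
)


def parse_record(line):
    """Extract host (-> dest), record type, event time and the PATH name."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    return {"dest": m["host"], "type": m["type"], "_time": float(m["ts"]), "name": m["name"]}


def ctime(epoch):
    """Analogue of `security_content_ctime`: epoch seconds -> readable UTC time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def admin_filter(row, known_admin_hosts):
    """Hypothetical stand-in for `linux_magic_sysrq_key_abuse_filter`.

    Returns True when the row should be kept. Tuning lives here: rows from
    hosts where SysRq access is sanctioned are dropped after aggregation,
    exactly where the macro sits in the SPL pipeline.
    """
    return row["dest"] not in known_admin_hosts


def detect(lines, known_admin_hosts=frozenset()):
    """Run the rule: filter -> stats by dest,name -> ctime -> tuning filter."""
    stats = {}
    for line in lines:
        rec = parse_record(line)
        # type=Path in SPL is a case-insensitive field match, so compare upper-cased.
        if rec is None or rec["type"].upper() != "PATH" or rec["name"] not in WATCHED_PATHS:
            continue
        key = (rec["dest"], rec["name"])
        row = stats.setdefault(key, {
            "dest": rec["dest"], "name": rec["name"], "count": 0,
            "firstTime": rec["_time"], "lastTime": rec["_time"],
        })
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], rec["_time"])
        row["lastTime"] = max(row["lastTime"], rec["_time"])

    results = []
    for row in stats.values():
        if not admin_filter(row, known_admin_hosts):
            continue
        row["firstTime_h"] = ctime(row["firstTime"])
        row["lastTime_h"] = ctime(row["lastTime"])
        results.append(row)
    return sorted(results, key=lambda r: (r["dest"], r["name"]))


if __name__ == "__main__":
    # build03 is treated as a known kernel-debugging host and is filtered out.
    for r in detect(SAMPLE_EVENTS, {"build03"}):
        print(f'{r["dest"]:8} {r["name"]:24} count={r["count"]} '
              f'first={r["firstTime_h"]} last={r["lastTime_h"]}')
```

Running it with build03 on the allowlist leaves two rows (web01 touching /proc/sysrq-trigger twice, db02 touching /etc/sysctl.conf once); /etc/passwd never matches because it is not a watched path. Note that the filter runs after aggregation, so an allowlisted host suppresses the whole (dest, name) row rather than individual events, which is the same behaviour the macro has in the SPL.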