LoFP / legitimate administrative activity modifying sysrq for debugging or recovery. Please update the filter macros to remove false positives.

Techniques

Sample rules

Linux Magic SysRq Key Abuse

Description

Detects potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to manipulate or destabilize a system. Writing to /proc/sysrq-trigger can crash the system, kill processes, or bypass standard logging. Monitoring SysRq abuse helps detect stealthy post-exploitation activity. Correlate with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.

Detection logic

`linux_auditd` (type=PATH OR type=CWD)

| rex "msg=audit\([^)]*:(?<audit_id>\d+)\)"


| stats
  values(type) as types
  values(name) as names
  values(nametype) as nametype
  values(cwd) as cwd_list
  values(_time) as event_times
  by audit_id, host


| eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A")

| eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names))

| eval matched_paths = mvfilter(match(candidate_paths, ".*/proc/sysrq-trigger|.*/proc/sys/kernel/sysrq|.*/etc/sysctl.conf"))

| eval match_count = mvcount(matched_paths)

| eval reconstructed_path = mvindex(matched_paths, 0)

| eval e_time = mvindex(event_times, 0)

| where match_count > 0

| rename host as dest


| stats count min(e_time) as firstTime max(e_time) as lastTime
  values(nametype) as nametype
  by current_working_directory
     reconstructed_path
     match_count
     dest
     audit_id


| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `linux_magic_sysrq_key_abuse_filter`
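The grouping, path-reconstruction and matching steps of the search above, re-implemented in Python over constructed auditd records so the logic can be checked offline. This is an added example, not part of the Splunk content or the detection's own code; the sample records, timestamps and audit ids are made up, while the audit_id regex and the path alternation are taken from the search.

```python
import re
from collections import defaultdict

# Constructed auditd records (not real captures): a CWD and a PATH record per
# audit event, linked by the id in msg=audit(<epoch>:<id>), as auditd emits them.
SAMPLE_AUDITD = [
    'type=CWD msg=audit(1700000000.101:4201): cwd="/proc"',
    'type=PATH msg=audit(1700000000.101:4201): item=0 name="sysrq-trigger" nametype=NORMAL',
    'type=CWD msg=audit(1700000000.102:4202): cwd="/home/ops"',
    'type=PATH msg=audit(1700000000.102:4202): item=0 name="notes.txt" nametype=NORMAL',
    'type=CWD msg=audit(1700000000.103:4203): cwd="/root"',
    'type=PATH msg=audit(1700000000.103:4203): item=0 name="/etc/sysctl.conf" nametype=NORMAL',
]

AUDIT_ID_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")        # same as the search's rex
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                 # key=value / key="value"
# Same alternation as the search's mvfilter(match(...)) step.
SYSRQ_PATH_RE = re.compile(r".*/proc/sysrq-trigger|.*/proc/sys/kernel/sysrq|.*/etc/sysctl.conf")

def parse_record(line):
    """Split one auditd line into its key=value fields plus the extracted audit_id."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = AUDIT_ID_RE.search(line)
    fields["audit_id"] = m.group(1) if m else None
    return fields

def detect_sysrq_access(lines):
    """Group PATH/CWD records by audit_id, make relative names absolute against
    the event's cwd, and return {audit_id: [matched paths]} for SysRq-related hits."""
    by_id = defaultdict(lambda: {"cwd": None, "names": []})
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") not in ("PATH", "CWD") or rec["audit_id"] is None:
            continue
        event = by_id[rec["audit_id"]]
        if rec["type"] == "CWD":
            event["cwd"] = rec.get("cwd")
        else:
            event["names"].append(rec.get("name", ""))
    hits = {}
    for audit_id, event in by_id.items():
        cwd = event["cwd"] or "N/A"   # mirrors coalesce(mvindex(cwd_list, 0), "N/A")
        candidates = [n if n.startswith("/") else f"{cwd}/{n}" for n in event["names"]]
        matched = [p for p in candidates if SYSRQ_PATH_RE.search(p)]
        if matched:
            hits[audit_id] = matched
    return hits
```

The `linux_magic_sysrq_key_abuse_filter` macro has no counterpart here; an allowlist for the legitimate administrative activity named at the top of the page would be applied to the returned hits.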