Potential Abuse of Linux Magic System Request Key
Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes, or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
Sigma rule (View on GitHub)
title: Potential Abuse of Linux Magic System Request Key
id: ea61bb82-a5e0-42e6-8537-91d29500f1b9
status: experimental
description: |
    Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges
    to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes,
    or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be
    misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
references:
    - https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt
    - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel
    - https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html
author: Milad Cheraghi
date: 2025-05-23
tags:
    - attack.execution
    - attack.t1059.004
    - attack.impact
    - attack.t1529
    - attack.t1489
    - attack.t1499
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -w /proc/sysrq-trigger -p wa -k sysrq
        -w /proc/sys/kernel/sysrq -p wa -k sysrq
detection:
    selection:
        type: 'PATH'
        name|endswith:
            # Enable
            - '/sysrq'
            - '/sysctl.conf'
            # Execute
            - '/sysrq-trigger'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: medium
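To see what the selection above actually fires on, here is the rule's PATH-record matching applied to a handful of constructed auditd lines. This is an added illustration, not part of the Sigma rule or the SigmaHQ project; the log records, inode numbers and event ids are made up, and the record parser is a minimal one written for this example.

```python
import re

# Suffixes copied from the rule's name|endswith list (Sigma matches strings
# case-insensitively by default, hence the .lower() below).
SYSRQ_SUFFIXES = ("/sysrq", "/sysctl.conf", "/sysrq-trigger")

# Constructed sample auditd records (not real captures). The SYSCALL record
# carries the -k sysrq key from the page's watch rules; the PATH records carry
# the file name the rule matches on. Event 504 is a sysctl drop-in file.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1716480000.101:501): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=1234 auid=1000 uid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="sysrq"
type=PATH msg=audit(1716480000.101:501): item=0 name="/proc/sysrq-trigger" inode=4026532001 dev=00:16 mode=0100200 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1716480000.102:502): item=0 name="/proc/sys/kernel/sysrq" inode=4026532002 dev=00:16 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1716480000.103:503): item=0 name="/etc/sysctl.conf" inode=262311 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1716480000.104:504): item=0 name="/etc/sysctl.d/99-custom.conf" inode=262399 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1716480000.105:505): item=0 name="/var/log/syslog" inode=131077 dev=fd:01 mode=0100640 ouid=0 ogid=4 rdev=00:00 nametype=NORMAL
"""

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_audit_record(line):
    """Split one auditd line into a dict of key=value fields, quotes stripped."""
    return {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}


def audit_event_id(record):
    """Extract the serial number from msg=audit(<timestamp>:<serial>)."""
    match = _MSG_RE.search(record.get("msg", ""))
    return match.group(2) if match else None


def matches_sysrq_rule(record):
    """The rule's selection: type is PATH and name ends with a listed suffix."""
    if record.get("type") != "PATH":
        return False
    return record.get("name", "").lower().endswith(SYSRQ_SUFFIXES)


def detect_sysrq_abuse(log_text):
    """Return (event id, file name) for every PATH record the rule alerts on."""
    hits = []
    for line in log_text.splitlines():
        record = parse_audit_record(line)
        if matches_sysrq_rule(record):
            hits.append((audit_event_id(record), record["name"]))
    return hits
```

Running it shows three alerts (events 501, 502 and 503) and no alert for event 504: a `kernel.sysrq` setting placed in an `/etc/sysctl.d/` drop-in file is not covered by the `/sysctl.conf` suffix, so environments that manage sysctl through drop-ins should extend both the auditd watch list and the selection accordingly.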
Related rules
- ESXi VM Kill Via ESXCLI
- Silence.EDA Detection
- Suspicious Windows Service Tampering
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript