GitHub Repo

Detection: Linux Magic SysRq Key Abuse

Updated Date: 2025-11-27 ID: 22c03600-f84a-47fa-abaa-ffbe3e72c782 Author: Milad Cheraghi Type: TTP Product: Splunk Enterprise Security

Description

Detects potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to manipulate or destabilize a system. Writing to /proc/sysrq-trigger can crash the system, kill processes, or bypass standard logging. Monitoring SysRq abuse helps detect stealthy post-exploitation activity. Correlate with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.

 1`linux_auditd`
 2(type=PATH OR type=CWD)
 3
 4| rex "msg=audit\([^)]*:(?<audit_id>\d+)\)"
 5
 6
 7| stats
 8  values(type) as types
 9  values(name) as names
10  values(nametype) as nametype
11  values(cwd) as cwd_list
12  values(_time) as event_times
13  by audit_id, host
14
15
16| eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A")
17
18| eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names))
19
20| eval matched_paths = mvfilter(match(candidate_paths, ".*/proc/sysrq-trigger
21|.*/proc/sys/kernel/sysrq
22|.*/etc/sysctl.conf"))
23
24| eval match_count = mvcount(matched_paths)
25
26| eval reconstructed_path = mvindex(matched_paths, 0)
27
28| eval e_time = mvindex(event_times, 0)
29
30| where match_count > 0
31
32| rename host as dest
33
34
35| stats count min(e_time) as firstTime max(e_time) as lastTime
36  values(nametype) as nametype
37  by current_working_directory
38     reconstructed_path
39     match_count
40     dest
41     audit_id
42
43
44| `security_content_ctime(firstTime)`
45
46| `security_content_ctime(lastTime)`
47
48| `linux_magic_sysrq_key_abuse_filter`

Data Source

Name Platform Sourcetype Source
Linux Auditd Cwd Linux icon Linux 'auditd' 'auditd'
Linux Auditd Path Linux icon Linux 'auditd' 'auditd'

Macros Used

Name Value
linux_auditd sourcetype="auditd"
linux_magic_sysrq_key_abuse_filter search *
linux_magic_sysrq_key_abuse_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1059.004 Unix Shell Execution
T1529 System Shutdown/Reboot Impact
T1489 Service Stop Impact
T1499 Endpoint Denial of Service Impact
Actions on Objectives
Installation
DE.CM
CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event True
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

To implement this detection, ensure auditd is configured to watch:

  • /proc/sysrq-trigger
  • /proc/sys/kernel/sysrq
  • /etc/sysctl.conf with write and attribute changes (-p wa) and key sysrq. Make sure the type=CWD record type is activate in your auditd configuration and Use the Splunk Add-on for Unix and Linux for proper ingestion and CIM normalization. This enables effective monitoring of Linux endpoints for SysRq abuse.

Known False Positives

Legitimate administrative activity modifying SysRq for debugging or recovery. Please update the filter macros to remove false positives.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

Abuse of the Linux Magic System Request key detected on host - [$dest$]

Risk Object Risk Object Type Risk Score Threat Objects
dest system 70 No Threat Objects

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset auditd auditd
Integration ✅ Passing Dataset auditd auditd

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 2