Potential Abuse of Linux Magic System Request Key

Rule Info

Name: Potential Abuse of Linux Magic System Request Key
Author: Milad Cheraghi
Description: Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes, or disrupt forensic analysis, all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
Date: 2025-05-23 00:00:00
Modified: None
Id: ea61bb82-a5e0-42e6-8537-91d29500f1b9
Tags: attack.execution attack.t1059.004 attack.impact attack.t1529 attack.t1489 attack.t1499
Type: Community Rule

Rule History

Author: Milad Cheraghi
Title: Merge PR #5432 from @CheraghiMilad - Potential Abuse of Linux Magic System Request Key
Date: 2025-05-31
Commit: