From dff8e1f649a4a262fed378174d65a861b4aefeab Mon Sep 17 00:00:00 2001
From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com>
Date: Thu, 28 Aug 2025 15:05:07 +0330
Subject: [PATCH 1/4] added data source for new technique of attack

---
 .../linux_sysrq_abuse/linux_sysrq_abuse.log.txt | 4 ++++
 .../linux_sysrq_abuse/linux_sysrq_abuse.yml.txt | 13 +++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log.txt
 create mode 100644 datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.yml.txt

diff --git a/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log.txt b/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log.txt
new file mode 100644
index 00000000..b9ddaeb0
--- /dev/null
+++ b/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log.txt
@@ -0,0 +1,4 @@
+{"type": "PATH","msg": "audit(1747951721.229:634)","item": 1,"name": "/proc/sysrq-trigger","inode": 4026532271,"dev": "00:19","mode": "0100200","ouid": 0,"ogid": 0,"rdev": "00:00","nametype": "NORMAL","cap_fp": 0,"cap_fi": 0,"cap_fe": 0,"cap_fver": 0,"cap_frootid": 0,"OUID": "root","OGID": "root"}
+{"type": "PATH","msg": "audit(1747951721.494:677)","item": 1,"name": "/proc/sysrq-trigger","inode": 4026532271,"dev": "00:19","mode": "0100200","ouid": 0,"ogid": 0,"rdev": "00:00","nametype": "NORMAL","cap_fp": 0,"cap_fi": 0,"cap_fe": 0,"cap_fver": 0,"cap_frootid": 0,"OUID": "root","OGID": "root"}
+{"type": "PATH","msg": "audit(1747951721.234:699)","item": 1,"name": "/proc/sysrq-trigger","inode": 4026532271,"dev": "00:19","mode": "0100200","ouid": 0,"ogid": 0,"rdev": "00:00","nametype": "NORMAL","cap_fp": 0,"cap_fi": 0,"cap_fe": 0,"cap_fver": 0,"cap_frootid": 0,"OUID": "root","OGID": "root"}
+{"type": "PATH","msg": "audit(1747951721.546:712)","item": 1,"name": "/proc/sysrq-trigger","inode": 4026532271,"dev": "00:19","mode": "0100200","ouid": 0,"ogid": 0,"rdev": "00:00","nametype": "NORMAL","cap_fp": 0,"cap_fi": 0,"cap_fe": 0,"cap_fver": 0,"cap_frootid": 0,"OUID": "root","OGID": "root"}
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.yml.txt b/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.yml.txt
new file mode 100644
index 00000000..c1b6750c
--- /dev/null
+++ b/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.yml.txt
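Review bot: All four records are PATH entries for /proc/sysrq-trigger with no SYSCALL or PROCTITLE record from the same audit event, so the sample carries no pid, comm, exe, auid or syscall field; a detection that attributes the write to a process cannot be validated against it, only a path-match rule can. Within the hunk the serials increase (634, 677, 699, 712) while the timestamps do not (`audit(1747951721.494:677)` is followed by `audit(1747951721.234:699)`), which would not occur in a live auditd stream and suggests the lines were hand-edited; if the sample is synthetic the dataset metadata should say so. PATH records are normally emitted as a numbered set next to a SYSCALL record, and every line here is `"item": 1` with nothing else from the set, so it is worth confirming that the companion records were not dropped during export.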
@@ -0,0 +1,13 @@
+author: Milad Cheraghi
+id: b4b1271b-4529-4f36-9edc-d70765eaa4c0
+date: '2025-08-28'
+description: 'Sample of Linux auditd events showing potential abuse of the Magic SysRq key to manipulate or destabilize the system.'
+environment: custom
+directory: linux_sysrq_abuse
+mitre_technique:
+ - T1529
+datasets:
+ - name: linux-auditd
+ path: /datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log
+ sourcetype: auditd
+ source: auditd

From 1f47717c0feb3e82ecd2c0d136712f65abd5fbae Mon Sep 17 00:00:00 2001
From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com>
Date: Thu, 28 Aug 2025 15:25:21 +0330
Subject: [PATCH 2/4] Update and rename linux_sysrq_abuse.log.txt to linux_sysrq_abuse.log

---
 .../{linux_sysrq_abuse.log.txt => linux_sysrq_abuse.log} | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 rename datasets/attack_techniques/T1529/linux_sysrq_abuse/{linux_sysrq_abuse.log.txt => linux_sysrq_abuse.log} (95%)

diff --git a/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log.txt b/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log
similarity index 95%
rename from datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log.txt
rename to datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log
index b9ddaeb0..760a8caa 100644
--- a/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log.txt
+++ b/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log
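Review bot: The description does not say what the sample actually contains, which a detection author needs before pointing a search at it; something like `description: 'Four auditd PATH records referencing /proc/sysrq-trigger (no SYSCALL records), simulating writes to the Magic SysRq trigger.'` would make the scope explicit. `environment: custom` likewise gives no hint of how the events were produced, so a short note naming the audit watch rule and the collection method that generated them would let someone reproduce or extend the dataset. The file is a new-file hunk, so the whole definition is in view.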
@@ -1,4 +1,5 @@
 {"type": "PATH","msg": "audit(1747951721.229:634)","item": 1,"name": "/proc/sysrq-trigger","inode": 4026532271,"dev": "00:19","mode": "0100200","ouid": 0,"ogid": 0,"rdev": "00:00","nametype": "NORMAL","cap_fp": 0,"cap_fi": 0,"cap_fe": 0,"cap_fver": 0,"cap_frootid": 0,"OUID": "root","OGID": "root"}
 {"type": "PATH","msg": "audit(1747951721.494:677)","item": 1,"name": "/proc/sysrq-trigger","inode": 4026532271,"dev": "00:19","mode": "0100200","ouid": 0,"ogid": 0,"rdev": "00:00","nametype": "NORMAL","cap_fp": 0,"cap_fi": 0,"cap_fe": 0,"cap_fver": 0,"cap_frootid": 0,"OUID": "root","OGID": "root"}
 {"type": "PATH","msg": "audit(1747951721.234:699)","item": 1,"name": "/proc/sysrq-trigger","inode": 4026532271,"dev": "00:19","mode": "0100200","ouid": 0,"ogid": 0,"rdev": "00:00","nametype": "NORMAL","cap_fp": 0,"cap_fi": 0,"cap_fe": 0,"cap_fver": 0,"cap_frootid": 0,"OUID": "root","OGID": "root"}
-{"type": "PATH","msg": "audit(1747951721.546:712)","item": 1,"name": "/proc/sysrq-trigger","inode": 4026532271,"dev": "00:19","mode": "0100200","ouid": 0,"ogid": 0,"rdev": "00:00","nametype": "NORMAL","cap_fp": 0,"cap_fi": 0,"cap_fe": 0,"cap_fver": 0,"cap_frootid": 0,"OUID": "root","OGID": "root"}
\ No newline at end of file
+
+{"type": "PATH","msg": "audit(1747951721.546:712)","item": 1,"name": "/proc/sysrq-trigger","inode": 4026532271,"dev": "00:19","mode": "0100200","ouid": 0,"ogid": 0,"rdev": "00:00","nametype": "NORMAL","cap_fp": 0,"cap_fi": 0,"cap_fe": 0,"cap_fver": 0,"cap_frootid": 0,"OUID": "root","OGID": "root"}

From 4cf284a964b590999ea2df007b6ace999db420ad Mon Sep 17 00:00:00 2001
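Review bot: The bare `+` line before the re-added last record inserts an empty line into a newline-delimited JSON log, which a line-oriented ingest will either reject or surface as an empty event; the rename only needed the missing trailing newline, not a blank line. Drop the empty `+` line so the four records stay contiguous and the file ends with a single newline. PATCH 4 later replaces this file with an LFS pointer whose `size 1198` appears consistent with this five-line content having been carried over unchanged, so the blank line should be checked there as well.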
From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com>
Date: Thu, 28 Aug 2025 15:25:38 +0330
Subject: [PATCH 3/4] Update and rename linux_sysrq_abuse.yml.txt to linux_sysrq_abuse.yml

---
 .../{linux_sysrq_abuse.yml.txt => linux_sysrq_abuse.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename datasets/attack_techniques/T1529/linux_sysrq_abuse/{linux_sysrq_abuse.yml.txt => linux_sysrq_abuse.yml} (100%)

diff --git a/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.yml.txt b/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.yml
similarity index 100%
rename from datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.yml.txt
rename to datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.yml

From fc4538fc587952a7f996066a0b841d448f418872 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Thu, 28 Aug 2025 23:43:46 +0330
Subject: [PATCH 4/4] fix issue

---
 .../T1529/linux_sysrq_abuse/linux_sysrq_abuse.log | 8 +++-----
 .../T1529/linux_sysrq_abuse/linux_sysrq_abuse.yml | 2 +-
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log b/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log
index 760a8caa..fd4d7471 100644
--- a/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log
+++ b/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log
@@ -1,5 +1,3 @@
-{"type": "PATH","msg": "audit(1747951721.229:634)","item": 1,"name": "/proc/sysrq-trigger","inode": 4026532271,"dev": "00:19","mode": "0100200","ouid": 0,"ogid": 0,"rdev": "00:00","nametype": "NORMAL","cap_fp": 0,"cap_fi": 0,"cap_fe": 0,"cap_fver": 0,"cap_frootid": 0,"OUID": "root","OGID": "root"}
-{"type": "PATH","msg": "audit(1747951721.494:677)","item": 1,"name": "/proc/sysrq-trigger","inode": 4026532271,"dev": "00:19","mode": "0100200","ouid": 0,"ogid": 0,"rdev": "00:00","nametype": "NORMAL","cap_fp": 0,"cap_fi": 0,"cap_fe": 0,"cap_fver": 0,"cap_frootid": 0,"OUID": "root","OGID": "root"}
-{"type": "PATH","msg": "audit(1747951721.234:699)","item": 1,"name": "/proc/sysrq-trigger","inode": 4026532271,"dev": "00:19","mode": "0100200","ouid": 0,"ogid": 0,"rdev": "00:00","nametype": "NORMAL","cap_fp": 0,"cap_fi": 0,"cap_fe": 0,"cap_fver": 0,"cap_frootid": 0,"OUID": "root","OGID": "root"}
-
-{"type": "PATH","msg": "audit(1747951721.546:712)","item": 1,"name": "/proc/sysrq-trigger","inode": 4026532271,"dev": "00:19","mode": "0100200","ouid": 0,"ogid": 0,"rdev": "00:00","nametype": "NORMAL","cap_fp": 0,"cap_fi": 0,"cap_fe": 0,"cap_fver": 0,"cap_frootid": 0,"OUID": "root","OGID": "root"}
+version https://git-lfs.github.com/spec/v1
+oid sha256:62bbba78697c76bb460b5151e4afd88f8383ee179b0722055ef124589989dd74
+size 1198
diff --git a/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.yml b/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.yml
index c1b6750c..27783b22 100644
--- a/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.yml
+++ b/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.yml
@@ -10,4 +10,4 @@ datasets:
 - name: linux-auditd
 path: /datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log
 sourcetype: auditd
- source: auditd
+ source: auditd
\ No newline at end of file
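Review bot: Replacing the roughly 1.2 KB log with a Git LFS pointer takes the dataset content out of the reviewable diff, so neither the records themselves nor whether the stray blank line introduced in PATCH 2 survived can be checked here; `size 1198` appears consistent with the previous five-line content being stored as-is. If the repository requires LFS for dataset files, the commit message should state whether the object is byte-identical to the previous text version or what changed, since the title `fix issue` does not say which issue was fixed. A reviewer who cannot fetch the LFS object otherwise has to take the content on trust.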