From acaceb8d182c74ac3e27280d1c1720919349f9a0 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi <cheraghimiladmail@gmail.com>
Date: Thu, 28 Aug 2025 15:10:04 +0330
Subject: [PATCH 1/3] Added new technique for linux - magic system request key

---
 .../linux_auditd_magic_system_request_key.yml | 79 +++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 detections/endpoint/linux_auditd_magic_system_request_key.yml

diff --git a/detections/endpoint/linux_auditd_magic_system_request_key.yml b/detections/endpoint/linux_auditd_magic_system_request_key.yml
new file mode 100644
index 0000000000..d80b5fc09a
--- /dev/null
+++ b/detections/endpoint/linux_auditd_magic_system_request_key.yml
@@ -0,0 +1,79 @@
+name: Linux Magic SysRq Key Abuse
+id: 22c03600-f84a-47fa-abaa-ffbe3e72c782
+version: 1
+date: '2025-08-28'
+author: Milad Cheraghi
+status: production
+type: TTP
+description: |
+  Detects potential abuse of the Linux Magic SysRq (System Request) key by adversaries
+  with root or sufficient privileges to manipulate or destabilize a system.
+  Writing to /proc/sysrq-trigger can crash the system, kill processes, or bypass standard logging.
+  Monitoring SysRq abuse helps detect stealthy post-exploitation activity.
+data_source:
+  - Linux Auditd Path
+search: '`linux_auditd` type=Path name="/proc/sysrq-trigger" OR name="/proc/sys/kernel/sysrq" OR name="/etc/sysctl.conf"
+  | rename host as dest
+  | stats count min(_time) as firstTime max(_time) as lastTime by dest name
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `linux_auditd_sysrq_abuse_filter`'
+how_to_implement: |
+  To implement this detection, ensure auditd is configured to watch:
+    - /proc/sysrq-trigger
+    - /proc/sys/kernel/sysrq
+    - /etc/sysctl.conf
+  with write and attribute changes (`-p wa`) and key `sysrq`.
+  Use the Splunk Add-on for Unix and Linux for proper ingestion and CIM normalization.
+  This enables effective monitoring of Linux endpoints for SysRq abuse.
+known_false_positives:
+  - Legitimate administrative activity modifying SysRq for debugging or recovery.
+  - Please update the filter macros to remove false positives.
+references:
+  - https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt
+  - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel
+  - https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html
+drilldown_searches:
+  - name: View the detection results for - "$dest$"
+    search: '%original_detection_search% | search dest="$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$"
+    search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+      starthoursago=168
+      | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name"
+        values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories"
+        values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+        as "ATT&CK Tactics" by normalized_risk_object
+      | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+rba:
+  message: A [$comm$] event was occurred on host - [$dest$] Used the Linux Magic SysRq mechanism.
+  risk_objects:
+    - field: dest
+      type: system
+      score: 70
+  threat_objects: []
+tags:
+  analytic_story:
+    - Compromised Linux Host
+  asset_type: Endpoint
+  mitre_attack_id:
+    - T1059.004
+    - T1529
+    - T1489
+    - T1499
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+  security_domain: endpoint
+tests:
+  - name: True Positive Test
+    attack_data:
+      - data:
+          https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log
+        source: auditd
+        sourcetype: auditd

From 1eefd8ffb6729330dd0f1badc49c902a5755299c Mon Sep 17 00:00:00 2001
From: Milad Cheraghi <cheraghimiladmail@gmail.com>
Date: Thu, 28 Aug 2025 22:36:02 +0330
Subject: [PATCH 2/3] Macro and message issue fixed

---
 .../endpoint/linux_auditd_magic_system_request_key.yml   | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/detections/endpoint/linux_auditd_magic_system_request_key.yml b/detections/endpoint/linux_auditd_magic_system_request_key.yml
index d80b5fc09a..3334a8ea4a 100644
--- a/detections/endpoint/linux_auditd_magic_system_request_key.yml
+++ b/detections/endpoint/linux_auditd_magic_system_request_key.yml
@@ -17,7 +17,7 @@ search: '`linux_auditd` type=Path name="/proc/sysrq-trigger" OR name="/proc/sys/
   | stats count min(_time) as firstTime max(_time) as lastTime by dest name
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
-  | `linux_auditd_sysrq_abuse_filter`'
+  | `linux_macro_sysrq_abuse_filter`'
 how_to_implement: |
   To implement this detection, ensure auditd is configured to watch:
     - /proc/sysrq-trigger
@@ -26,9 +26,8 @@ how_to_implement: |
   with write and attribute changes (`-p wa`) and key `sysrq`.
   Use the Splunk Add-on for Unix and Linux for proper ingestion and CIM normalization.
   This enables effective monitoring of Linux endpoints for SysRq abuse.
-known_false_positives:
-  - Legitimate administrative activity modifying SysRq for debugging or recovery.
-  - Please update the filter macros to remove false positives.
+known_false_positives: Legitimate administrative activity modifying SysRq for debugging or recovery.
+  Please update the filter macros to remove false positives.
 references:
   - https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt
   - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel
@@ -50,7 +49,7 @@ drilldown_searches:
     earliest_offset: $info_min_time$
     latest_offset: $info_max_time$
 rba:
-  message: A [$comm$] event was occurred on host - [$dest$] Used the Linux Magic SysRq mechanism.
+  message: Abuse of the Linux Magic System Request key detected on host - [$dest$]
   risk_objects:
     - field: dest
       type: system

From 8af6a9083970fbc3d4f3189ceb237d5380f63907 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi <cheraghimiladmail@gmail.com>
Date: Fri, 29 Aug 2025 00:54:42 +0330
Subject: [PATCH 3/3] file name issue fix

---
 ...c_system_request_key.yml => linux_magic_sysrq_key_abuse.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename detections/endpoint/{linux_auditd_magic_system_request_key.yml => linux_magic_sysrq_key_abuse.yml} (98%)

diff --git a/detections/endpoint/linux_auditd_magic_system_request_key.yml b/detections/endpoint/linux_magic_sysrq_key_abuse.yml
similarity index 98%
rename from detections/endpoint/linux_auditd_magic_system_request_key.yml
rename to detections/endpoint/linux_magic_sysrq_key_abuse.yml
index 3334a8ea4a..0842ad2b7c 100644
--- a/detections/endpoint/linux_auditd_magic_system_request_key.yml
+++ b/detections/endpoint/linux_magic_sysrq_key_abuse.yml
@@ -17,7 +17,7 @@ search: '`linux_auditd` type=Path name="/proc/sysrq-trigger" OR name="/proc/sys/
   | stats count min(_time) as firstTime max(_time) as lastTime by dest name
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
-  | `linux_macro_sysrq_abuse_filter`'
+  | `linux_magic_sysrq_key_abuse_filter`'
 how_to_implement: |
   To implement this detection, ensure auditd is configured to watch:
     - /proc/sysrq-trigger