System Request Key Configuration Modification Detection

Intro

The SystemRequestKeyConfigModification signature detects modifications to the System Request Key configuration files, which control a powerful mechanism for sending commands directly to the kernel.

Description

The System Request Key (often abbreviated as SysRq) is a mechanism in the Linux kernel that provides a way to send commands directly to the kernel via key combinations.

These combinations let a user issue various low-level commands regardless of the system's state. Because of this power, any unauthorized or suspicious modification of the SysRq configuration could indicate adversarial activity.

Specifically, this signature focuses on detecting attempts to modify and activate the System Request Key configuration files located at /proc/sys/kernel/sysrq and /proc/sysrq-trigger.

Purpose

The primary objective of this signature is to detect and flag any unauthorized or suspicious modifications to the System Request Key configuration. Such modifications could allow an adversary to shut down or restart a system immediately. Moreover, combined with read access to kernel logs, triggering SysRq commands could leak sensitive host-related information and so enable potential container escape tactics.

Metadata

  • ID: TRC-1031
  • Version: 1
  • Name: System request key configuration modification
  • EventName: system_request_key_mod
  • Description: The signature detects modifications to the System Request Key configuration files. Unauthorized or malicious alterations to these files can grant the ability to shut down or restart systems and disclose host-related data that can potentially be used for container escapes.
  • Properties:
      • Severity: 3 (Moderate threat level)
      • Category: privilege-escalation
      • Technique: Escape to Host
      • Kubernetes_Technique: N/A
      • id: attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665
      • external_id: T1611

Findings

Upon detecting a potential threat, the signature returns a Finding data structure, comprising:

  • SigMetadata: Metadata about the threat based on the signature.
  • Event: Details of the event that caused the signature to trigger.
  • Data: Currently set to nil, meaning no extra information is provided in this structure.

Events Used

The signature is contingent on the following events:

  • security_file_open: Emitted when a file is opened. The signature examines the opened file's pathname and open flags to determine whether one of the System Request Key configuration files is being modified.
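As an added example (not Tracee's own code), the Go sketch below applies the check described above: a security_file_open on either SysRq file whose access mode allows writing is a match and yields a Finding shaped as the Findings section describes, while read-only opens and other paths do not. The Event and Finding types, the field names and the Linux flag values are assumptions made for this illustration.

```go
package main

import "fmt"

// Event is a constructed stand-in for a Tracee security_file_open event,
// carrying only the arguments this check needs (not Tracee's real type).
type Event struct {
	EventName string
	Pathname  string
	Flags     int // open(2) flags as seen by the kernel
}

// Finding follows the page's description: signature metadata plus the
// triggering event; Data is nil on the page, so it is left out here.
type Finding struct {
	SigID string
	Event Event
}

// Linux open(2) access-mode bits from <fcntl.h>: O_ACCMODE, O_WRONLY, O_RDWR.
const oAccMode, oWrOnly, oRdWr = 0x3, 0x1, 0x2

// The two configuration files the page names.
var sysRqPaths = map[string]bool{"/proc/sys/kernel/sysrq": true, "/proc/sysrq-trigger": true}

// isWrite: the access mode must be O_WRONLY or O_RDWR; O_TRUNC or O_CREAT alone do not count.
func isWrite(flags int) bool {
	mode := flags & oAccMode
	return mode == oWrOnly || mode == oRdWr
}

// OnEvent applies the rule: a writable security_file_open of either SysRq
// file yields a Finding; read-only opens and other paths yield nil.
func OnEvent(e Event) *Finding {
	if e.EventName != "security_file_open" || !isWrite(e.Flags) || !sysRqPaths[e.Pathname] {
		return nil
	}
	return &Finding{SigID: "TRC-1031", Event: e}
}

func main() {
	// Constructed samples: a read of the knob, a write to the trigger, a write elsewhere.
	for _, e := range []Event{
		{"security_file_open", "/proc/sys/kernel/sysrq", 0x0},          // O_RDONLY
		{"security_file_open", "/proc/sysrq-trigger", oWrOnly | 0x200}, // O_WRONLY|O_TRUNC
		{"security_file_open", "/proc/sys/kernel/hostname", oWrOnly},
	} {
		fmt.Printf("%-28s flags=%#x finding=%v\n", e.Pathname, e.Flags, OnEvent(e) != nil)
	}
}
```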