Sigma rules for CVE-2016-0505
52 rules · scoped to cve · back to CVE-2016-0505
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Potential Abuse of Linux Magic System Request Key
id: ea61bb82-a5e0-42e6-8537-91d29500f1b9
status: experimental
description: |
Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges
to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes,
or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be
misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
references:
- https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel
- https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html
author: Milad Cheraghi
date: 2025-05-23
tags:
- attack.execution
- attack.t1059.004
- attack.impact
- attack.t1529
- attack.t1489
- attack.t1499
logsource:
product: linux
service: auditd
definition: |
Required auditd configuration:
-w /proc/sysrq-trigger -p wa -k sysrq
-w /proc/sys/kernel/sysrq -p wa -k sysrq
detection:
selection:
type: 'PATH'
name|endswith:
# Enable
- '/sysrq'
- '/sysctl.conf'
# Execute
- '/sysrq-trigger'
condition: selection
falsepositives:
- Legitimate administrative activity
level: medium
title: File Time Attribute Change - Linux
id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
status: test
description: Detect file time attribute change to hide new or changes to existing files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2022-11-28
tags:
- attack.stealth
- attack.t1070.006
logsource:
product: linux
service: auditd
detection:
execve:
type: 'EXECVE'
touch:
- 'touch'
selection2:
- '-t'
- '-acmr'
- '-d'
- '-r'
condition: execve and touch and selection2
falsepositives:
- Unknown
level: medium
simulation:
- type: atomic-red-team
name: Set a file's access timestamp
technique: T1070.006
atomic_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810
- type: atomic-red-team
name: Set a file's modification timestamp
technique: T1070.006
atomic_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52
- type: atomic-red-team
name: Modify file timestamps using reference file
technique: T1070.006
atomic_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50