From c87eab6a234ad379014bd67bf6035cfdf4d990a4 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com>
Date: Sat, 4 Oct 2025 21:29:06 +0330
Subject: [PATCH] disable ASLR protection via sysctl (#3192)

Co-authored-by: Hare Sudhan
---
 atomics/T1562.001/T1562.001.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 3b9f1afb..f040979d 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -1358,3 +1358,15 @@ atomic_tests:
 Write-Output "File deleted: $edrFreezeExe"
 name: powershell
 elevation_required: true
+- name: Disable ASLR Via sysctl parameters - Linux
+ auto_generated_guid:
+ description: Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0` which disables Address Space Layout Randomization (ASLR) in Linux.
+ supported_platforms:
+ - linux
+ executor:
+ command: |
+ sysctl -w kernel.randomize_va_space=0
+ cleanup_command: |
+ sysctl -w kernel.randomize_va_space=2
+ name: bash
+ elevation_required: true
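Review bot: `cleanup_command` hard-codes `kernel.randomize_va_space=2` instead of restoring the value the host had before the test, so a machine that was running with 1 (or was already at 0 for some other reason) is left in a different state than it started in. Consider reading the current value with `sysctl -n kernel.randomize_va_space` at the start of `command`, keeping it somewhere only root can write, and writing that value back in `cleanup_command`, with 2 as the fallback when nothing was recorded. The `description` also opens with "Detects Execution of", but this entry runs the command rather than detecting it; wording such as `Runs sysctl to set kernel.randomize_va_space=0, which disables ASLR until cleanup or reboot` would match what the test does, and it could name the signal defenders should expect (a `sysctl` process with that argument, or a write to `/proc/sys/kernel/randomize_va_space`).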