Potential Privilege Escalation via Sudoers File Modification
A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/26"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/09/23"
6
7[rule]
8author = ["Elastic"]
9description = """
10A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage
11of these configurations to execute commands as other users or spawn processes with higher privileges.
12"""
13from = "now-9m"
14index = ["auditbeat-*", "logs-endpoint.events.*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "Potential Privilege Escalation via Sudoers File Modification"
18references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
19risk_score = 73
20rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
21severity = "high"
22tags = [
23 "Domain: Endpoint",
24 "OS: Linux",
25 "OS: macOS",
26 "Use Case: Threat Detection",
27 "Tactic: Privilege Escalation",
28 "Data Source: Elastic Defend",
29]
30timestamp_override = "event.ingested"
31type = "query"
32
33query = '''
34event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)
35'''
36
37
38[[rule.threat]]
39framework = "MITRE ATT&CK"
40[[rule.threat.technique]]
41id = "T1548"
42name = "Abuse Elevation Control Mechanism"
43reference = "https://attack.mitre.org/techniques/T1548/"
44[[rule.threat.technique.subtechnique]]
45id = "T1548.003"
46name = "Sudo and Sudo Caching"
47reference = "https://attack.mitre.org/techniques/T1548/003/"
48
49
50
51[rule.threat.tactic]
52id = "TA0004"
53name = "Privilege Escalation"
54reference = "https://attack.mitre.org/tactics/TA0004/"
References
Related rules
- SUID/SGID Bit Set
- Sudoers File Modification
- Sudo Heap-Based Buffer Overflow Attempt
- At Job Created or Modified
- Potential Reverse Shell Activity via Terminal