Potential Privilege Escalation via Sudoers File Modification

A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.


 1[metadata]
 2creation_date = "2021/01/26"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage
13of these configurations to execute commands as other users or spawn processes with higher privileges.
14"""
15from = "now-9m"
16index = ["auditbeat-*", "logs-endpoint.events.*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Potential Privilege Escalation via Sudoers File Modification"
20risk_score = 73
21rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
22severity = "high"
23tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
24timestamp_override = "event.ingested"
25type = "query"
26
27query = '''
28event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)
29'''
30
31
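# MITRE ATT&CK mapping. The tactic table below belongs to this same [[rule.threat]] element,
# so it must stay after the technique entries and before any further [[rule.threat]].
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"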

