Sudoers File Modification

A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/04/13"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/09/23"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take
11advantage of these configurations to execute commands as other users or spawn processes with higher privileges.
12"""
13from = "now-9m"
14index = ["auditbeat-*", "logs-endpoint.events.*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "Sudoers File Modification"
18references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
19risk_score = 47
20rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
21severity = "medium"
22tags = [
23    "Domain: Endpoint",
24    "OS: Linux",
25    "OS: macOS",
26    "Use Case: Threat Detection",
27    "Tactic: Privilege Escalation",
28    "Data Source: Elastic Defend",
29]
30timestamp_override = "event.ingested"
31type = "new_terms"
32
33query = '''
34event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and
35not process.name:(dpkg or platform-python or puppet or yum or dnf) and 
36not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)
37'''
38
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42[[rule.threat.technique]]
43id = "T1548"
44name = "Abuse Elevation Control Mechanism"
45reference = "https://attack.mitre.org/techniques/T1548/"
46[[rule.threat.technique.subtechnique]]
47id = "T1548.003"
48name = "Sudo and Sudo Caching"
49reference = "https://attack.mitre.org/techniques/T1548/003/"
50
51
52
53[rule.threat.tactic]
54id = "TA0004"
55name = "Privilege Escalation"
56reference = "https://attack.mitre.org/tactics/TA0004/"
57
58[rule.new_terms]
59field = "new_terms_fields"
60value = ["host.id", "process.executable", "file.path"]
61[[rule.new_terms.history_window_start]]
62field = "history_window_start"
63value = "now-7d"

References

Related rules

to-top