Sudoers File Modification

A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/04/13"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 6min_stack_version = "8.6.0"
 7updated_date = "2023/12/18"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take
13advantage of these configurations to execute commands as other users or spawn processes with higher privileges.
14"""
15from = "now-9m"
16index = ["auditbeat-*", "logs-endpoint.events.*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Sudoers File Modification"
20risk_score = 47
21rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
22severity = "medium"
23tags = [
24        "Domain: Endpoint",
25        "OS: Linux",
26        "OS: macOS",
27        "Use Case: Threat Detection",
28        "Tactic: Privilege Escalation",
29        "Data Source: Elastic Defend"
30        ]
31timestamp_override = "event.ingested"
32type = "new_terms"
33
34query = '''
35event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and
36not process.name:(dpkg or platform-python or puppet or yum or dnf) and 
37not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)
38'''
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42
43[[rule.threat.technique]]
44id = "T1548"
45name = "Abuse Elevation Control Mechanism"
46reference = "https://attack.mitre.org/techniques/T1548/"
47
48[[rule.threat.technique.subtechnique]]
49id = "T1548.003"
50name = "Sudo and Sudo Caching"
51reference = "https://attack.mitre.org/techniques/T1548/003/"
52
53[rule.threat.tactic]
54id = "TA0004"
55name = "Privilege Escalation"
56reference = "https://attack.mitre.org/tactics/TA0004/"
57
58[rule.new_terms]
59field = "new_terms_fields"
60value = ["host.id", "process.executable", "file.path"]
61
62[[rule.new_terms.history_window_start]]
63field = "history_window_start"
64value = "now-7d"

Related rules

to-top