Potential Sudo Hijacking
Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/07/26"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and
11replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or
12enable persistence onto the system every time the sudo binary is executed.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.file*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potential Sudo Hijacking"
19references = [
20 "https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/",
21 "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
22]
23risk_score = 47
24rule_id = "88fdcb8c-60e5-46ee-9206-2663adf1b1ce"
25setup = """## Setup
26
27This rule requires data coming in from Elastic Defend.
28
29### Elastic Defend Integration Setup
30Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
31
32#### Prerequisite Requirements:
33- Fleet is required for Elastic Defend.
34- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
35
36#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
37- Go to the Kibana home page and click "Add integrations".
38- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
39- Click "Add Elastic Defend".
40- Configure the integration name and optionally add a description.
41- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
42- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
43- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
44- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
45For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
46- Click "Save and Continue".
47- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
48For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
49"""
50severity = "medium"
51tags = [
52 "Domain: Endpoint",
53 "OS: Linux",
54 "Use Case: Threat Detection",
55 "Tactic: Privilege Escalation",
56 "Tactic: Persistence",
57 "Data Source: Elastic Defend",
58 "Resources: Investigation Guide",
59]
60timestamp_override = "event.ingested"
61type = "eql"
62
63query = '''
64file where host.os.type == "linux" and event.action in ("creation", "rename") and
65file.path in ("/usr/bin/sudo", "/bin/sudo") and not (
66 file.Ext.original.path in ("/usr/bin/sudo", "/bin/sudo") or
67 process.executable in (
68 "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
69 "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", "/bin/dnf", "/usr/bin/dnf",
70 "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", "/bin/pacman", "/usr/bin/pacman",
71 "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt",
72 "/usr/sbin/pacman", "/usr/bin/microdnf", "/usr/local/bin/dockerd", "/usr/local/bin/podman", "/usr/local/bin/dnf",
73 "/kaniko/executor", "/proc/self/exe", "/usr/bin/apt-get", "/usr/bin/apt-cache", "/usr/bin/apt-mark"
74 ) or
75 file.Ext.original.extension == "dpkg-new" or
76 process.executable : (
77 "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/var/lib/docker/*"
78 ) or
79 process.executable == null or
80 (process.name == "sed" and file.name : "sed*")
81)
82'''
83note = """## Triage and analysis
84
85> **Disclaimer**:
86> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
87
88### Investigating Potential Sudo Hijacking
89
90Sudo is a critical utility in Linux environments, allowing users to execute commands with elevated privileges. Adversaries may exploit this by replacing the sudo binary with a malicious version to capture passwords or maintain persistence. The detection rule identifies suspicious creation or renaming of the sudo binary, excluding legitimate package management processes, to flag potential hijacking attempts.
91
92### Possible investigation steps
93
94- Review the file creation or rename event details to confirm the file path is either /usr/bin/sudo or /bin/sudo, as these are critical locations for the sudo binary.
95- Check the process executable that triggered the event to ensure it is not part of the legitimate package management processes listed in the query, such as /bin/dpkg or /usr/bin/yum.
96- Investigate the user account associated with the event to determine if the activity aligns with their typical behavior or if it appears suspicious.
97- Examine the system logs around the time of the event for any unusual activity or errors that might indicate tampering or unauthorized access.
98- Verify the integrity of the current sudo binary by comparing its hash with a known good version to detect any unauthorized modifications.
99- Assess the system for any additional signs of compromise, such as unexpected network connections or new user accounts, which may indicate broader malicious activity.
100
101### False positive analysis
102
103- Package management processes can trigger false positives when legitimate updates or installations occur. To handle this, ensure that processes like dpkg, rpm, yum, and apt are included in the exclusion list as they are common package managers.
104- Custom scripts or automation tools that modify the sudo binary for legitimate reasons may cause alerts. Review these scripts and consider adding their paths to the exclusion list if they are verified as safe.
105- Temporary files or directories used during legitimate software installations or updates, such as those in /var/lib/dpkg or /tmp, can lead to false positives. Exclude these paths if they are part of a known and safe process.
106- Development or testing environments where sudo binaries are frequently modified for testing purposes might trigger alerts. In such cases, consider excluding these environments from monitoring or adding specific exclusions for known safe modifications.
107- Ensure that any process or executable that is known to interact with the sudo binary in a non-malicious way is added to the exclusion list to prevent unnecessary alerts.
108
109### Response and remediation
110
111- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.
112- Verify the integrity of the sudo binary by comparing its hash with a known good version from a trusted source. If compromised, replace it with the legitimate binary.
113- Conduct a thorough review of system logs and the process execution history to identify any unauthorized changes or suspicious activities related to the sudo binary.
114- Reset passwords for all user accounts on the affected system, especially those with elevated privileges, to mitigate potential credential theft.
115- Implement additional monitoring on the affected system and similar environments to detect any further attempts to modify critical binaries or escalate privileges.
116- Escalate the incident to the security operations team for a comprehensive investigation and to determine if other systems may be affected.
117- Review and update access controls and permissions to ensure that only authorized personnel can modify critical system binaries."""
118
119
120[[rule.threat]]
121framework = "MITRE ATT&CK"
122[[rule.threat.technique]]
123id = "T1548"
124name = "Abuse Elevation Control Mechanism"
125reference = "https://attack.mitre.org/techniques/T1548/"
126[[rule.threat.technique.subtechnique]]
127id = "T1548.003"
128name = "Sudo and Sudo Caching"
129reference = "https://attack.mitre.org/techniques/T1548/003/"
130
131
132
133[rule.threat.tactic]
134id = "TA0004"
135name = "Privilege Escalation"
136reference = "https://attack.mitre.org/tactics/TA0004/"
137[[rule.threat]]
138framework = "MITRE ATT&CK"
139[[rule.threat.technique]]
140id = "T1574"
141name = "Hijack Execution Flow"
142reference = "https://attack.mitre.org/techniques/T1574/"
143
144
145[rule.threat.tactic]
146id = "TA0003"
147name = "Persistence"
148reference = "https://attack.mitre.org/tactics/TA0003/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Potential Sudo Hijacking
Sudo is a critical utility in Linux environments, allowing users to execute commands with elevated privileges. Adversaries may exploit this by replacing the sudo binary with a malicious version to capture passwords or maintain persistence. The detection rule identifies suspicious creation or renaming of the sudo binary, excluding legitimate package management processes, to flag potential hijacking attempts.
Possible investigation steps
- Review the file creation or rename event details to confirm the file path is either /usr/bin/sudo or /bin/sudo, as these are critical locations for the sudo binary.
- Check the process executable that triggered the event to ensure it is not part of the legitimate package management processes listed in the query, such as /bin/dpkg or /usr/bin/yum.
- Investigate the user account associated with the event to determine if the activity aligns with their typical behavior or if it appears suspicious.
- Examine the system logs around the time of the event for any unusual activity or errors that might indicate tampering or unauthorized access.
- Verify the integrity of the current sudo binary by comparing its hash with a known good version to detect any unauthorized modifications.
- Assess the system for any additional signs of compromise, such as unexpected network connections or new user accounts, which may indicate broader malicious activity.
False positive analysis
- Package management processes can trigger false positives when legitimate updates or installations occur. To handle this, ensure that processes like dpkg, rpm, yum, and apt are included in the exclusion list as they are common package managers.
- Custom scripts or automation tools that modify the sudo binary for legitimate reasons may cause alerts. Review these scripts and consider adding their paths to the exclusion list if they are verified as safe.
- Temporary files or directories used during legitimate software installations or updates, such as those in /var/lib/dpkg or /tmp, can lead to false positives. Exclude these paths if they are part of a known and safe process.
- Development or testing environments where sudo binaries are frequently modified for testing purposes might trigger alerts. In such cases, consider excluding these environments from monitoring or adding specific exclusions for known safe modifications.
- Ensure that any process or executable that is known to interact with the sudo binary in a non-malicious way is added to the exclusion list to prevent unnecessary alerts.
Response and remediation
- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.
- Verify the integrity of the sudo binary by comparing its hash with a known good version from a trusted source. If compromised, replace it with the legitimate binary.
- Conduct a thorough review of system logs and the process execution history to identify any unauthorized changes or suspicious activities related to the sudo binary.
- Reset passwords for all user accounts on the affected system, especially those with elevated privileges, to mitigate potential credential theft.
- Implement additional monitoring on the affected system and similar environments to detect any further attempts to modify critical binaries or escalate privileges.
- Escalate the incident to the security operations team for a comprehensive investigation and to determine if other systems may be affected.
- Review and update access controls and permissions to ensure that only authorized personnel can modify critical system binaries.
References
Related rules
- At Job Created or Modified
- Cron Job Created or Modified
- Kernel Load or Unload via Kexec Detected
- Potential Suspicious File Edit
- Privilege Escalation via SUID/SGID