Potential Sudo Hijacking

Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2023/07/26"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and
 11replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or
 12enable persistence onto the system every time the sudo binary is executed.
 13"""
 14from = "now-9m"
 15index = ["logs-endpoint.events.file*"]
 16language = "eql"
 17license = "Elastic License v2"
 18name = "Potential Sudo Hijacking"
 19references = [
 20    "https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/",
 21    "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
 22]
 23risk_score = 47
 24rule_id = "88fdcb8c-60e5-46ee-9206-2663adf1b1ce"
 25setup = """## Setup
 26
 27This rule requires data coming in from Elastic Defend.
 28
 29### Elastic Defend Integration Setup
 30Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 31
 32#### Prerequisite Requirements:
 33- Fleet is required for Elastic Defend.
 34- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 35
 36#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 37- Go to the Kibana home page and click "Add integrations".
 38- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 39- Click "Add Elastic Defend".
 40- Configure the integration name and optionally add a description.
 41- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 42- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 43- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 44- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 45For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 46- Click "Save and Continue".
 47- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 48For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 49"""
 50severity = "medium"
 51tags = [
 52    "Domain: Endpoint",
 53    "OS: Linux",
 54    "Use Case: Threat Detection",
 55    "Tactic: Privilege Escalation",
 56    "Tactic: Persistence",
 57    "Data Source: Elastic Defend",
 58    "Resources: Investigation Guide",
 59]
 60timestamp_override = "event.ingested"
 61type = "eql"
 62
 63query = '''
 64file where host.os.type == "linux" and event.action in ("creation", "rename") and
 65file.path in ("/usr/bin/sudo", "/bin/sudo") and not (
 66  file.Ext.original.path in ("/usr/bin/sudo", "/bin/sudo") or
 67  process.executable in (
 68    "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
 69    "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", "/bin/dnf", "/usr/bin/dnf",
 70    "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", "/bin/pacman", "/usr/bin/pacman",
 71    "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt",
 72    "/usr/sbin/pacman", "/usr/bin/microdnf", "/usr/local/bin/dockerd", "/usr/local/bin/podman", "/usr/local/bin/dnf",
 73    "/kaniko/executor", "/proc/self/exe", "/usr/bin/apt-get", "/usr/bin/apt-cache", "/usr/bin/apt-mark"
 74  ) or
 75  file.Ext.original.extension == "dpkg-new" or
 76  process.executable : (
 77    "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/var/lib/docker/*"
 78  ) or
 79  process.executable == null or
 80  (process.name == "sed" and file.name : "sed*")
 81)
 82'''
 83note = """## Triage and analysis
 84
 85> **Disclaimer**:
 86> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 87
 88### Investigating Potential Sudo Hijacking
 89
 90Sudo is a critical utility in Linux environments, allowing users to execute commands with elevated privileges. Adversaries may exploit this by replacing the sudo binary with a malicious version to capture passwords or maintain persistence. The detection rule identifies suspicious creation or renaming of the sudo binary, excluding legitimate package management processes, to flag potential hijacking attempts.
 91
 92### Possible investigation steps
 93
 94- Review the file creation or rename event details to confirm the file path is either /usr/bin/sudo or /bin/sudo, as these are critical locations for the sudo binary.
 95- Check the process executable that triggered the event to ensure it is not part of the legitimate package management processes listed in the query, such as /bin/dpkg or /usr/bin/yum.
 96- Investigate the user account associated with the event to determine if the activity aligns with their typical behavior or if it appears suspicious.
 97- Examine the system logs around the time of the event for any unusual activity or errors that might indicate tampering or unauthorized access.
 98- Verify the integrity of the current sudo binary by comparing its hash with a known good version to detect any unauthorized modifications.
 99- Assess the system for any additional signs of compromise, such as unexpected network connections or new user accounts, which may indicate broader malicious activity.
100
101### False positive analysis
102
103- Package management processes can trigger false positives when legitimate updates or installations occur. To handle this, ensure that processes like dpkg, rpm, yum, and apt are included in the exclusion list as they are common package managers.
104- Custom scripts or automation tools that modify the sudo binary for legitimate reasons may cause alerts. Review these scripts and consider adding their paths to the exclusion list if they are verified as safe.
105- Temporary files or directories used during legitimate software installations or updates, such as those in /var/lib/dpkg or /tmp, can lead to false positives. Exclude these paths if they are part of a known and safe process.
106- Development or testing environments where sudo binaries are frequently modified for testing purposes might trigger alerts. In such cases, consider excluding these environments from monitoring or adding specific exclusions for known safe modifications.
107- Ensure that any process or executable that is known to interact with the sudo binary in a non-malicious way is added to the exclusion list to prevent unnecessary alerts.
108
109### Response and remediation
110
111- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.
112- Verify the integrity of the sudo binary by comparing its hash with a known good version from a trusted source. If compromised, replace it with the legitimate binary.
113- Conduct a thorough review of system logs and the process execution history to identify any unauthorized changes or suspicious activities related to the sudo binary.
114- Reset passwords for all user accounts on the affected system, especially those with elevated privileges, to mitigate potential credential theft.
115- Implement additional monitoring on the affected system and similar environments to detect any further attempts to modify critical binaries or escalate privileges.
116- Escalate the incident to the security operations team for a comprehensive investigation and to determine if other systems may be affected.
117- Review and update access controls and permissions to ensure that only authorized personnel can modify critical system binaries."""
118
119
120[[rule.threat]]
121framework = "MITRE ATT&CK"
122[[rule.threat.technique]]
123id = "T1548"
124name = "Abuse Elevation Control Mechanism"
125reference = "https://attack.mitre.org/techniques/T1548/"
126[[rule.threat.technique.subtechnique]]
127id = "T1548.003"
128name = "Sudo and Sudo Caching"
129reference = "https://attack.mitre.org/techniques/T1548/003/"
130
131
132
133[rule.threat.tactic]
134id = "TA0004"
135name = "Privilege Escalation"
136reference = "https://attack.mitre.org/tactics/TA0004/"
137[[rule.threat]]
138framework = "MITRE ATT&CK"
139[[rule.threat.technique]]
140id = "T1574"
141name = "Hijack Execution Flow"
142reference = "https://attack.mitre.org/techniques/T1574/"
143
144
145[rule.threat.tactic]
146id = "TA0003"
147name = "Persistence"
148reference = "https://attack.mitre.org/tactics/TA0003/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Potential Sudo Hijacking

Sudo is a critical utility in Linux environments, allowing users to execute commands with elevated privileges. Adversaries may exploit this by replacing the sudo binary with a malicious version to capture passwords or maintain persistence. The detection rule identifies suspicious creation or renaming of the sudo binary, excluding legitimate package management processes, to flag potential hijacking attempts.

Possible investigation steps

  • Review the file creation or rename event details to confirm the file path is either /usr/bin/sudo or /bin/sudo, as these are critical locations for the sudo binary.
  • Check the process executable that triggered the event to ensure it is not part of the legitimate package management processes listed in the query, such as /bin/dpkg or /usr/bin/yum.
  • Investigate the user account associated with the event to determine if the activity aligns with their typical behavior or if it appears suspicious.
  • Examine the system logs around the time of the event for any unusual activity or errors that might indicate tampering or unauthorized access.
  • Verify the integrity of the current sudo binary by comparing its hash with a known good version to detect any unauthorized modifications.
  • Assess the system for any additional signs of compromise, such as unexpected network connections or new user accounts, which may indicate broader malicious activity.

False positive analysis

  • Package management processes can trigger false positives when legitimate updates or installations occur. To handle this, ensure that processes like dpkg, rpm, yum, and apt are included in the exclusion list as they are common package managers.
  • Custom scripts or automation tools that modify the sudo binary for legitimate reasons may cause alerts. Review these scripts and consider adding their paths to the exclusion list if they are verified as safe.
  • Temporary files or directories used during legitimate software installations or updates, such as those in /var/lib/dpkg or /tmp, can lead to false positives. Exclude these paths if they are part of a known and safe process.
  • Development or testing environments where sudo binaries are frequently modified for testing purposes might trigger alerts. In such cases, consider excluding these environments from monitoring or adding specific exclusions for known safe modifications.
  • Ensure that any process or executable that is known to interact with the sudo binary in a non-malicious way is added to the exclusion list to prevent unnecessary alerts.

Response and remediation

  • Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.
  • Verify the integrity of the sudo binary by comparing its hash with a known good version from a trusted source. If compromised, replace it with the legitimate binary.
  • Conduct a thorough review of system logs and the process execution history to identify any unauthorized changes or suspicious activities related to the sudo binary.
  • Reset passwords for all user accounts on the affected system, especially those with elevated privileges, to mitigate potential credential theft.
  • Implement additional monitoring on the affected system and similar environments to detect any further attempts to modify critical binaries or escalate privileges.
  • Escalate the incident to the security operations team for a comprehensive investigation and to determine if other systems may be affected.
  • Review and update access controls and permissions to ensure that only authorized personnel can modify critical system binaries.

References

Related rules

to-top