Persistence Via Sudoers Files

Detects creation of a sudoers file, or of files in the "sudoers.d" directory, which can be used as a potential method to persist privileges for a specific user.

Sigma rule

```yaml
title: Persistence Via Sudoers Files
id: ddb26b76-4447-4807-871f-1b035b2bfa5d
status: test
description: Detects creation of a sudoers file, or of files in the "sudoers.d" directory, which can be used as a potential method to persist privileges for a specific user.
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|startswith: '/etc/sudoers.d/'
    condition: selection
falsepositives:
    - Creation of legitimate files in sudoers.d folder part of administrator work
level: medium
```
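The rule's selection evaluated over constructed file_event records, as an added example (not code from the rule, SigmaHQ or its tooling): a minimal evaluator for the `Field|modifier` syntax the rule uses, following Sigma's default case-insensitive string matching. The sample paths are invented; note that, as written, the selection fires only for paths under `/etc/sudoers.d/`, so a direct write to `/etc/sudoers` (third sample) is not matched by this rule.

```python
# Added example, not part of the Sigma rule or SigmaHQ tooling.
from typing import Any

# The rule's selection, transcribed from the YAML above.
SELECTION = {"TargetFilename|startswith": "/etc/sudoers.d/"}


def _field_matches(event: dict[str, Any], key: str, expected: str) -> bool:
    """Evaluate one 'Field|modifier: value' pair against an event.

    Sigma string comparisons are case-insensitive by default, so both
    sides are lower-cased before the comparison.
    """
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if not isinstance(actual, str):
        return False  # missing or non-string field never matches
    a, e = actual.lower(), expected.lower()
    if modifier == "":
        return a == e
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event: dict[str, Any], selection=SELECTION) -> bool:
    """All pairs of a selection map must hold (Sigma AND semantics)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


# Constructed sample Linux file_event records (not real telemetry).
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/sudoers.d/90-cloud-init-users"},  # likely legit
    {"TargetFilename": "/etc/sudoers.d/10-example-user"},     # needs review
    {"TargetFilename": "/etc/sudoers"},                       # not matched
    {"TargetFilename": "/tmp/sudoers.d/notes"},               # not matched
]


def alerts(events=SAMPLE_EVENTS) -> list[str]:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches_selection(e)]


if __name__ == "__main__":
    for path in alerts():
        print("ALERT Persistence Via Sudoers Files:", path)
```

Each hit still needs the triage the falsepositives entry implies: who created the file and whether it belongs to administrator or provisioning work.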
