Persistence Via Sudoers Files

Detects creation of a sudoers file or of files in the "sudoers.d" directory, which can be used as a method to persist privileges for a specific user.

Sigma rule

```yaml
title: Persistence Via Sudoers Files
id: ddb26b76-4447-4807-871f-1b035b2bfa5d
status: test
description: Detects creation of a sudoers file or of files in the "sudoers.d" directory, which can be used as a method to persist privileges for a specific user.
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/05
modified: 2022/12/31
tags:
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|startswith: '/etc/sudoers.d/'
    condition: selection
falsepositives:
    - Creation of legitimate files in the sudoers.d folder as part of administrator work
level: medium
```
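
The following is an added example, not part of the rule or the Sigma project, that evaluates the rule's `selection` over a handful of constructed Linux `file_event` records. It implements the `startswith` modifier (plus `contains` and `endswith`, which the rule does not use) so you can see exactly which paths the rule as written catches: files under `/etc/sudoers.d/` match, while a write to `/etc/sudoers` itself or to a look-alike path such as `/etc/sudoers.dist` does not. The event field names and values below are assumptions chosen to mirror the rule.

```python
# Added example: evaluate the Sigma selection above against constructed events.
# Constructed sample file_event records (hypothetical; field names mirror the rule).
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/sudoers.d/90-cloud-init-users", "Image": "/usr/bin/cloud-init"},
    {"TargetFilename": "/etc/sudoers.d/README", "Image": "/usr/bin/dpkg"},
    {"TargetFilename": "/etc/sudoers.d/ops-team", "Image": "/usr/bin/bash"},
    {"TargetFilename": "/etc/sudoers", "Image": "/usr/sbin/visudo"},      # main file: not covered
    {"TargetFilename": "/etc/sudoers.dist", "Image": "/usr/bin/dpkg"},    # look-alike: not covered
    {"TargetFilename": "/home/alice/notes.txt", "Image": "/usr/bin/vim"},
]

# The rule's detection block, transcribed from the YAML above.
RULE = {
    "title": "Persistence Via Sudoers Files",
    "level": "medium",
    "selection": {"TargetFilename|startswith": "/etc/sudoers.d/"},
}


def matches_selection(event: dict, selection: dict) -> bool:
    """Return True when every 'field|modifier: value' pair in the selection holds."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False  # field absent: the selection cannot match
        if modifier == "":
            ok = value == expected
        elif modifier == "startswith":
            ok = value.startswith(expected)
        elif modifier == "endswith":
            ok = value.endswith(expected)
        elif modifier == "contains":
            ok = expected in value
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
        if not ok:
            return False
    return True


def run_rule(events: list, rule: dict = RULE) -> list:
    """Return the TargetFilename of every event the rule's selection matches."""
    return [e["TargetFilename"] for e in events if matches_selection(e, rule["selection"])]


if __name__ == "__main__":
    for path in run_rule(SAMPLE_EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: {path}")
```

Triaging the three hits still needs the writing process (the `Image` field here): package managers and provisioning tools writing into `sudoers.d` are the false-positive case the rule lists, while an interactive shell doing so is the one to look at.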
