Persistence Via Sudoers Files

Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.

Sigma rule (View on GitHub)

 1title: Persistence Via Sudoers Files
 2id: ddb26b76-4447-4807-871f-1b035b2bfa5d
 3status: test
 4description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.
 5references:
 6    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-07-05
 9modified: 2022-12-31
10tags:
11    - attack.persistence
12    - attack.t1053.003
13logsource:
14    product: linux
15    category: file_event
16detection:
17    selection:
18        TargetFilename|startswith: '/etc/sudoers.d/'
19    condition: selection
20falsepositives:
21    - Creation of legitimate files in sudoers.d folder part of administrator work
22level: medium

References

Related rules

to-top