Persistence Via Sudoers.d Files
Detects the creation or modification of files within the "sudoers.d" directory on Linux systems. Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions. Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.
Sigma rule
title: Persistence Via Sudoers.d Files
id: ddb26b76-4447-4807-871f-1b035b2bfa5d
status: test
description: |
    Detects the creation or modification of files within the "sudoers.d" directory on Linux systems.
    Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions.
    Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2026-03-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548.003
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|startswith: '/etc/sudoers.d/'
    filter_main_dpkg:
        Image|endswith: '/usr/bin/dpkg'
        TargetFilename: '/etc/sudoers.d/README.dpkg-new'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Creation of legitimate files in sudoers.d folder as part of administrator work
level: medium
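To show how the selection and the dpkg filter combine, here is an added example (not code from the Sigma project) that evaluates the rule's condition over constructed file_event records in JSON-lines form, using the same field names the rule references. The record format and every path in the sample log are assumptions made for the example.

```python
import json

# Constructed sample file_event records (not real telemetry). Field names
# follow the rule: Image = writing process, TargetFilename = path written.
SAMPLE_LOG = """\
{"Image": "/usr/bin/dpkg", "TargetFilename": "/etc/sudoers.d/README.dpkg-new"}
{"Image": "/usr/bin/bash", "TargetFilename": "/etc/sudoers.d/90-ops"}
{"Image": "/usr/bin/dpkg", "TargetFilename": "/etc/sudoers.d/10-custom"}
{"Image": "/usr/bin/vim", "TargetFilename": "/etc/ssh/sshd_config"}
{"Image": "/usr/bin/vim", "TargetFilename": "/etc/sudoers"}
"""


def matches_sudoers_rule(event: dict) -> bool:
    """Mirror the rule: selection and not 1 of filter_main_*."""
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")

    # selection: any write below /etc/sudoers.d/ (note: /etc/sudoers
    # itself does not match; the rule is scoped to the drop-in directory)
    selection = target.startswith("/etc/sudoers.d/")

    # filter_main_dpkg: only dpkg writing its README staging file is
    # excluded; dpkg writing any other sudoers.d file still alerts
    filter_main_dpkg = (
        image.endswith("/usr/bin/dpkg")
        and target == "/etc/sudoers.d/README.dpkg-new"
    )
    return selection and not filter_main_dpkg


def parse_events(text: str) -> list:
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def alerts(text: str) -> list:
    """Return TargetFilename of every record that triggers the rule."""
    return [e["TargetFilename"] for e in parse_events(text)
            if matches_sudoers_rule(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_LOG):
        print("ALERT sudoers.d change:", path)
```

Running it reports the two non-README writes under /etc/sudoers.d/ and stays silent on the dpkg README, the sshd_config edit, and the edit to /etc/sudoers itself, which falls outside this rule's selection.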