Cat Sudoers
Detects the execution of a cat /etc/sudoers to list all users that have sudo rights
Sigma rule (View on GitHub)
1title: Cat Sudoers
2id: 0f79c4d2-4e1f-4683-9c36-b5469a665e06
3status: test
4description: Detects the execution of a cat /etc/sudoers to list all users that have sudo rights
5references:
6 - https://github.com/sleventyeleven/linuxprivchecker/
7author: Florian Roth (Nextron Systems)
8date: 2022-06-20
9modified: 2022-09-15
10tags:
11 - attack.reconnaissance
12 - attack.t1592.004
13logsource:
14 category: process_creation
15 product: linux
16detection:
17 selection:
18 Image|endswith:
19 - '/cat'
20 - 'grep'
21 - '/head'
22 - '/tail'
23 - '/more'
24 CommandLine|contains: ' /etc/sudoers'
25 condition: selection
26falsepositives:
27 - Legitimate administration activities
28level: medium
References
-
linuxprivchecker.py -- a Linux Privilege Escalation Check Script - sleventyeleven/linuxprivchecker
Read More
Related rules
- Linux Recon Indicators
- Print History File Contents
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- Azure AD Account Credential Leaked