Cat Sudoers

Feb 1, 2023 · attack.reconnaissance attack.t1592.004 ·

Detects the execution of a cat /etc/sudoers to list all users that have sudo rights

Sigma rule (View on GitHub)

 1title: Cat Sudoers
 2id: 0f79c4d2-4e1f-4683-9c36-b5469a665e06
 3status: test
 4description: Detects the execution of a cat /etc/sudoers to list all users that have sudo rights
 5references:
 6    - https://github.com/sleventyeleven/linuxprivchecker/
 7author: Florian Roth (Nextron Systems)
 8date: 2022/06/20
 9modified: 2022/09/15
10tags:
11    - attack.reconnaissance
12    - attack.t1592.004
13logsource:
14    category: process_creation
15    product: linux
16detection:
17    selection:
18        Image|endswith:
19            - '/cat'
20            - 'grep'
21            - '/head'
22            - '/tail'
23            - '/more'
24        CommandLine|contains: ' /etc/sudoers'
25    condition: selection
26falsepositives:
27    - Legitimate administration activities
28level: medium

References

GitHub - sleventyeleven/linuxprivchecker: linuxprivchecker.py -- a Linux Privilege Escalation Check Script

linuxprivchecker.py -- a Linux Privilege Escalation Check Script - sleventyeleven/linuxprivchecker

Read More

Related rules

SSHD Error Message CVE-2018-15473

Cat Sudoers

Sigma rule (View on GitHub)

References

GitHub - sleventyeleven/linuxprivchecker: linuxprivchecker.py -- a Linux Privilege Escalation Check Script

Related rules