Access of Sudoers File Content

calendar Jun 5, 2025 · attack.reconnaissance attack.t1592.004  ·
Share on: linkedin copy

Detects the execution of a text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.

Sigma rule (View on GitHub)

 1title: Access of Sudoers File Content
 2id: 0f79c4d2-4e1f-4683-9c36-b5469a665e06
 3status: test
 4description: Detects the execution of a text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.
 5references:
 6    - https://github.com/sleventyeleven/linuxprivchecker/
 7author: Florian Roth (Nextron Systems)
 8date: 2022-06-20
 9modified: 2025-06-04
10tags:
11    - attack.reconnaissance
12    - attack.t1592.004
13logsource:
14    category: process_creation
15    product: linux
16detection:
17    selection:
18        Image|endswith:
19            - '/cat'
20            - '/ed'
21            - '/egrep'
22            - '/emacs'
23            - '/fgrep'
24            - '/grep'
25            - '/head'
26            - '/less'
27            - '/more'
28            - '/nano'
29            - '/tail'
30        CommandLine|contains: ' /etc/sudoers'
31    condition: selection
32falsepositives:
33    - Legitimate administration activities
34level: medium

References

Related rules

to-top