Sudoers File Modification

Elastic Stack Serverless Security

A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.

Rule type: query

Rule indices:

• auditbeat-*
• logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

• Elastic
• Host
• Linux
• macOS
• Threat Detection
• Privilege Escalation

Version: 101

Rule authors:

• Elastic

Rule license: Elastic License v2

event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Privilege Escalation
  • ID: TA0004
  • Reference URL: https://attack.mitre.org/tactics/TA0004/

• Technique:

  • Name: Abuse Elevation Control Mechanism
  • ID: T1548
  • Reference URL: https://attack.mitre.org/techniques/T1548/

• Sub-technique:

  • Name: Sudo and Sudo Caching
  • ID: T1548.003
  • Reference URL: https://attack.mitre.org/techniques/T1548/003/