This analytic detects possible access to or modification of the /etc/sudoers file. "/etc/sudoers" controls who can run which commands as which users on which machines, and whether a given user needs a password for particular commands. Adversaries and threat actors abuse this file to gain persistence and/or escalate privileges during an attack on a targeted host.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2022-01-10
- Author: Teoderick Contreras, Splunk
- ID: 4479539c-71fc-11ec-b2e2-acde48001122
| ID | Technique | Tactic |
|---|---|---|
| T1548.003 | Sudo and Sudo Caching | Privilege Escalation, Defense Evasion |
| T1548 | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion |
```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
    where Processes.process_name IN("cat", "nano*", "vim*", "vi*") AND Processes.process IN("*/etc/sudoers*")
    by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_possible_access_to_sudoers_file_filter`
```
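As an added example (not part of the Splunk analytic), the following Python reproduces the search's where-clause matching and its `by`-field aggregation over a few constructed Endpoint.Processes-style events, so the coverage of the wildcard lists can be checked offline before tuning the filter macro. Field names follow the search; hostnames, users, PIDs and timestamps are invented.

```python
import fnmatch

# Patterns from the analytic's search. Splunk's "*" maps directly to fnmatch's "*",
# and Splunk value matching is case-insensitive, so both sides are lower-cased.
PROCESS_NAME_PATTERNS = ("cat", "nano*", "vim*", "vi*")
PROCESS_PATTERNS = ("*/etc/sudoers*",)
GROUP_FIELDS = ("dest", "user", "parent_process_name", "process_name",
                "process", "process_id", "parent_process_id")
# Constructed sample events shaped like Endpoint.Processes fields (not real telemetry).
SAMPLE_EVENTS = [
    {"_time": 1641801600, "dest": "host-a", "user": "www-data", "parent_process_name": "bash",
     "process_name": "cat", "process": "cat /etc/sudoers", "process_id": 4101, "parent_process_id": 4000},
    {"_time": 1641801630, "dest": "host-a", "user": "www-data", "parent_process_name": "bash",
     "process_name": "cat", "process": "cat /etc/sudoers", "process_id": 4101, "parent_process_id": 4000},
    {"_time": 1641805200, "dest": "host-b", "user": "root", "parent_process_name": "sshd",
     "process_name": "vim", "process": "vim /etc/sudoers.d/deploy", "process_id": 5120, "parent_process_id": 5100},
    # Not matched: a cat of a different file, and a pager ("less") that is outside the
    # process_name list, which is a coverage gap of this analytic worth knowing about.
    {"_time": 1641805260, "dest": "host-b", "user": "root", "parent_process_name": "bash",
     "process_name": "cat", "process": "cat /etc/hostname", "process_id": 5130, "parent_process_id": 5100},
    {"_time": 1641805300, "dest": "host-c", "user": "ops", "parent_process_name": "bash",
     "process_name": "less", "process": "less /etc/sudoers", "process_id": 6001, "parent_process_id": 6000},
]

def _any_match(value, patterns):
    value = str(value).lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)

def matches(event):
    """The search's where clause applied to one Processes event."""
    return (_any_match(event["process_name"], PROCESS_NAME_PATTERNS)
            and _any_match(event["process"], PROCESS_PATTERNS))

def detect(events):
    """The tstats aggregation: count, first seen and last seen per 'by' field group."""
    rows = {}
    for e in events:
        if not matches(e):
            continue
        key = tuple(e[f] for f in GROUP_FIELDS)
        row = rows.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], e["_time"])
        row["lastTime"] = max(row["lastTime"], e["_time"])
    return [dict(zip(GROUP_FIELDS, k), **v) for k, v in rows.items()]
```

Running `detect(SAMPLE_EVENTS)` yields two rows (the repeated `cat` on host-a with count 2, and the `vim` edit under sudoers.d on host-b); the `less` read on host-c is silently missed, and `vi*` is a prefix glob that also covers `visudo` and `view`, which matters when tuning the filter macro.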
Associated Analytic Story
How To Implement
To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
Kill Chain Phase
- Privilege Escalation
Known False Positives
Administrators or network operators can legitimately execute these commands. Please update the filter macros to remove false positives.
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 25.0 | 50 | 50 | A commandline $process$ executed on $dest$ |
- Version: 1