This analytic is to looks for suspicious commandline that add entry to /etc/sudoers by using visudo utility tool in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what).
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-12-21
- Author: Teoderick Contreras, Splunk
- ID: 08c41040-624c-11ec-a71f-acde48001122
|T1548.003||Sudo and Sudo Caching||Privilege Escalation, Defense Evasion|
|T1548||Abuse Elevation Control Mechanism||Privilege Escalation, Defense Evasion|
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = visudo by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_visudo_utility_execution_filter`
Associated Analytic Story
How To Implement
To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
Kill Chain Phase
- Privilege Escalation
Known False Positives
Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
|16.0||40||40||A commandline $process$ executed on $dest$|
source | version: 1