title: Sudo Caching
id: 67150558-c02a-457f-8dee-99b2201c0877
description: Detects sudo caching attempt
references:
    - https://attack.mitre.org/techniques/T1206/
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1206/T1206.md
author: Ömer Günal
date: 2020/06/16
tags:
    - attack.privilege_escalation
    - attack.t1206
level: medium
logsource:
    product: linux
detection:
    keywords:
        - 'sudo sh -c "echo Defaults *tty_tickets >> /etc/sudoers"'
        - 'sudo visudo -c -f /etc/sudoers'
    condition: keywords 
falsepositives:
    - Unknown