hunting/linux/docs/privilege_escalation_via_existing_sudoers.md

# Privilege Escalation Identification via Existing Sudoers File

---

## Metadata

- **Author:** Elastic
- **Description:** This hunt identifies entries in the sudoers file on Linux systems using OSQuery. The sudoers file controls which users have administrative privileges and can be a target for attackers seeking to escalate their privileges. This hunt lists all sudoers rules for further analysis.

- **UUID:** `6e57e6a6-f150-405d-b8be-e4e666a3a86d`
- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
- **Language:** `[SQL]`
- **Source File:** [Privilege Escalation Identification via Existing Sudoers File](../queries/privilege_escalation_via_existing_sudoers.toml)

## Query

```sql
SELECT * FROM sudoers
```

## Notes

- Lists all entries in the sudoers file using OSQuery to detect potentially unauthorized or suspicious rules.
- Requires additional data analysis and investigation into results to identify malicious or misconfigured sudoers entries.
- Focuses on monitoring and analyzing administrative privileges granted through the sudoers file.

## MITRE ATT&CK Techniques

- [T1548.003](https://attack.mitre.org/techniques/T1548/003)

## License

- `Elastic License v2`
[New Hunt] Add Initial Linux Hunting Files (#3847 ) 2024-07-05 14:01:12 -04:00			`# Privilege Escalation Identification via Existing Sudoers File`

			`---`

			`## Metadata`

			`- Author: Elastic`
			`- Description: This hunt identifies entries in the sudoers file on Linux systems using OSQuery. The sudoers file controls which users have administrative privileges and can be a target for attackers seeking to escalate their privileges. This hunt lists all sudoers rules for further analysis.`

			- UUID: `6e57e6a6-f150-405d-b8be-e4e666a3a86d`
			`- Integration: [endpoint](https://docs.elastic.co/integrations/endpoint)`
			- Language: `[SQL]`
[Bug] Normalize Hunting Index Link Generation (#3872 ) 2024-07-10 11:01:59 -04:00			`- Source File: [Privilege Escalation Identification via Existing Sudoers File](../queries/privilege_escalation_via_existing_sudoers.toml)`
[New Hunt] Add Initial Linux Hunting Files (#3847 ) 2024-07-05 14:01:12 -04:00
			`## Query`

			```sql
			`SELECT * FROM sudoers`
			```

			`## Notes`

			`- Lists all entries in the sudoers file using OSQuery to detect potentially unauthorized or suspicious rules.`
			`- Requires additional data analysis and investigation into results to identify malicious or misconfigured sudoers entries.`
			`- Focuses on monitoring and analyzing administrative privileges granted through the sudoers file.`
[Bug] Normalize Hunting Index Link Generation (#3872 ) 2024-07-10 11:01:59 -04:00
[New Hunt] Add Initial Linux Hunting Files (#3847 ) 2024-07-05 14:01:12 -04:00			`## MITRE ATT&CK Techniques`

			`- [T1548.003](https://attack.mitre.org/techniques/T1548/003)`

			`## License`

			- `Elastic License v2`