[hunt]
author = "Elastic"
description = """
This hunt identifies entries in the sudoers file on Linux systems using OSQuery. The sudoers file controls which users have administrative privileges and can be a target for attackers seeking to escalate their privileges. This hunt lists all sudoers rules for further analysis.
"""
integration = ["endpoint"]
uuid = "6e57e6a6-f150-405d-b8be-e4e666a3a86d"
name = "Privilege Escalation Identification via Existing Sudoers File"
language = ["SQL"]
license = "Elastic License v2"
notes = [
    "Lists all entries in the sudoers file using OSQuery to detect potentially unauthorized or suspicious rules.",
    "Requires additional data analysis and investigation into results to identify malicious or misconfigured sudoers entries.",
    "Focuses on monitoring and analyzing administrative privileges granted through the sudoers file."
]
mitre = ["T1548.003"]

query = [
'''
SELECT * FROM sudoers
'''
]