[metadata]
creation_date = "2020/04/13"
ecs_version = ["1.4.0"]
maturity = "production"
updated_date = "2020/04/13"

[rule]
author = ["Elastic"]
description = """
A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take
advantage of these configurations to execute commands as other users or spawn processes with higher privileges.
"""
index = ["auditbeat-*"]
language = "kuery"
license = "Elastic License"
name = "Sudoers File Modification"
risk_score = 21
rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
severity = "low"
tags = ["Elastic", "Linux"]
type = "query"

query = '''
event.module:file_integrity and event.action:updated and file.path:/etc/sudoers
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1169"
name = "Sudo"
reference = "https://attack.mitre.org/techniques/T1169/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"