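[metadata]
creation_date = "2020/04/13"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
# The new_terms section below uses three fields, which is why 8.6 is the floor.
min_stack_version = "8.6.0"
updated_date = "2023/09/22"

[rule]
author = ["Elastic"]
description = """
A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take
advantage of these configurations to execute commands as other users or spawn processes with higher privileges.
"""
# Short look-back window; timestamp_override = "event.ingested" below means the
# window is measured against ingest time, so late-arriving events are not missed.
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Sudoers File Modification"
risk_score = 47
rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "new_terms"

# The trailing wildcard deliberately covers the main file, the /etc/sudoers.d/
# drop-in directory and the temporary copy visudo writes next to the file.
# /private/etc/ is listed because /etc resolves there on macOS.
# NOTE(review): only `change` events are matched. Confirm that writing a brand-new
# drop-in under /etc/sudoers.d/ surfaces as `change` in both data sources; if it
# only surfaces as `creation`, that path is currently blind.
query = '''
event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

# New-terms semantics: an alert is raised only the first time a given
# host / writing executable / sudoers path combination is seen within the
# history window. Practitioner caveats that follow from this:
#   - a package manager or config-management agent that edits sudoers routinely
#     will alert once per host per window, then go quiet (low noise, by design);
#   - an attacker who edits sudoers with an executable an admin already used in
#     the window (e.g. the same editor) will be suppressed on that host, so this
#     rule should not be the only control on sudoers integrity.
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]

# Baseline period used to decide whether a term is "new".
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"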