sigma-rules/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml

[metadata]
creation_date = "2020/04/13"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"

[rule]
author = ["Elastic"]
description = """
A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take
advantage of these configurations to execute commands as other users or spawn processes with higher privileges.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Sudoers File Modification"
references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
risk_score = 47
rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and
not process.name:(dpkg or platform-python or puppet or yum or dnf) and 
not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"