Adversaries may attempt to access the /etc/sudoers file to identify users with sudo privileges, which could aid in privilege escalation. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential privilege discovery and limit the impact of advanced persistent threats.
Detection Rule
title: Access of Sudoers File Content
id: 0f79c4d2-4e1f-4683-9c36-b5469a665e06
status: test
description: Detects the execution of text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.
references:
    - https://github.com/sleventyeleven/linuxprivchecker/
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2025-06-04
tags:
    - attack.reconnaissance
    - attack.t1592.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/cat'
            - '/ed'
            - '/egrep'
            - '/emacs'
            - '/fgrep'
            - '/grep'
            - '/head'
            - '/less'
            - '/more'
            - '/nano'
            - '/tail'
        CommandLine|contains: ' /etc/sudoers'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
Azure Sentinel Query (KQL)
imProcessCreate
| where (TargetProcessName endswith "/cat"
        or TargetProcessName endswith "/ed"
        or TargetProcessName endswith "/egrep"
        or TargetProcessName endswith "/emacs"
        or TargetProcessName endswith "/fgrep"
        or TargetProcessName endswith "/grep"
        or TargetProcessName endswith "/head"
        or TargetProcessName endswith "/less"
        or TargetProcessName endswith "/more"
        or TargetProcessName endswith "/nano"
        or TargetProcessName endswith "/tail")
    and TargetProcessCommandLine contains " /etc/sudoers"
Scenario: System Administrator Reviewing /etc/sudoers for Compliance
Description: An admin is manually checking the sudoers file during an audit or compliance check.
Filter/Exclusion: Exclude processes initiated by users with sudo privileges or filter by specific admin accounts (e.g., root, admin, audit_user).
Scenario: Automated Compliance Tool Scanning for Sudoers File
Description: A security tool or configuration management system (e.g., Ansible, Puppet) is scanning or validating the sudoers file as part of a configuration audit.
Filter/Exclusion: Exclude processes launched by known compliance tools, or filter by process names such as ansible, puppet, or auditd.
Scenario: Scheduled Job to Backup /etc/sudoers
Description: A cron job or scheduled task is configured to back up the sudoers file as part of a regular backup process.
Filter/Exclusion: Exclude processes with cron or systemd-timedate in the command line, or filter by specific backup scripts (e.g., backup_sudoers.sh).
Scenario: User Viewing Sudoers File via less or cat for Troubleshooting
Description: A user is viewing the sudoers file using less or cat to troubleshoot permission issues or verify their own sudo access.
Filter/Exclusion: Exclude commands executed by users with known troubleshooting roles (e.g., support, devops) or filter by specific commands like cat /etc/sudoers or less /etc/sudoers.
Scenario: Log Analysis Tool Reading Sudoers File for Pattern Matching
Description: A log analysis or SIEM tool (e.g., ELK, Splunk) is reading the sudoers file to analyze sudo command patterns
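As an added example (not code from the rule's author or from this page), the following Python applies the Sigma selection above to constructed process-creation events and layers on an allowlist modelled on the audit-account and automation-parent scenarios; the User and ParentImage fields, the allowlist values and the sample events are assumptions.

```python
# Added example, not part of the Sigma rule or this page: the rule's selection
# logic plus an allowlist modelled on the false-positive scenarios, run over
# constructed process_creation events. "User" and "ParentImage" are assumed
# enrichment fields; the allowlist values are constructed placeholders.

READER_IMAGES = ('/cat', '/ed', '/egrep', '/emacs', '/fgrep', '/grep',
                 '/head', '/less', '/more', '/nano', '/tail')
SUDOERS_TOKEN = ' /etc/sudoers'  # leading space, exactly as in the rule
ALLOWED_USERS = {'audit_user'}                                   # audit account
ALLOWED_PARENTS = ('/ansible', '/puppet', '/backup_sudoers.sh')  # automation

def selection(event):
    """Sigma 'selection': Image|endswith any reader AND CommandLine|contains token."""
    return (event.get('Image', '').endswith(READER_IMAGES)
            and SUDOERS_TOKEN in event.get('CommandLine', ''))

def is_tuned_out(event):
    """Suppress hits from audit accounts or known automation parent processes."""
    return (event.get('User') in ALLOWED_USERS
            or event.get('ParentImage', '').endswith(ALLOWED_PARENTS))

def hunt(events):
    """Split events into (alerts, suppressed) for triage."""
    alerts, suppressed = [], []
    for ev in events:
        if selection(ev):
            (suppressed if is_tuned_out(ev) else alerts).append(ev)
    return alerts, suppressed

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {'Image': '/usr/bin/cat', 'CommandLine': 'cat /etc/sudoers',
     'User': 'www-data', 'ParentImage': '/bin/sh'},              # alert
    {'Image': '/usr/bin/less', 'CommandLine': 'less /etc/sudoers',
     'User': 'audit_user', 'ParentImage': '/bin/bash'},          # audit account
    {'Image': '/usr/bin/grep', 'CommandLine': 'grep NOPASSWD /etc/sudoers.d/x',
     'User': 'root', 'ParentImage': '/usr/bin/ansible'},         # CM tool parent
    {'Image': '/usr/bin/sed', 'CommandLine': 'sed -n p /etc/sudoers',
     'User': 'www-data', 'ParentImage': '/bin/sh'},              # sed: gap in list
    {'Image': '/usr/bin/cat', 'CommandLine': 'cat /etc/sudoers.bak',
     'User': 'bob', 'ParentImage': '/bin/bash'},                 # substring match
]

if __name__ == '__main__':
    alerts, suppressed = hunt(SAMPLE_EVENTS)
    print(f'{len(alerts)} alert(s), {len(suppressed)} suppressed')
    for ev in alerts:
        print('ALERT', ev['User'], ev['CommandLine'])
```

The sample set also shows two properties of the rule worth knowing when tuning: a reader not in the Image list (sed here) is never selected, while the substring match on " /etc/sudoers" also fires on /etc/sudoers.d/ entries and on backup copies such as /etc/sudoers.bak.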