Adversaries may create or modify sudoers files to gain persistent elevated privileges, allowing them to execute commands as root without further user interaction. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term access and privilege escalation within the environment.
Detection Rule
title: Persistence Via Sudoers Files
id: ddb26b76-4447-4807-871f-1b035b2bfa5d
status: test
description: Detects creation of the sudoers file or of files in the "sudoers.d" directory, which can be used as a potential method to persist privileges for a specific user.
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|startswith: '/etc/sudoers.d/'
    condition: selection
falsepositives:
    - Creation of legitimate files in the sudoers.d folder as part of administrator work
level: medium
imFileEvent
| where TargetFileName startswith "/etc/sudoers.d/"
Scenario: System administrator creates a new sudoers file for configuration management
Filter/Exclusion: Allow-list expected sudoers.d fragments, or files created by known configuration management tools like Ansible or Puppet (for example by matching the acting process or the service account they run as).
Scenario: Scheduled job uses sudo to run maintenance scripts
Filter/Exclusion: Filter by process names like cron, systemd-timedated, or scripts known to be part of scheduled maintenance tasks.
Scenario: Admin manually edits /etc/sudoers to grant temporary elevated permissions
Filter/Exclusion: Look for timestamps or user activity around known admin work hours, or filter by users with admin privileges (e.g., root, admin, sudo).
Scenario: Security tool or SIEM configuration uses sudo for logging or monitoring purposes
Filter/Exclusion: Exclude processes related to security tools like ossec, splunk, or logrotate that use sudo for logging or auditing.
Scenario: Automated backup or restore process uses sudo to access protected directories
Filter/Exclusion: Filter by process names like rsync, tar, or backup scripts, or check for known backup directories like /var/backups.
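The following Python script is an added example (not part of the Sigma rule, the Sentinel query, or any project on this page) that runs the rule's selection logic over constructed file-event records and then applies the kind of exclusions described in the scenarios above. The event fields (TargetFileName, ActingProcessName, ActorUsername), the allow-listed process names and the service account are assumptions made for the example. It also shows two edge cases a hunter should keep in mind: the `startswith "/etc/sudoers.d/"` selection deliberately does not match the main `/etc/sudoers` file that the third scenario talks about (an optional flag adds it), and the trailing slash prevents look-alike directories such as `/etc/sudoers.d.bak/` from matching.

```python
"""Hunt for sudoers.d file creation with allow-listing for known admin tooling.

Added example, not the Sigma rule's or Sentinel's own code. The event shape
and the allow-lists below are assumptions for the example.
"""
import os
from typing import Dict, Iterable, List, Optional

Event = Dict[str, str]

SUDOERS_DIR = "/etc/sudoers.d/"   # matches the rule's |startswith selection
MAIN_SUDOERS = "/etc/sudoers"     # not covered by the rule; optional below

# Assumed allow-lists for the "configuration management" scenario:
# process basenames that legitimately drop sudoers fragments, and a
# service account used by agentless tooling (Ansible runs as python3 over
# SSH, so matching its process name is unreliable; match the account instead).
ALLOWED_PROCESSES = {"puppet", "chef-client"}
ALLOWED_ACCOUNTS = {"svc-ansible"}

# Constructed sample events, loosely shaped like imFileEvent rows. Not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    {"TimeGenerated": "2024-05-01T09:12:03Z",
     "TargetFileName": "/etc/sudoers.d/puppet-managed",
     "ActingProcessName": "/opt/puppetlabs/puppet/bin/puppet", "ActorUsername": "root"},
    {"TimeGenerated": "2024-05-01T10:30:44Z",
     "TargetFileName": "/etc/sudoers.d/zz-deploy",
     "ActingProcessName": "/usr/bin/python3", "ActorUsername": "svc-ansible"},
    {"TimeGenerated": "2024-05-01T23:58:10Z",
     "TargetFileName": "/etc/sudoers.d/.backup",
     "ActingProcessName": "/usr/bin/vim", "ActorUsername": "webapp"},
    {"TimeGenerated": "2024-05-02T03:14:00Z",
     "TargetFileName": "/etc/sudoers.d/deployer",
     "ActingProcessName": "/bin/bash", "ActorUsername": "root"},
    {"TimeGenerated": "2024-05-02T08:00:00Z",
     "TargetFileName": "/etc/sudoers.d.bak/old-config",   # look-alike dir, no match
     "ActingProcessName": "/usr/bin/cp", "ActorUsername": "root"},
    {"TimeGenerated": "2024-05-02T08:05:00Z",
     "TargetFileName": "/etc/sudoers",                    # main file, optional
     "ActingProcessName": "/usr/bin/vim", "ActorUsername": "root"},
    {"TimeGenerated": "2024-05-02T08:10:00Z",
     "TargetFileName": "/etc/ssh/sshd_config",            # unrelated file
     "ActingProcessName": "/usr/bin/vim", "ActorUsername": "root"},
]


def matches_rule(event: Event, include_main_sudoers: bool = False) -> bool:
    """Mirror the Sigma selection: TargetFilename|startswith '/etc/sudoers.d/'.

    With include_main_sudoers=True the main /etc/sudoers file is matched too,
    which the published rule does not do.
    """
    target = event.get("TargetFileName", "")
    if target.startswith(SUDOERS_DIR):
        return True
    return include_main_sudoers and target == MAIN_SUDOERS


def exclusion_reason(event: Event) -> Optional[str]:
    """Return why an event is a known-good false positive, or None if it is not."""
    proc = os.path.basename(event.get("ActingProcessName", ""))
    if proc in ALLOWED_PROCESSES:
        return f"known configuration-management process: {proc}"
    account = event.get("ActorUsername", "")
    if account in ALLOWED_ACCOUNTS:
        return f"known automation account: {account}"
    return None


def hunt(events: Iterable[Event], include_main_sudoers: bool = False) -> List[Event]:
    """Apply the rule selection, then drop allow-listed events; return the alerts."""
    alerts: List[Event] = []
    for event in events:
        if not matches_rule(event, include_main_sudoers):
            continue
        if exclusion_reason(event) is not None:
            continue
        alerts.append(event)
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS, include_main_sudoers=True):
        print(f"{alert['TimeGenerated']} {alert['ActorUsername']:>10} "
              f"{alert['ActingProcessName']:<32} {alert['TargetFileName']}")
```

Running the script lists the three events that survive the exclusions (the hidden `.backup` fragment written by a non-admin account, the `deployer` fragment written from an interactive shell, and, because the flag is set, the edit of `/etc/sudoers`); everything a known tool or service account wrote is suppressed, and the `sudoers.d.bak` path never matches. When porting such exclusions back into the Sentinel query, keep the allow-list narrow and keyed on fields an attacker cannot trivially spoof from a low-privilege context, and review the suppressed events periodically so that a compromised automation account does not become a blind spot.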