Detectionmediumtest

Persistence Via Sudoers Files

Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Tue Jul 05Updated Sat Dec 31ddb26b76-4447-4807-871f-1b035b2bfa5dlinux

Log Source

LinuxFile Event

ProductLinux← raw: linux

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|startswith: '/etc/sudoers.d/'
    condition: selection

False Positives

Creation of legitimate files in sudoers.d folder part of administrator work

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

ddb26b76-4447-4807-871f-1b035b2bfa5d

Status

test

Level

medium

Type

Detection

Created

Tue Jul 05

Modified

Sat Dec 31

Author

Path

rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml

Raw Tags

attack.privilege-escalationattack.executionattack.persistenceattack.t1053.003