Detectionmediumtest
Persistence Via Sudoers.d Files
Detects the creation or modification of files within the "sudoers.d" directory on Linux systems. Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions. Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Jul 05Updated Wed Mar 18ddb26b76-4447-4807-871f-1b035b2bfa5dlinux
Log Source
LinuxFile Event
ProductLinux← raw: linux
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic2 selectors
detection:
selection:
TargetFilename|startswith: '/etc/sudoers.d/'
filter_main_dpkg:
Image|endswith: '/usr/bin/dpkg'
TargetFilename: '/etc/sudoers.d/README.dpkg-new'
condition: selection and not 1 of filter_main_*False Positives
Creation of legitimate files in sudoers.d folder as part of administrator work
References
MITRE ATT&CK
Rule Metadata
Rule ID
ddb26b76-4447-4807-871f-1b035b2bfa5d
Status
test
Level
medium
Type
Detection
Created
Tue Jul 05
Modified
Wed Mar 18
Path
rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1548.003