T1548.003

Sudo and Sudo Caching

Adversaries abuse sudo and sudo caching on Linux and macOS to execute commands with elevated privileges. Techniques include: modifying /etc/sudoers to grant NOPASSWD access, exploiting the sudo timestamp cache (default 15-minute window) to run commands without re-authentication, using 'sudo -n' to check if cached credentials exist, and exploiting sudoedit or sudo bypass vulnerabilities (CVE-2021-3156 Baron Samedit). ProtonB malware and various Linux post-exploitation frameworks abuse sudo for privilege escalation.

Microsoft Sentinel / Defender

kusto

// T1548.003 — Sudo and Sudo Caching abuse detection
// Requires Linux/macOS endpoints in Defender for Endpoint
// Part 1: Detect sudoers file modification
let SudoersModify = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName in~ ("sudoers") or FolderPath has "/etc/sudoers.d/"
| where ActionType in ("FileCreated", "FileModified")
| extend DetectionType = "Sudoers_File_Modified"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect sudo with NOPASSWD or ALL privilege grants
let SudoNOPASSWD = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("sudo", "visudo")
| where ProcessCommandLine has_any ("NOPASSWD", "ALL=(ALL", "ALL:ALL",
                                    "!authenticate", "sudoedit")
| extend DetectionType = "Sudo_Privilege_Grant"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, DetectionType;
// Part 3: Detect sudo timestamp cache abuse
let SudoCacheAbuse = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sudo"
| where ProcessCommandLine has_any ("-n", "--non-interactive", "-S", "--stdin")
    and ProcessCommandLine !has "apt" and ProcessCommandLine !has "yum"
| extend DetectionType = "Sudo_Cache_NonInteractive"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 4: Detect unauthorized processes running as root via sudo
let SudoRootExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where AccountName =~ "root"
| where InitiatingProcessFileName =~ "sudo"
| where FileName in~ ("bash", "sh", "zsh", "python", "python3", "perl", "ruby")
| extend DetectionType = "Sudo_Shell_Escalation"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, DetectionType;
union SudoersModify, SudoNOPASSWD, SudoCacheAbuse, SudoRootExec
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation File: File Modification Microsoft Defender for Endpoint (Linux/macOS)

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

System administrators legitimately editing sudoers to grant specific users limited sudo access
Package managers (apt, yum) using sudo -n or similar patterns during automated updates
Ansible, Chef, Puppet automation using sudo for system configuration management
CI/CD pipelines that use sudo for build/deployment tasks with documented NOPASSWD grants

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [file where event.action in ("creation", "overwrite", "rename") and
   (file.path : "/etc/sudoers" or file.path : "/etc/sudoers.d/*")]
  [process where event.type == "start" and
   process.name in ("bash", "sh", "zsh", "python", "python3", "perl", "ruby") and
   user.name == "root" and process.parent.name == "sudo"]
---
OR standalone detections:

sequence by host.name with maxspan=1m
  [process where event.type == "start" and
   process.name == "sudo" and
   process.args : ("-n", "--non-interactive", "-S", "--stdin") and
   not process.args : ("apt*", "yum*", "dnf*", "apt-get*")]
  [process where event.type == "start" and
   process.parent.name == "sudo" and user.name == "root" and
   process.name in ("bash", "sh", "zsh", "python", "python3", "perl", "ruby", "nc", "ncat")]

OR

process where event.type == "start" and
  process.name in ("sudo", "visudo") and
  process.args : ("NOPASSWD*", "ALL=(ALL*", "ALL:ALL*", "!authenticate", "sudoedit") or
  (
    process.name == "sudo" and
    process.args : ("-n", "--non-interactive", "-S", "--stdin") and
    not process.command_line : ("* apt *", "* yum *", "* dnf *", "* apt-get *")
  )

OR

file where event.action in ("creation", "overwrite", "rename") and
  (file.path == "/etc/sudoers" or file.path : "/etc/sudoers.d/*")

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat Filebeat (auditd module) Elastic Agent (System integration)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* auditbeat-* filebeat-*

False Positives

System administrators legitimately modifying /etc/sudoers via visudo during routine access control changes or onboarding new users
Automated configuration management tools (Ansible, Chef, Puppet, SaltStack) that modify sudoers files and run privileged commands non-interactively via sudo -n as part of their normal operation
CI/CD pipelines and build agents that use non-interactive sudo to perform deployment steps, package installation, or system configuration without human interaction
Package managers (apt, yum, dnf) invoking sudo non-interactively for automated updates and installations — these are excluded by the apt/yum filter but similar tools may trigger false positives

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  hostname,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS event_category,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  "Message",
  CASE
    WHEN "Message" IMATCHES '(?i).*path.*/etc/sudoers.*' AND
         "Message" IMATCHES '(?i).*(write|open|truncate|creat).*'
         THEN 'Sudoers_File_Modified'
    WHEN "Message" IMATCHES '(?i).*(NOPASSWD|ALL=\(ALL|!authenticate|sudoedit).*' AND
         "Message" IMATCHES '(?i).*(sudoers|visudo).*'
         THEN 'Sudo_NOPASSWD_Config'
    WHEN "Message" IMATCHES '(?i).*sudo.*COMMAND.*' AND
         "Message" IMATCHES '(?i).*(bash|/bin/sh|python|perl|ruby|/bin/\*).*' AND
         username = 'root'
         THEN 'Sudo_Shell_Escalation'
    WHEN "Message" IMATCHES '(?i).*sudo.*(-n|--non-interactive|-S|--stdin).*' AND
         NOT ("Message" IMATCHES '(?i).*(apt|yum|dnf|apt-get).*')
         THEN 'Sudo_Cache_NonInteractive'
    WHEN "Message" IMATCHES '(?i).*sudo.*authentication failure.*' AND
         "Message" IMATCHES '(?i).*(-n|--non-interactive).*'
         THEN 'Sudo_Failed_Cache_Check'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Universal DSM', 'Syslog')
  AND starttime > NOW() - 86400000
  AND (
    "Message" IMATCHES '(?i).*path.*/etc/sudoers.*'
    OR "Message" IMATCHES '(?i).*(NOPASSWD|sudoedit|visudo).*'
    OR ("Message" IMATCHES '(?i).*sudo.*COMMAND.*' AND username = 'root')
    OR ("Message" IMATCHES '(?i).*sudo.*(-n|--non-interactive|-S|--stdin).*'
        AND NOT "Message" IMATCHES '(?i).*(apt|yum|dnf).*')
    OR ("Message" IMATCHES '(?i).*sudo.*authentication failure.*'
        AND "Message" IMATCHES '(?i).*(-n|--non-interactive).*')
  )
  AND CASE
    WHEN "Message" IMATCHES '(?i).*path.*/etc/sudoers.*' AND
         "Message" IMATCHES '(?i).*(write|open|truncate|creat).*'
         THEN 'Sudoers_File_Modified'
    WHEN "Message" IMATCHES '(?i).*(NOPASSWD|ALL=\(ALL|!authenticate|sudoedit).*' AND
         "Message" IMATCHES '(?i).*(sudoers|visudo).*'
         THEN 'Sudo_NOPASSWD_Config'
    WHEN "Message" IMATCHES '(?i).*sudo.*COMMAND.*' AND
         "Message" IMATCHES '(?i).*(bash|/bin/sh|python|perl|ruby|/bin/\*).*' AND
         username = 'root'
         THEN 'Sudo_Shell_Escalation'
    WHEN "Message" IMATCHES '(?i).*sudo.*(-n|--non-interactive|-S|--stdin).*' AND
         NOT ("Message" IMATCHES '(?i).*(apt|yum|dnf|apt-get).*')
         THEN 'Sudo_Cache_NonInteractive'
    WHEN "Message" IMATCHES '(?i).*sudo.*authentication failure.*' AND
         "Message" IMATCHES '(?i).*(-n|--non-interactive).*'
         THEN 'Sudo_Failed_Cache_Check'
    ELSE 'Unknown'
  END != 'Unknown'
ORDER BY starttime DESC
LIMIT 1000

high severity medium confidence

Data Sources

Linux syslog (auth/secure) Auditd via Universal DSM Linux OS log source

Required Tables

events

False Positives

System administrators using visudo to manage access controls during routine change windows — the NOPASSWD configuration pattern will trigger on any legitimate sudoers edit containing these keywords
Ansible, Puppet, Chef, or SaltStack configuration management agents that routinely modify sudoers.d/ drop-ins to grant service accounts appropriate privilege and run commands non-interactively
DevOps pipelines that use sudo -n to verify privilege availability before attempting privileged operations, generating non-interactive sudo authentication attempts that appear identical to cache probing

Sumo Logic CSE

sql

(_sourceCategory="linux/secure" OR _sourceCategory="linux/syslog" OR _sourceCategory="linux/auditd" OR _sourceCategory="os/linux")
| where _raw matches /(?i)(sudo|sudoers|visudo)/
| parse regex field=_raw "(?P<sudo_user>[a-zA-Z0-9_\-\.]+)\s*:\s*TTY" nodrop
| parse regex field=_raw "COMMAND=(?P<sudo_command>[^\n]+)" nodrop
| parse regex field=_raw "user=(?P<exec_user>[a-zA-Z0-9_\-\.]+)" nodrop
| parse regex field=_raw "hostname=(?P<src_host>[a-zA-Z0-9_\-\.]+)" nodrop
| eval detection_type = if(
    _raw matches /(?i).*path.*\/etc\/sudoers.*/
    AND _raw matches /(?i).*(write|open|truncate|creat).*/,
    "Sudoers_File_Auditd_Write",
  if(
    _raw matches /(?i).*(NOPASSWD|ALL=\(ALL|!authenticate|sudoedit).*/
    AND _raw matches /(?i).*(sudoers|visudo).*/,
    "Sudo_NOPASSWD_Config",
  if(
    _raw matches /(?i).*sudo.*COMMAND.*/
    AND _raw matches /(?i).*(bash|sh|python|python3|perl|ruby|\/bin\/).*/
    AND _raw matches /(?i).*user=root.*/,
    "Sudo_Shell_Escalation",
  if(
    _raw matches /(?i).*sudo.*(-n|--non-interactive|-S|--stdin).*/
    AND NOT (_raw matches /(?i).*(apt|yum|dnf|apt-get).*/),
    "Sudo_Cache_NonInteractive",
  if(
    _raw matches /(?i).*sudo.*authentication failure.*(-n|--non-interactive).*/,
    "Sudo_Failed_Cache_Check",
    null
  )))))
| where !isNull(detection_type)
| fields _messageTime, _sourceHost, sudo_user, exec_user, sudo_command, detection_type, _raw
| sort by _messageTime desc

high severity high confidence

Data Sources

Linux /var/log/secure (auth) Linux /var/log/syslog Linux auditd via Sumo Installed Collector Sumo Logic CSE Normalized Events

Required Tables

_sourceCategory=linux/secure _sourceCategory=linux/syslog _sourceCategory=linux/auditd

False Positives

Automated patching systems (unattended-upgrades, yum-cron) that write sudoers.d/ drop-in files as part of package installation and post-install scripts
Container orchestration tooling (Docker, Kubernetes node agents, containerd shims) that invoke sudo non-interactively for namespace manipulation and cgroup management
Legitimate developer workflows on shared build servers where developers commonly sudo to a build user account using cached credentials, generating root shell escalation events that match the detection pattern

Google Chronicle / SecOps

yaral

rule sudo_caching_abuse_t1548_003 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects sudo and sudo caching abuse including sudoers modification, NOPASSWD grants, non-interactive cache abuse, and shell escalation via sudo on Linux/macOS endpoints"
    mitre_attack_technique = "T1548.003"
    mitre_attack_tactic = "Privilege Escalation"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-21"
    version = "1.0"

  events:
    (
      // Branch 1: Sudoers file modification
      (
        $e.metadata.event_type = "FILE_MODIFICATION" or
        $e.metadata.event_type = "FILE_CREATION"
      ) and
      (
        $e.target.file.full_path = "/etc/sudoers" or
        re.regex($e.target.file.full_path, `/etc/sudoers\.d/.*`)
      )
    ) or
    (
      // Branch 2: NOPASSWD/ALL privilege grants via sudo or visudo
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        $e.principal.process.file.full_path = "/usr/bin/sudo" or
        $e.principal.process.file.full_path = "/bin/sudo" or
        $e.principal.process.file.full_path = "/usr/sbin/visudo"
      ) and
      (
        re.regex($e.target.process.command_line, `(?i)(NOPASSWD|ALL=\(ALL|!authenticate|sudoedit)`)
      )
    ) or
    (
      // Branch 3: Non-interactive sudo cache abuse
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        $e.target.process.file.full_path = "/usr/bin/sudo" or
        $e.target.process.file.full_path = "/bin/sudo"
      ) and
      re.regex($e.target.process.command_line, `(?i)(\s-n\s|--non-interactive|-S\s|--stdin)`) and
      not re.regex($e.target.process.command_line, `(?i)(apt|yum|dnf|apt-get|brew)`)
    ) or
    (
      // Branch 4: Shell escalation — interpreter running as root via sudo parent
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      $e.principal.user.userid = "root" and
      (
        $e.principal.process.file.full_path = "/usr/bin/sudo" or
        $e.principal.process.file.full_path = "/bin/sudo"
      ) and
      re.regex($e.target.process.file.full_path, `(?i)/(bash|sh|zsh|fish|python[23]?|perl|ruby|lua)$`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM (Endpoint) Google Chronicle Forwarder (Linux) osquery via Chronicle Auditd via Chronicle Universal Forwarder

Required Tables

UDM Events (process, file) process_launch file_modification file_creation

False Positives

Infrastructure-as-code tooling (Ansible playbooks, Terraform provisioners, cloud-init scripts) that modify sudoers.d/ files during instance bootstrapping and provisioning, particularly in auto-scaling environments where this occurs frequently
Sudo-based privilege separation patterns used by web servers or application servers (e.g., Apache suEXEC, Django management commands) that routinely invoke Python or Perl scripts as root via sudo for specific operations
Administrative scripts run by SREs or sysadmins using sudo -n to check for cached credentials before attempting operations that require elevation — common in automation scripts that prefer non-interactive operation when a valid sudo session exists

CrowdStrike LogScale (CQL)

cql

// T1548.003 — Sudo and Sudo Caching Abuse Detection
// Branch 1: Sudoers file modification events
#event_simpleName=WriteFile
| TargetFileName=/\/etc\/sudoers(\.d\/.*)?$/
| eval DetectionType="Sudoers_File_Modified"
| table [@timestamp, ComputerName, UserName, TargetFileName, ImageFileName, CommandLine, DetectionType]

// Branch 2: NOPASSWD privilege grant via sudo or visudo
| union [
  #event_simpleName=ProcessRollup2
  | ImageFileName=/(sudo|visudo)$/
  | CommandLine=/(NOPASSWD|ALL=\(ALL|!authenticate|sudoedit)/i
  | eval DetectionType="Sudo_NOPASSWD_Config"
  | table [@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType]
]

// Branch 3: Non-interactive sudo indicating cache abuse
| union [
  #event_simpleName=ProcessRollup2
  | ImageFileName=/\/sudo$/
  | CommandLine=/( -n | --non-interactive | -S | --stdin )/i
  | CommandLine!=/apt|yum|dnf|apt-get/i
  | eval DetectionType="Sudo_Cache_NonInteractive"
  | table [@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType]
]

// Branch 4: Shell spawned as root via sudo parent
| union [
  #event_simpleName=ProcessRollup2
  | ParentBaseFileName=/^sudo$/
  | ImageFileName=/(bash|sh|zsh|fish|python[23]?|perl|ruby)$/
  | UserName=root
  | eval DetectionType="Sudo_Shell_Escalation"
  | table [@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType]
]

| sort @timestamp desc
| groupBy([ComputerName, UserName, DetectionType], function=[count(as=EventCount), collect([CommandLine, ImageFileName], multival=true, limit=10)])
| sort EventCount desc

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (Linux sensor) Falcon Insight XDR CrowdStrike Falcon LogScale (Humio)

Required Tables

ProcessRollup2 WriteFile SyntheticProcessRollup2

False Positives

Linux package managers invoked by automated update services (apt-get, yum, dnf) using sudo non-interactively during scheduled maintenance windows — partially mitigated by the apt/yum exclusion filter but wrapper scripts may bypass this
Configuration management agents (Puppet agent, Chef client, SaltStack minion) running as root or via sudo that spawn bash or Python subprocesses for module execution and resource enforcement as part of their standard operating model
Security tooling such as vulnerability scanners, CSPM agents, or EDR sensors that require root access and are commonly invoked via sudo by service accounts — these generate both file events and privileged process events that match detection patterns

Last updated: 2026-04-21 Research depth: deep

References (3)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1548.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1548Abuse Elevation Control Mechanism

Related Sub-techniques

T1548.001Setuid and Setgid T1548.002Bypass User Account Control T1548.004Elevated Execution with Prompt T1548.005Temporary Elevated Cloud Access T1548.006TCC Manipulation

Sudo and Sudo Caching

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Privilege Escalation

Popular Detections