T1548.003 Google Chronicle · YARA-L

Detect Sudo and Sudo Caching in Google Chronicle

Adversaries abuse sudo and sudo caching on Linux and macOS to execute commands with elevated privileges. Techniques include: modifying /etc/sudoers to grant NOPASSWD access, exploiting the sudo timestamp cache (default 15-minute window) to run commands without re-authentication, using 'sudo -n' to check if cached credentials exist, and exploiting sudoedit or sudo bypass vulnerabilities (CVE-2021-3156 Baron Samedit). ProtonB malware and various Linux post-exploitation frameworks abuse sudo for privilege escalation.

MITRE ATT&CK

Tactic: Privilege Escalation, Defense Evasion
Technique: T1548 Abuse Elevation Control Mechanism
Sub-technique: T1548.003 Sudo and Sudo Caching
Canonical reference: https://attack.mitre.org/techniques/T1548/003/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule sudo_caching_abuse_t1548_003 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects sudo and sudo caching abuse including sudoers modification, NOPASSWD grants, non-interactive cache abuse, and shell escalation via sudo on Linux/macOS endpoints"
    mitre_attack_technique = "T1548.003"
    mitre_attack_tactic = "Privilege Escalation"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-21"
    version = "1.0"

  events:
    (
      // Branch 1: Sudoers file modification
      (
        $e.metadata.event_type = "FILE_MODIFICATION" or
        $e.metadata.event_type = "FILE_CREATION"
      ) and
      (
        $e.target.file.full_path = "/etc/sudoers" or
        re.regex($e.target.file.full_path, `/etc/sudoers\.d/.*`)
      )
    ) or
    (
      // Branch 2: NOPASSWD/ALL privilege grants via sudo or visudo
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        $e.principal.process.file.full_path = "/usr/bin/sudo" or
        $e.principal.process.file.full_path = "/bin/sudo" or
        $e.principal.process.file.full_path = "/usr/sbin/visudo"
      ) and
      (
        re.regex($e.target.process.command_line, `(?i)(NOPASSWD|ALL=\(ALL|!authenticate|sudoedit)`)
      )
    ) or
    (
      // Branch 3: Non-interactive sudo cache abuse
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        $e.target.process.file.full_path = "/usr/bin/sudo" or
        $e.target.process.file.full_path = "/bin/sudo"
      ) and
      // Case-sensitive on purpose: under (?i) the stdin flag -S would also match
      // `sudo -s` (spawn a shell), which belongs to Branch 4, not cache probing.
      re.regex($e.target.process.command_line, `(\s-n(\s|$)|--non-interactive|-S(\s|$)|--stdin)`) and
      not re.regex($e.target.process.command_line, `(?i)(apt|yum|dnf|apt-get|brew)`)
    ) or
    (
      // Branch 4: Shell escalation — interpreter running as root via sudo parent
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      $e.principal.user.userid = "root" and
      (
        $e.principal.process.file.full_path = "/usr/bin/sudo" or
        $e.principal.process.file.full_path = "/bin/sudo"
      ) and
      re.regex($e.target.process.file.full_path, `(?i)/(bash|sh|zsh|fish|python[23]?|perl|ruby|lua)$`)
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting four distinct sudo abuse patterns on Linux/macOS endpoints: (1) direct modification of /etc/sudoers or drop-in files under /etc/sudoers.d/, (2) sudo or visudo invocations containing NOPASSWD or ALL privilege escalation strings, (3) non-interactive sudo execution with -n/--non-interactive/-S flags indicating timestamp cache probing (excluding package managers), and (4) shell interpreters (bash, python, perl, etc.) spawned as root with sudo as the initiating process.
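To exercise the four branches against sample telemetry before deploying the rule, the following added Python harness (not part of the df00tech rule or of Chronicle) mirrors the branch logic over constructed, flattened UDM-style event dicts; the field names (principal_path, target_path, command_line, principal_user, target_file) are assumptions of the harness, not UDM paths.

```python
import re

# Regexes mirrored from the rule. Branch 3 uses the case-sensitive form so that
# `sudo -s` (shell) is not mistaken for the stdin flag `-S`.
SUDOERS_D = re.compile(r"/etc/sudoers\.d/.*")
GRANT = re.compile(r"(?i)(NOPASSWD|ALL=\(ALL|!authenticate|sudoedit)")
NONINTERACTIVE = re.compile(r"(\s-n(\s|$)|--non-interactive|-S(\s|$)|--stdin)")
PKG_MANAGER = re.compile(r"(?i)(apt|yum|dnf|apt-get|brew)")
INTERPRETER = re.compile(r"(?i)/(bash|sh|zsh|fish|python[23]?|perl|ruby|lua)$")
SUDO_PATHS = {"/usr/bin/sudo", "/bin/sudo"}

def matched_branches(e):
    """Return the rule branches (1-4) that a flattened UDM-style event satisfies."""
    et = e.get("event_type")
    hits = []
    if et in ("FILE_MODIFICATION", "FILE_CREATION"):          # Branch 1
        path = e.get("target_file", "")
        if path == "/etc/sudoers" or SUDOERS_D.search(path):
            hits.append(1)
    if et == "PROCESS_LAUNCH":
        parent = e.get("principal_path", "")   # principal.process = parent
        child = e.get("target_path", "")       # target.process = launched process
        cmd = e.get("command_line", "")
        if parent in SUDO_PATHS | {"/usr/sbin/visudo"} and GRANT.search(cmd):
            hits.append(2)                                     # Branch 2
        if child in SUDO_PATHS and NONINTERACTIVE.search(cmd) and not PKG_MANAGER.search(cmd):
            hits.append(3)                                     # Branch 3
        if e.get("principal_user") == "root" and parent in SUDO_PATHS and INTERPRETER.search(child):
            hits.append(4)                                     # Branch 4
    return hits

# Constructed sample events (hypothetical telemetry, not captured data).
SAMPLE_EVENTS = [
    {"event_type": "FILE_CREATION", "target_file": "/etc/sudoers.d/90-cloud-init"},
    {"event_type": "PROCESS_LAUNCH", "principal_path": "/usr/bin/sudo", "target_path": "/usr/bin/bash",
     "command_line": "bash -c 'echo \"dev ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers'",
     "principal_user": "root"},
    {"event_type": "PROCESS_LAUNCH", "principal_path": "/usr/bin/bash", "target_path": "/usr/bin/sudo",
     "command_line": "sudo -n true", "principal_user": "dev"},
    {"event_type": "PROCESS_LAUNCH", "principal_path": "/usr/bin/bash", "target_path": "/usr/bin/sudo",
     "command_line": "sudo -n apt-get update", "principal_user": "dev"},   # tuned-out package manager
    {"event_type": "PROCESS_LAUNCH", "principal_path": "/usr/bin/bash", "target_path": "/usr/bin/sudo",
     "command_line": "sudo -s id", "principal_user": "dev"},               # -s must not hit Branch 3
]

def evaluate(events=SAMPLE_EVENTS):
    """Branch hits per sample event, in input order."""
    return [matched_branches(e) for e in events]
```

The second sample fires both Branch 2 (NOPASSWD in the child command line) and Branch 4 (bash launched as root under sudo), which is the overlap an analyst should expect when a sudoers grant is written through a sudo-spawned shell.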

Data Sources

  • Chronicle UDM (Endpoint)
  • Google Chronicle Forwarder (Linux)
  • osquery via Chronicle
  • Auditd via Chronicle Universal Forwarder

Required Tables

  • UDM Events (process, file)
  • process_launch
  • file_modification
  • file_creation

False Positives & Tuning

  • Infrastructure-as-code tooling (Ansible playbooks, Terraform provisioners, cloud-init scripts) that modify sudoers.d/ files during instance bootstrapping and provisioning, particularly in auto-scaling environments where this occurs frequently
  • Sudo-based privilege separation patterns used by web servers or application servers (e.g., Apache suEXEC, Django management commands) that routinely invoke Python or Perl scripts as root via sudo for specific operations
  • Administrative scripts run by SREs or sysadmins using sudo -n to check for cached credentials before attempting operations that require elevation — common in automation scripts that prefer non-interactive operation when a valid sudo session exists

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: List Current Sudo Privileges for Current User

    Expected signal: Syslog/auditd: sudo -l command executed by current user. Auth log entry for sudo invocation.

  2. Test 2: Add NOPASSWD Sudo Entry via sudoers.d

    Expected signal: Auditd: file write event on /etc/sudoers.d/df00tech-test. Auth log: sudo cp command. Process creation for cp with /etc/sudoers.d path.

  3. Test 3: Exploit Sudo Timestamp Cache

    Expected signal: Syslog/auditd: sudo -n command with NOPASSWD check. Auth log entry. If successful: sudo COMMAND=whoami entry.
