T1548.003 Elastic Security · Elastic

Detect Sudo and Sudo Caching in Elastic Security

Adversaries abuse sudo and sudo caching on Linux and macOS to execute commands with elevated privileges. Techniques include modifying /etc/sudoers to grant NOPASSWD access, exploiting the sudo timestamp cache (default 15-minute window) to run commands without re-authenticating, running 'sudo -n' to check whether cached credentials exist, and exploiting sudoedit or sudo bypass vulnerabilities (CVE-2021-3156, Baron Samedit). ProtonB malware and various Linux post-exploitation frameworks abuse sudo for privilege escalation.

MITRE ATT&CK

Tactic
Privilege Escalation, Defense Evasion
Technique
T1548 Abuse Elevation Control Mechanism
Sub-technique
T1548.003 Sudo and Sudo Caching
Canonical reference
https://attack.mitre.org/techniques/T1548/003/

Elastic Detection Query

Query language: EQL

sequence by host.name with maxspan=5m
  [file where event.action in ("creation", "overwrite", "rename") and
   (file.path : "/etc/sudoers" or file.path : "/etc/sudoers.d/*")]
  [process where event.type == "start" and
   process.name in ("bash", "sh", "zsh", "python", "python3", "perl", "ruby") and
   user.name == "root" and process.parent.name == "sudo"]
---
OR standalone detections:

sequence by host.name with maxspan=1m
  [process where event.type == "start" and
   process.name == "sudo" and
   process.args : ("-n", "--non-interactive", "-S", "--stdin") and
   not process.args : ("apt*", "yum*", "dnf*", "apt-get*")]
  [process where event.type == "start" and
   process.parent.name == "sudo" and user.name == "root" and
   process.name in ("bash", "sh", "zsh", "python", "python3", "perl", "ruby", "nc", "ncat")]

OR

process where event.type == "start" and
  (
    (
      process.name in ("sudo", "visudo") and
      process.args : ("NOPASSWD*", "ALL=(ALL*", "ALL:ALL*", "!authenticate", "sudoedit")
    ) or
    (
      process.name == "sudo" and
      process.args : ("-n", "--non-interactive", "-S", "--stdin") and
      not process.command_line : ("* apt *", "* yum *", "* dnf *", "* apt-get *")
    )
  )

OR

file where event.action in ("creation", "overwrite", "rename") and
  (file.path == "/etc/sudoers" or file.path : "/etc/sudoers.d/*")
Severity: high. Confidence: high.

Detects sudo and sudo caching abuse on Linux/macOS endpoints using Elastic EQL. Covers four detection branches: (1) sudoers file modification via file events, (2) sudo invocations carrying NOPASSWD/ALL privilege grants on the command line, (3) non-interactive sudo execution indicating timestamp cache abuse, and (4) shell escalation where bash/python/etc. spawn as root with sudo as the parent. The sequences correlate related events on the same host within short windows (5 minutes after a sudoers write, 1 minute after a non-interactive sudo) to reduce noise.
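The four branches above, re-implemented in Python over constructed sample events as an added example (not Elastic's code and not the rule itself): each predicate mirrors one EQL clause, sequence() approximates EQL's "sequence by host.name with maxspan", and the host name, user name, file path under /etc/sudoers.d and timestamps in SAMPLE_EVENTS are made up.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatch

SHELLS = {"bash", "sh", "zsh", "python", "python3", "perl", "ruby", "nc", "ncat"}
NONINTERACTIVE = {"-n", "--non-interactive", "-S", "--stdin"}
PKG_FILTER = ("apt*", "yum*", "dnf*", "apt-get*")  # same package-manager exclusion as the EQL
GRANT_PATTERNS = ("NOPASSWD*", "ALL=(ALL*", "ALL:ALL*", "!authenticate", "sudoedit")

def is_sudoers_write(e):  # branch (1): /etc/sudoers or /etc/sudoers.d/* created, overwritten or renamed
    return (e["kind"] == "file" and e["action"] in ("creation", "overwrite", "rename")
            and (e["path"] == "/etc/sudoers" or fnmatch(e["path"], "/etc/sudoers.d/*")))

def is_grant_arg(e):  # branch (2): privilege-grant strings on a sudo/visudo command line
    return (e["kind"] == "process" and e["name"] in ("sudo", "visudo")
            and any(fnmatch(a, p) for a in e["args"] for p in GRANT_PATTERNS))

def is_noninteractive_sudo(e):  # branch (3): sudo -n/-S (timestamp-cache probe), minus package managers
    return (e["kind"] == "process" and e["name"] == "sudo" and bool(NONINTERACTIVE & set(e["args"]))
            and not any(fnmatch(a, p) for a in e["args"] for p in PKG_FILTER))
def is_root_shell_from_sudo(e):  # branch (4): shell/interpreter running as root with sudo as parent
    return e["kind"] == "process" and e["user"] == "root" and e["parent"] == "sudo" and e["name"] in SHELLS

def sequence(events, first, second, maxspan):
    # EQL "sequence by host.name with maxspan": next same-host second-stage event within maxspan
    hits = []  # events must already be sorted by time
    for i, a in enumerate(events):
        if first(a):
            b = next((x for x in events[i + 1:] if x["host"] == a["host"] and second(x)), None)
            if b is not None and b["ts"] - a["ts"] <= maxspan:
                hits.append((a["ts"], b["ts"]))
    return hits

def detect(events):  # (rule_name, timestamp) alerts for the two standalone and two sequence rules
    events = sorted(events, key=lambda e: e["ts"])
    alerts = [("sudoers_modified", e["ts"]) for e in events if is_sudoers_write(e)]
    alerts += [("sudo_privilege_grant_args", e["ts"]) for e in events if is_grant_arg(e)]
    for name, first, minutes in (("sudoers_write_then_root_shell", is_sudoers_write, 5),
                                 ("noninteractive_sudo_then_root_shell", is_noninteractive_sudo, 1)):
        alerts += [(name, b) for _, b in sequence(events, first, is_root_shell_from_sudo, timedelta(minutes=minutes))]
    return alerts
T0 = datetime(2024, 1, 1, 12, 0, 0)
def ev(secs, **fields):  # constructed event on host "web01", `secs` seconds after T0
    return {"ts": T0 + timedelta(seconds=secs), "host": "web01", **fields}

SAMPLE_EVENTS = [  # constructed telemetry, not real logs: benign automation, then a sudoers drop and root shell
    ev(0, kind="process", name="sudo", user="deploy", parent="bash", args=["sudo", "-n", "apt-get", "install", "curl"]),
    ev(30, kind="file", action="creation", path="/etc/sudoers.d/deploy"),
    ev(40, kind="process", name="sudo", user="deploy", parent="bash", args=["sudo", "-n", "bash"]),
    ev(41, kind="process", name="bash", user="root", parent="sudo", args=["bash"]),
]
```

Running detect(SAMPLE_EVENTS) yields three alerts (the sudoers write, and both sequences ending at the root shell); the package-manager invocation at T0 is dropped by the same exclusion the EQL applies.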

Data Sources

  • Elastic Endpoint Security
  • Auditbeat
  • Filebeat (auditd module)
  • Elastic Agent (System integration)

Required Tables

  • logs-endpoint.events.process-*
  • logs-endpoint.events.file-*
  • auditbeat-*
  • filebeat-*

False Positives & Tuning

  • System administrators legitimately modifying /etc/sudoers via visudo during routine access control changes or onboarding new users
  • Automated configuration management tools (Ansible, Chef, Puppet, SaltStack) that modify sudoers files and run privileged commands non-interactively via sudo -n as part of their normal operation
  • CI/CD pipelines and build agents that use non-interactive sudo to perform deployment steps, package installation, or system configuration without human interaction
  • Package managers (apt, yum, dnf) invoking sudo non-interactively for automated updates and installations — these are excluded by the apt/yum filter but similar tools may trigger false positives
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: List Current Sudo Privileges for Current User

    Expected signal: Syslog/auditd: sudo -l command executed by current user. Auth log entry for sudo invocation.

  2. Test 2: Add NOPASSWD Sudo Entry via sudoers.d

    Expected signal: Auditd: file write event on /etc/sudoers.d/df00tech-test. Auth log: sudo cp command. Process creation for cp with /etc/sudoers.d path.

  3. Test 3: Exploit Sudo Timestamp Cache

    Expected signal: Syslog/auditd: sudo -n command with NOPASSWD check. Auth log entry. If successful: sudo COMMAND=whoami entry.
