Detect Sudo and Sudo Caching in CrowdStrike LogScale
Adversaries abuse sudo and its credential caching on Linux and macOS to run commands with elevated privileges. Techniques include: modifying /etc/sudoers (or a drop-in under /etc/sudoers.d/) to grant NOPASSWD access or to weaken caching via timestamp_timeout or tty_tickets; riding an existing timestamp cache (timestamp_timeout, 15 minutes by default) to run commands without re-authenticating; probing for a valid cache with sudo -n, which fails instead of prompting when a password would be required, so the attacker learns whether root is available without triggering a password prompt the user might notice; and exploiting sudoedit or sudo bypass vulnerabilities such as CVE-2021-3156 (Baron Samedit, a heap overflow in sudoedit argument handling). The Proton macOS malware and various Linux post-exploitation frameworks abuse sudo for privilege escalation.
MITRE ATT&CK
- Technique
- T1548 Abuse Elevation Control Mechanism
- Sub-technique
- T1548.003 Sudo and Sudo Caching
- Canonical reference
- https://attack.mitre.org/techniques/T1548/003/
LogScale Detection Query
// T1548.003 — Sudo and Sudo Caching Abuse Detection
// Each branch tags matching events with a DetectionType; events that match no branch are dropped by case.
#event_simpleName=/^(WriteFile|ProcessRollup2)$/
| case {
    // Branch 1: writes to /etc/sudoers or a drop-in under /etc/sudoers.d/
    #event_simpleName=WriteFile
      TargetFileName=/\/etc\/sudoers(\.d\/.*)?$/
    | DetectionType := "Sudoers_File_Modified";

    // Branch 2: sudo, visudo or sudoedit invoked with privilege-granting strings on its own command line
    // (catches e.g. sudo sh -c 'echo "user ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers';
    //  content piped through sudo tee never appears on the sudo command line)
    #event_simpleName=ProcessRollup2
      ImageFileName=/\/(sudo|visudo|sudoedit)$/
      CommandLine=/(NOPASSWD|ALL=\(ALL|!authenticate|sudoedit)/i
    | DetectionType := "Sudo_NOPASSWD_Config";

    // Branch 3: non-interactive sudo. -n/--non-interactive fails instead of prompting, so it is a
    // cheap probe for a valid timestamp cache; -S/--stdin reads the password from stdin (scripted auth).
    // Deliberately case-sensitive: -s (root shell) and -N (do not update timestamp) are different flags.
    #event_simpleName=ProcessRollup2
      ImageFileName=/\/sudo$/
      CommandLine=/\s(-n|--non-interactive|-S|--stdin)(\s|$)/
      CommandLine!=/\b(apt|apt-get|yum|dnf)\b/
    | DetectionType := "Sudo_Cache_NonInteractive";

    // Branch 4: shell or interpreter running as root with sudo as the parent process
    #event_simpleName=ProcessRollup2
      ParentBaseFileName=sudo
      UserName=root
      ImageFileName=/\/(bash|sh|zsh|fish|python[23]?|perl|ruby)$/
    | DetectionType := "Sudo_Shell_Escalation";
  }
| groupBy([ComputerName, UserName, DetectionType],
    function=[count(as=EventCount), min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen),
              collect([CommandLine, ImageFileName, TargetFileName], limit=10)])
| sort(EventCount, order=desc)
CrowdStrike LogScale (Falcon) CQL detection for T1548.003 sudo abuse across four branches: file-write events targeting /etc/sudoers or /etc/sudoers.d/, sudo/visudo/sudoedit invocations carrying NOPASSWD or ALL=(ALL privilege strings, non-interactive sudo execution with -n/--non-interactive/-S/--stdin excluding package managers, and shell interpreters spawning as root with sudo as the parent process. Results are grouped by host, user and detection type with event counts, first/last seen and up to ten collected command lines for analyst triage; for event-level review replace the groupBy with table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, TargetFileName, DetectionType]). Branch 1 depends on the sensor emitting file-write telemetry for the sudoers paths, so confirm the WriteFile event is present for your Linux and macOS sensor versions before relying on it; Branch 3 is intentionally case-sensitive, because a case-insensitive match would also fire on sudo -s, which is an ordinary interactive root shell.
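As an added example (not CrowdStrike code and not part of the original query), the four branch rules re-implemented in Python over constructed Falcon-style events, so the matching logic, the package-manager exclusion and the -S versus -s distinction can be unit-tested before the query is deployed. Field names (event_simpleName, ImageFileName, CommandLine, ParentBaseFileName, UserName, TargetFileName, ComputerName) follow the query; the sample events, hostnames and usernames are constructed, not captured telemetry.

```python
"""Reference implementation of the T1548.003 detection branches.

Added example, not CrowdStrike code. Events are plain dicts using the
Falcon field names from the LogScale query; SAMPLE_EVENTS is constructed.
"""
import re

SUDOERS_PATH = re.compile(r"/etc/sudoers(\.d/.*)?$")
PRIV_GRANT = re.compile(r"(NOPASSWD|ALL=\(ALL|!authenticate|sudoedit)", re.I)
# Case-sensitive on purpose: a case-insensitive match would also hit
# 'sudo -s' (interactive root shell) and 'sudo -N' (do not update timestamp).
NON_INTERACTIVE = re.compile(r"\s(-n|--non-interactive|-S|--stdin)(\s|$)")
PKG_MANAGER = re.compile(r"\b(apt|apt-get|yum|dnf)\b")
INTERPRETER = re.compile(r"/(bash|sh|zsh|fish|python[23]?|perl|ruby)$")
SUDO_BINARY = re.compile(r"/(sudo|visudo|sudoedit)$")


def classify(ev):
    """Return the DetectionType for one event, or None if no branch matches."""
    name = ev.get("event_simpleName")
    image = ev.get("ImageFileName", "")
    cmd = ev.get("CommandLine", "")
    # Branch 1: write to /etc/sudoers or /etc/sudoers.d/*
    if name == "WriteFile" and SUDOERS_PATH.search(ev.get("TargetFileName", "")):
        return "Sudoers_File_Modified"
    if name != "ProcessRollup2":
        return None
    # Branch 2: sudo/visudo/sudoedit with a privilege-granting string on its command line
    if SUDO_BINARY.search(image) and PRIV_GRANT.search(cmd):
        return "Sudo_NOPASSWD_Config"
    # Branch 3: non-interactive sudo, excluding package managers
    if image.endswith("/sudo") and NON_INTERACTIVE.search(cmd) and not PKG_MANAGER.search(cmd):
        return "Sudo_Cache_NonInteractive"
    # Branch 4: shell/interpreter as root under a sudo parent
    if (ev.get("ParentBaseFileName") == "sudo" and ev.get("UserName") == "root"
            and INTERPRETER.search(image)):
        return "Sudo_Shell_Escalation"
    return None


def summarize(events):
    """groupBy([ComputerName, UserName, DetectionType]) with an event count and
    up to 10 collected command lines, mirroring the query's final stage."""
    out = {}
    for ev in events:
        dt = classify(ev)
        if dt is None:
            continue
        key = (ev.get("ComputerName"), ev.get("UserName"), dt)
        entry = out.setdefault(key, {"EventCount": 0, "CommandLine": []})
        entry["EventCount"] += 1
        if len(entry["CommandLine"]) < 10:
            entry["CommandLine"].append(ev.get("CommandLine", ev.get("TargetFileName", "")))
    return out


# Constructed sample telemetry (hostnames, users and command lines are made up).
SAMPLE_EVENTS = [
    {"event_simpleName": "WriteFile", "ComputerName": "web01", "UserName": "root",
     "TargetFileName": "/etc/sudoers.d/df00tech-test", "ImageFileName": "/usr/bin/cp",
     "CommandLine": "cp /tmp/s /etc/sudoers.d/df00tech-test"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "web01", "UserName": "alice",
     "ImageFileName": "/usr/bin/sudo", "ParentBaseFileName": "bash",
     "CommandLine": "sudo sh -c 'echo \"alice ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers'"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "web01", "UserName": "alice",
     "ImageFileName": "/usr/bin/sudo", "ParentBaseFileName": "bash",
     "CommandLine": "sudo -n whoami"},
    # Package manager under non-interactive sudo: suppressed by the tuning filter.
    {"event_simpleName": "ProcessRollup2", "ComputerName": "web01", "UserName": "svc-patch",
     "ImageFileName": "/usr/bin/sudo", "ParentBaseFileName": "sh",
     "CommandLine": "sudo -n apt-get -y upgrade"},
    # 'sudo -s' is an interactive root shell, not -S: must not hit Branch 3.
    {"event_simpleName": "ProcessRollup2", "ComputerName": "web01", "UserName": "alice",
     "ImageFileName": "/usr/bin/sudo", "ParentBaseFileName": "bash",
     "CommandLine": "sudo -s"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "web01", "UserName": "root",
     "ImageFileName": "/bin/bash", "ParentBaseFileName": "sudo",
     "CommandLine": "bash"},
]

if __name__ == "__main__":
    rows = sorted(summarize(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["EventCount"])
    for (host, user, dt), v in rows:
        print(host, user, dt, v["EventCount"], v["CommandLine"])
```

The fifth sample event is the tuning point worth keeping in a unit test: with a case-insensitive flag match, sudo -s would be reported as cache abuse on every host where administrators open root shells, burying the genuine sudo -n probes.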
Data Sources
Required Tables
- Falcon sensor telemetry in LogScale from Linux and macOS hosts: ProcessRollup2 (process execution; fields ImageFileName, CommandLine, ParentBaseFileName, UserName, ComputerName) and WriteFile (file modification; field TargetFileName).
False Positives & Tuning
- Linux package managers invoked by automated update services (apt-get, yum, dnf) using sudo non-interactively during scheduled maintenance windows; the package-manager exclusion only covers command lines that name the package manager directly, so a wrapper script (sudo -n /usr/local/bin/patch.sh, for example) still fires and is better allowlisted by service account or ParentBaseFileName
- Configuration management agents (Puppet agent, Chef client, SaltStack minion) running as root or via sudo that spawn bash or Python subprocesses for module execution and resource enforcement as part of their standard operating model
- Security tooling such as vulnerability scanners, CSPM agents, or EDR sensors that require root access and are commonly invoked via sudo by service accounts — these generate both file events and privileged process events that match detection patterns
Testing Methodology
Validate this detection against the 3 Atomic Red Team style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see, together with the query branch it should trigger.
- Test 1: List Current Sudo Privileges for Current User
Expected signal: syslog/auditd and auth log entries for sudo -l executed by the current user. This test exercises no branch of the query (no sudoers write, no privilege-grant string, no -n/-S flag, no root shell), so it confirms that sudo telemetry is flowing rather than the detection itself.
- Test 2: Add NOPASSWD Sudo Entry via sudoers.d
Expected signal: auditd file write event on /etc/sudoers.d/df00tech-test; auth log entry for the sudo cp command; process creation for cp with the /etc/sudoers.d path. Query: Branch 1 (Sudoers_File_Modified) on the file-write event. Branch 2 fires only if the NOPASSWD string is on the sudo command line itself, not when it sits inside the copied file.
- Test 3: Exploit Sudo Timestamp Cache
Expected signal: auth log entry for sudo -n whoami. With a valid cached timestamp the command runs and the log shows COMMAND=whoami; without one sudo exits non-zero with "a password is required" and never prompts. Query: Branch 3 (Sudo_Cache_NonInteractive) in both cases, since the detection keys on the flag rather than on success.