
Detect Sudo and Sudo Caching in IBM QRadar

Adversaries abuse sudo and sudo caching on Linux and macOS to execute commands with elevated privileges. Techniques include: modifying /etc/sudoers to grant NOPASSWD access, exploiting the sudo timestamp cache (default 15-minute window) to run commands without re-authentication, using 'sudo -n' to check if cached credentials exist, and exploiting sudoedit or sudo bypass vulnerabilities (CVE-2021-3156 Baron Samedit). ProtonB malware and various Linux post-exploitation frameworks abuse sudo for privilege escalation.

MITRE ATT&CK

  • Tactic: Privilege Escalation, Defense Evasion
  • Technique: T1548 Abuse Elevation Control Mechanism
  • Sub-technique: T1548.003 Sudo and Sudo Caching
  • Canonical reference: https://attack.mitre.org/techniques/T1548/003/

QRadar Detection Query (AQL)

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  hostname,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS event_category,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  "Message",
  CASE
    WHEN "Message" IMATCHES '(?i).*path.*/etc/sudoers.*' AND
         "Message" IMATCHES '(?i).*(write|open|truncate|creat).*'
         THEN 'Sudoers_File_Modified'
    WHEN "Message" IMATCHES '(?i).*(NOPASSWD|ALL=\(ALL|!authenticate|sudoedit).*' AND
         "Message" IMATCHES '(?i).*(sudoers|visudo).*'
         THEN 'Sudo_NOPASSWD_Config'
    WHEN "Message" IMATCHES '(?i).*sudo.*COMMAND.*' AND
         "Message" IMATCHES '(?i).*(bash|/bin/sh|python|perl|ruby|/bin/\*).*' AND
         username = 'root'
         THEN 'Sudo_Shell_Escalation'
    WHEN "Message" IMATCHES '(?i).*sudo.*authentication failure.*' AND
         "Message" IMATCHES '(?i).*(-n|--non-interactive).*'
         THEN 'Sudo_Failed_Cache_Check'
    WHEN "Message" IMATCHES '(?i).*sudo.*(-n|--non-interactive|-S|--stdin).*' AND
         NOT ("Message" IMATCHES '(?i).*(apt|yum|dnf|apt-get).*')
         THEN 'Sudo_Cache_NonInteractive'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Universal DSM', 'Syslog')
  AND starttime > NOW() - 86400000
  AND (
    "Message" IMATCHES '(?i).*path.*/etc/sudoers.*'
    OR "Message" IMATCHES '(?i).*(NOPASSWD|sudoedit|visudo).*'
    OR ("Message" IMATCHES '(?i).*sudo.*COMMAND.*' AND username = 'root')
    OR ("Message" IMATCHES '(?i).*sudo.*(-n|--non-interactive|-S|--stdin).*'
        AND NOT "Message" IMATCHES '(?i).*(apt|yum|dnf).*')
    OR ("Message" IMATCHES '(?i).*sudo.*authentication failure.*'
        AND "Message" IMATCHES '(?i).*(-n|--non-interactive).*')
  )
  AND CASE
    WHEN "Message" IMATCHES '(?i).*path.*/etc/sudoers.*' AND
         "Message" IMATCHES '(?i).*(write|open|truncate|creat).*'
         THEN 'Sudoers_File_Modified'
    WHEN "Message" IMATCHES '(?i).*(NOPASSWD|ALL=\(ALL|!authenticate|sudoedit).*' AND
         "Message" IMATCHES '(?i).*(sudoers|visudo).*'
         THEN 'Sudo_NOPASSWD_Config'
    WHEN "Message" IMATCHES '(?i).*sudo.*COMMAND.*' AND
         "Message" IMATCHES '(?i).*(bash|/bin/sh|python|perl|ruby|/bin/\*).*' AND
         username = 'root'
         THEN 'Sudo_Shell_Escalation'
    WHEN "Message" IMATCHES '(?i).*sudo.*authentication failure.*' AND
         "Message" IMATCHES '(?i).*(-n|--non-interactive).*'
         THEN 'Sudo_Failed_Cache_Check'
    WHEN "Message" IMATCHES '(?i).*sudo.*(-n|--non-interactive|-S|--stdin).*' AND
         NOT ("Message" IMATCHES '(?i).*(apt|yum|dnf|apt-get).*')
         THEN 'Sudo_Cache_NonInteractive'
    ELSE 'Unknown'
  END != 'Unknown'
ORDER BY starttime DESC
LIMIT 1000
Severity: high. Confidence: medium.

QRadar AQL query detecting sudo and sudo caching abuse across Linux endpoints via syslog and auditd log sources. Classifies events into five detection types: sudoers file writes (auditd syscall path events), NOPASSWD/sudoedit configuration changes, shell escalation (root commands via sudo), non-interactive cache abuse (-n/--non-interactive flags), and failed cache authentication checks. Filters are applied to exclude legitimate package manager invocations.

Data Sources

  • Linux syslog (auth/secure)
  • Auditd via Universal DSM
  • Linux OS log source

Required Tables

events

False Positives & Tuning

  • System administrators using visudo to manage access controls during routine change windows — the NOPASSWD configuration pattern will trigger on any legitimate sudoers edit containing these keywords
  • Ansible, Puppet, Chef, or SaltStack configuration management agents that routinely modify sudoers.d/ drop-ins to grant service accounts appropriate privilege and run commands non-interactively
  • DevOps pipelines that use sudo -n to verify privilege availability before attempting privileged operations, generating non-interactive sudo authentication attempts that appear identical to cache probing
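The classification logic of the AQL query above and the tuning cases in this list can be checked offline before the rule goes live. The Python below is an added example, not the page's own code and not IBM's: it mirrors the query's five IMATCHES branches with re.I regexes, runs them over constructed syslog and auditd lines (including the Test 2 drop-in path and the Test 3 cache probe from the testing section), and adds a hypothetical allowlist of configuration-management accounts as one way to mark the expected Ansible/Puppet/Chef/SaltStack hits as suppressed. The message texts, the account names and the assumption that the query's "Message" column carries the raw payload are all constructed for this example. The failed-check rule is evaluated before the non-interactive rule; with the opposite order, the bare "-n" alternative of the non-interactive rule claims every failed-check message first, which the PAGE_ORDER variant shows.

```python
import re

# Added example (not from the page's author): the five CASE branches of the
# QRadar AQL query re-expressed as Python regexes so the classification can be
# exercised offline. re.I stands in for IMATCHES, and search() for the leading
# and trailing .* of each AQL pattern.
# Each rule: (label, patterns that must all match, patterns that must not match,
#             whether the query also requires username = 'root').
RULES = [
    ("Sudoers_File_Modified",
     [r"path.*/etc/sudoers", r"write|open|truncate|creat"], [], False),
    ("Sudo_NOPASSWD_Config",
     [r"NOPASSWD|ALL=\(ALL|!authenticate|sudoedit", r"sudoers|visudo"], [], False),
    ("Sudo_Shell_Escalation",
     [r"sudo.*COMMAND", r"bash|/bin/sh|python|perl|ruby|/bin/\*"], [], True),
    # Evaluated before the non-interactive rule: its bare "-n" alternative would
    # otherwise match every failed-check message first and shadow this label.
    ("Sudo_Failed_Cache_Check",
     [r"sudo.*authentication failure", r"-n|--non-interactive"], [], False),
    ("Sudo_Cache_NonInteractive",
     [r"sudo.*(-n|--non-interactive|-S|--stdin)"], [r"apt|yum|dnf|apt-get"], False),
]
# The same rules with the non-interactive branch ahead of the failed-check branch.
PAGE_ORDER = RULES[:3] + [RULES[4], RULES[3]]


def classify(message, username, rules=RULES):
    """Return the detection_type the CASE expression would assign, or 'Unknown'."""
    for label, required, excluded, needs_root in rules:
        if needs_root and username != "root":
            continue
        if all(re.search(p, message, re.I) for p in required) and \
                not any(re.search(p, message, re.I) for p in excluded):
            return label
    return "Unknown"


# Tuning layer for the false-positive list (assumption: these account names are
# the site's configuration-management identities; they are not from the page).
AUTOMATION_ACCOUNTS = {"ansible", "puppet", "chef", "salt"}
TUNABLE = {"Sudo_NOPASSWD_Config", "Sudo_Cache_NonInteractive"}


def triage(message, username, allowlist=AUTOMATION_ACCOUNTS):
    """Classify, then flag config-management hits as suppressed: (label, suppressed)."""
    label = classify(message, username)
    return label, (label in TUNABLE and username in allowlist)


# Constructed sample messages (the "Message" column is assumed to hold the raw
# syslog/auditd payload); none of these are real captures.
SAMPLES = [
    # auditd PATH record for the Test 2 drop-in; "write" comes from the audit key
    ("alice", 'type=PATH msg=audit(1700000000.101:9001): item=0 name="/etc/sudoers.d/df00tech-test" '
              'inode=131 dev=fd:01 mode=0100440 ouid=0 ogid=0 nametype=CREATE key="sudoers_write"'),
    # auditd EXECVE of sudoedit on a sudoers drop-in
    ("alice", 'type=EXECVE msg=audit(1700000000.102:9002): argc=2 a0="sudoedit" a1="/etc/sudoers.d/deploy"'),
    # auth.log root shell via sudo, once with username = root and once with the invoking user
    ("root", "sudo:  devops : TTY=pts/1 ; PWD=/home/devops ; USER=root ; COMMAND=/bin/bash"),
    ("devops", "sudo:  devops : TTY=pts/1 ; PWD=/home/devops ; USER=root ; COMMAND=/bin/bash"),
    # auditd EXECVE cache probe (Test 3) from a human account and from an automation account
    ("bob", 'type=EXECVE msg=audit(1700000000.103:9003): argc=3 a0="sudo" a1="-n" a2="/bin/true"'),
    ("ansible", 'type=EXECVE msg=audit(1700000000.103:9004): argc=3 a0="sudo" a1="-n" a2="/bin/true"'),
    # package manager under sudo -n is excluded by the query
    ("bob", 'type=EXECVE msg=audit(1700000000.104:9005): argc=5 a0="sudo" a1="-n" a2="apt-get" a3="install" a4="jq"'),
    # auth.log: "-name" satisfies the bare "-n" alternative, a false positive of the pattern
    ("alice", "sudo:  alice : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/find / -name core"),
    # constructed composite: PAM failure with the invoking argv appended (a plain PAM line carries no "-n")
    ("bob", "sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 euid=0 "
            "tty=/dev/pts/0 ruser=bob rhost=  user=bob ; argv=sudo -n /usr/bin/id"),
]


def run(samples=SAMPLES):
    """Classify every sample; returns a list of (username, label, suppressed)."""
    return [(user, *triage(msg, user)) for user, msg in samples]


if __name__ == "__main__":
    for user, label, suppressed in run():
        print(f"{user:8} {label:26} {'suppressed' if suppressed else ''}")
```

Two of the sample lines matter for tuning: the `find / -name core` invocation is labelled Sudo_Cache_NonInteractive because "-n" matches inside "-name", and the same root shell line is Unknown when the username column holds the invoking user rather than root, so the Sudo_Shell_Escalation branch depends on how the DSM populates username. The composite PAM sample exists only to show the ordering interaction between the two cache rules; a standard PAM failure line does not contain the flag.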

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: List Current Sudo Privileges for Current User

    Expected signal: Syslog/auditd: sudo -l command executed by current user. Auth log entry for sudo invocation.

  2. Test 2: Add NOPASSWD Sudo Entry via sudoers.d

    Expected signal: Auditd: file write event on /etc/sudoers.d/df00tech-test. Auth log: sudo cp command. Process creation for cp with /etc/sudoers.d path.

  3. Test 3: Exploit Sudo Timestamp Cache

    Expected signal: Syslog/auditd: sudo -n command with NOPASSWD check. Auth log entry. If successful: sudo COMMAND=whoami entry.
