T1548.003 Microsoft Sentinel · KQL

Detect Sudo and Sudo Caching in Microsoft Sentinel

Adversaries abuse sudo and sudo caching on Linux and macOS to execute commands with elevated privileges. Techniques include modifying /etc/sudoers to grant NOPASSWD access, reusing the sudo timestamp cache (15-minute window by default) to run commands without re-authenticating, running 'sudo -n' to test whether cached credentials exist without triggering a password prompt, and exploiting sudoedit or other sudo bypass vulnerabilities such as CVE-2021-3156 (Baron Samedit). ProtonB malware and various Linux post-exploitation frameworks abuse sudo for privilege escalation.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion
Technique
T1548 Abuse Elevation Control Mechanism
Sub-technique
T1548.003 Sudo and Sudo Caching
Canonical reference
https://attack.mitre.org/techniques/T1548/003/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// T1548.003 — Sudo and Sudo Caching abuse detection
// Requires Linux/macOS endpoints in Defender for Endpoint
// Part 1: Detect sudoers file modification
let SudoersModify = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName in~ ("sudoers") or FolderPath has "/etc/sudoers.d/"
| where ActionType in ("FileCreated", "FileModified")
| extend DetectionType = "Sudoers_File_Modified"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect sudo with NOPASSWD or ALL privilege grants
// sudoedit is reported under its own executable name, so match it by FileName as well
let SudoNOPASSWD = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("sudo", "visudo", "sudoedit")
| where ProcessCommandLine has_any ("NOPASSWD", "ALL=(ALL", "ALL:ALL",
                                    "!authenticate", "sudoedit")
| extend DetectionType = "Sudo_Privilege_Grant"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, DetectionType;
// Part 3: Detect sudo timestamp cache abuse
// Case-sensitive whole-token match on the flags: `has_any` is case-insensitive, so
// "-S" (read password from stdin) would otherwise also fire on "sudo -s" (open a shell)
let SudoCacheAbuse = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sudo"
| where ProcessCommandLine matches regex @"(^|\s)(-n|--non-interactive|-S|--stdin)(\s|$)"
    and ProcessCommandLine !has "apt" and ProcessCommandLine !has "yum"
| extend DetectionType = "Sudo_Cache_NonInteractive"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 4: Detect unauthorized processes running as root via sudo
let SudoRootExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where AccountName =~ "root"
| where InitiatingProcessFileName =~ "sudo"
| where FileName in~ ("bash", "sh", "zsh", "python", "python3", "perl", "ruby")
| extend DetectionType = "Sudo_Shell_Escalation"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, DetectionType;
union SudoersModify, SudoNOPASSWD, SudoCacheAbuse, SudoRootExec
| sort by Timestamp desc
```

Severity: High · Confidence: Medium

Four-part sudo abuse detection. Part 1 monitors /etc/sudoers and /etc/sudoers.d/ for unauthorized modifications. Part 2 detects visudo, sudo or sudoedit command lines carrying privilege-granting patterns (NOPASSWD, ALL). Part 3 catches non-interactive sudo invocations (sudo -n, or -S/--stdin password feeding) that rely on cached credentials, excluding package-manager runs. Part 4 detects shells or interpreters spawned as root with sudo as the parent process, indicating successful escalation.
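To check the four filters and the tuning allowlist before deploying the query, the following Python mirrors the logic of the four parts over a handful of constructed DeviceProcessEvents/DeviceFileEvents-style records. This is an added example, not the page's query or any Microsoft code; the record fields, hosts, accounts and command lines are hypothetical, and Kusto's term-based `has` is approximated with a whole-word regex. The sudo flags are matched as case-sensitive whole tokens so that `sudo -s` is not mistaken for `sudo -S`.

```python
"""Offline model of the four-part T1548.003 sudo detection (added example)."""
import re
from dataclasses import dataclass

# Part 3 token match. Case-sensitive on purpose: a case-insensitive match on
# "-S" (read password from stdin) would also fire on "sudo -s" (open a shell).
SUDO_CACHE_FLAGS = re.compile(r"(^|\s)(-n|--non-interactive|-S|--stdin)(\s|$)")
# Kusto `has` is term-based, so the package-manager exclusion is modelled as a
# whole-word match ("apt-get" and "yum" are excluded, "adapt" is not).
PKG_MANAGERS = re.compile(r"\b(apt|yum)\b", re.IGNORECASE)
PRIV_GRANT_TERMS = ("nopasswd", "all=(all", "all:all", "!authenticate", "sudoedit")
SHELLS = {"bash", "sh", "zsh", "python", "python3", "perl", "ruby"}


@dataclass
class ProcessEvent:            # subset of DeviceProcessEvents columns (hypothetical)
    device: str
    account: str
    file_name: str
    cmdline: str
    parent_file_name: str


@dataclass
class FileEvent:               # subset of DeviceFileEvents columns (hypothetical)
    device: str
    account: str
    file_name: str
    folder_path: str
    action: str
    parent_file_name: str


def detect(process_events, file_events, automation_parents=()):
    """Return (DetectionType, device, account, evidence) tuples.

    automation_parents lists initiating process names (e.g. a configuration
    management agent) whose sudo use is documented; their process events are
    suppressed, which is the tuning knob for the false positives listed on
    the page. File events are never suppressed.
    """
    hits = []
    # Part 1: /etc/sudoers or anything under /etc/sudoers.d/ created or modified
    for e in file_events:
        if (e.file_name.lower() == "sudoers" or "/etc/sudoers.d/" in e.folder_path) \
                and e.action in ("FileCreated", "FileModified"):
            hits.append(("Sudoers_File_Modified", e.device, e.account,
                         e.folder_path + e.file_name))
    for e in process_events:
        if e.parent_file_name in automation_parents:
            continue
        name = e.file_name.lower()
        low = e.cmdline.lower()
        # Part 2: sudo/visudo/sudoedit command lines carrying privilege-grant text
        if name in ("sudo", "visudo", "sudoedit") and any(t in low for t in PRIV_GRANT_TERMS):
            hits.append(("Sudo_Privilege_Grant", e.device, e.account, e.cmdline))
        # Part 3: non-interactive / stdin-password sudo, package managers excluded
        if name == "sudo" and SUDO_CACHE_FLAGS.search(e.cmdline) \
                and not PKG_MANAGERS.search(e.cmdline):
            hits.append(("Sudo_Cache_NonInteractive", e.device, e.account, e.cmdline))
        # Part 4: shell or interpreter running as root with sudo as its parent
        if e.account.lower() == "root" and e.parent_file_name.lower() == "sudo" \
                and name in SHELLS:
            hits.append(("Sudo_Shell_Escalation", e.device, e.account, e.cmdline))
    return hits


# Constructed sample telemetry (hypothetical hosts, users and command lines).
SAMPLE_FILE_EVENTS = [
    FileEvent("web01", "alice", "90-backup", "/etc/sudoers.d/", "FileCreated", "tee"),
]
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("web01", "alice", "sudo",
                 "sudo sh -c \"echo 'alice ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers\"", "bash"),
    ProcessEvent("web01", "alice", "sudo", "sudo -n whoami", "bash"),      # cache probe
    ProcessEvent("web01", "alice", "sudo", "sudo -s", "bash"),             # shell, not -S
    ProcessEvent("web02", "root", "sudo", "sudo -n apt-get update", "unattended-upgrade"),
    ProcessEvent("web01", "root", "bash", "bash -i", "sudo"),              # root shell via sudo
    ProcessEvent("db01", "deploy", "sudo", "sudo -n true", "ansible"),     # documented automation
]


def run_sample(automation_parents=("ansible",)):
    """Run the detector over the constructed sample with the given allowlist."""
    return detect(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS, automation_parents)


if __name__ == "__main__":
    for hit in run_sample():
        print(*hit, sep=" | ")
```

With the default allowlist the sample yields one hit per part; dropping the allowlist (`run_sample(())`) adds the Ansible-driven `sudo -n true`, which is the kind of event the tuning section says to suppress rather than alert on.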

Data Sources

  • Process: Process Creation
  • File: File Modification
  • Microsoft Defender for Endpoint (Linux/macOS)

Required Tables

  • DeviceProcessEvents
  • DeviceFileEvents

False Positives & Tuning

  • System administrators legitimately editing sudoers to grant specific users limited sudo access
  • Package managers (apt, yum) using sudo -n or similar patterns during automated updates
  • Ansible, Chef, Puppet automation using sudo for system configuration management
  • CI/CD pipelines that use sudo for build/deployment tasks with documented NOPASSWD grants

Testing Methodology

Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: List Current Sudo Privileges for Current User

     Expected signal: Syslog/auditd: sudo -l command executed by current user. Auth log entry for sudo invocation.

  2. Test 2: Add NOPASSWD Sudo Entry via sudoers.d

     Expected signal: Auditd: file write event on /etc/sudoers.d/df00tech-test. Auth log: sudo cp command. Process creation for cp with /etc/sudoers.d path.

  3. Test 3: Exploit Sudo Timestamp Cache

     Expected signal: Syslog/auditd: sudo -n command with NOPASSWD check. Auth log entry. If successful: sudo COMMAND=whoami entry.
