Which SIEM platforms have a T1548.003 detection rule?

df00tech provides T1548.003 (Sudo and Sudo Caching) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Sudo and Sudo Caching (T1548.003)?

Detecting Sudo and Sudo Caching requires the following data sources: Process: Process Creation, File: File Modification, Microsoft Defender for Endpoint (Linux/macOS).

What severity and confidence is the T1548.003 detection?

The T1548.003 detection is rated high severity with medium confidence.

What are common false positives for T1548.003?

Common false positives for T1548.003 include: System administrators legitimately editing sudoers to grant specific users limited sudo access; Package managers (apt, yum) using sudo -n or similar patterns during automated updates; Ansible, Chef, Puppet automation using sudo for system configuration management.

T1548.003 Splunk · SPL

Detect Sudo and Sudo Caching in Splunk

Adversaries abuse sudo and sudo caching on Linux and macOS to execute commands with elevated privileges. Techniques include: modifying /etc/sudoers to grant NOPASSWD access, exploiting the sudo timestamp cache (default 15-minute window) to run commands without re-authentication, using 'sudo -n' to check if cached credentials exist, and exploiting sudoedit or sudo bypass vulnerabilities (CVE-2021-3156 Baron Samedit). ProtonB malware and various Linux post-exploitation frameworks abuse sudo for privilege escalation.

MITRE ATT&CK

Tactic: Privilege Escalation Defense Evasion
Technique: T1548 Abuse Elevation Control Mechanism
Sub-technique: T1548.003 Sudo and Sudo Caching
Canonical reference: https://attack.mitre.org/techniques/T1548/003/

SPL Detection Query

Splunk (SPL)

spl

index=linux_logs (sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="auditd")
| eval detection_type=case(
    sourcetype="auditd" AND match(_raw, "(?i)path.*(/etc/sudoers)") AND
      match(_raw, "(?i)(write|open|truncate)"),
      "Sudoers_File_Auditd_Write",
    sourcetype="linux_secure" AND match(_raw, "(?i)(sudo|su).*COMMAND") AND
      match(_raw, "(?i)(bash|sh|python|perl|ruby|/bin/\\*|ALL)"),
      "Sudo_Shell_Command",
    sourcetype="linux_secure" AND match(_raw, "(?i)sudo.*authentication failure") AND
      match(_raw, "(?i)(-n|--non-interactive)"),
      "Sudo_Failed_Cache_Check",
    sourcetype="syslog" AND match(_raw, "(?i)NOPASSWD") AND
      match(_raw, "(?i)(sudoers|visudo)"),
      "Sudo_NOPASSWD_Config",
    true(), null()
  )
| where isnotnull(detection_type)
| table _time, host, user, detection_type, _raw
| sort - _time

high severity medium confidence

Detects sudo abuse via Linux security logs. Auditd file write events on /etc/sudoers indicate unauthorized modification. Linux secure log sudo commands running shells (bash, sh, python) are escalation indicators. sudo -n authentication failures indicate cache probing. NOPASSWD strings in syslog/sudoers context indicate privilege grant.

Data Sources

Process: Process CreationLinux AuditdLinux Secure Log

Required Sourcetypes

linux_securesyslogauditd

False Positives & Tuning

Package manager sudo automation with -n flag
Authorized administrative sudoers modifications
Configuration management tool sudo usage

Download portable Sigma rule (.yml)

Other platforms for T1548.003

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1List Current Sudo Privileges for Current User
Expected signal: Syslog/auditd: sudo -l command executed by current user. Auth log entry for sudo invocation.
Test 2Add NOPASSWD Sudo Entry via sudoers.d
Expected signal: Auditd: file write event on /etc/sudoers.d/df00tech-test. Auth log: sudo cp command. Process creation for cp with /etc/sudoers.d path.
Test 3Exploit Sudo Timestamp Cache
Expected signal: Syslog/auditd: sudo -n command with NOPASSWD check. Auth log entry. If successful: sudo COMMAND=whoami entry.

Last updated: 2026-04-21 Research depth: deep

References (3)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1548.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Sudo and Sudo Caching in Splunk

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1548.003

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1548.003

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

Get new detections in your inbox