T1548.003 Sumo Logic CSE · Sumo

Detect Sudo and Sudo Caching in Sumo Logic CSE

Adversaries abuse sudo and sudo caching on Linux and macOS to execute commands with elevated privileges. Techniques include: modifying /etc/sudoers to grant NOPASSWD access, exploiting the sudo timestamp cache (default 15-minute window) to run commands without re-authentication, using 'sudo -n' to check if cached credentials exist, and exploiting sudoedit or sudo bypass vulnerabilities (CVE-2021-3156 Baron Samedit). ProtonB malware and various Linux post-exploitation frameworks abuse sudo for privilege escalation.

MITRE ATT&CK

  • Tactic: Privilege Escalation, Defense Evasion
  • Technique: T1548 Abuse Elevation Control Mechanism
  • Sub-technique: T1548.003 Sudo and Sudo Caching
  • Canonical reference: https://attack.mitre.org/techniques/T1548/003/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```sql
(_sourceCategory="linux/secure" OR _sourceCategory="linux/syslog" OR _sourceCategory="linux/auditd" OR _sourceCategory="os/linux")
| where _raw matches /(?i)(sudo|sudoers|visudo)/
// Context fields; nodrop keeps lines where a pattern does not match.
// sudo's own auth-log line writes the target account as "USER=", so that field is
// matched case-insensitively with a word boundary (skips PAM's "ruser=").
| parse regex field=_raw "(?<sudo_user>[a-zA-Z0-9_\-\.]+)\s*:\s*TTY" nodrop
| parse regex field=_raw "COMMAND=(?<sudo_command>[^\n]+)" nodrop
| parse regex field=_raw "(?i)\bUSER=(?<exec_user>[a-zA-Z0-9_\-\.]+)" nodrop
| parse regex field=_raw "hostname=(?<src_host>[a-zA-Z0-9_\-\.]+)" nodrop
// Classification: nested if() evaluated top to bottom, first matching branch wins.
| if(
    _raw matches /(?i).*path.*\/etc\/sudoers.*/
    AND _raw matches /(?i).*(write|open|truncate|creat).*/,
    "Sudoers_File_Auditd_Write",
  if(
    _raw matches /(?i).*(NOPASSWD|ALL=\(ALL|!authenticate|sudoedit).*/
    AND _raw matches /(?i).*(sudoers|visudo).*/,
    "Sudo_NOPASSWD_Config",
  if(
    _raw matches /(?i).*sudo.*COMMAND.*/
    AND _raw matches /(?i).*(bash|sh|python|python3|perl|ruby|\/bin\/).*/
    AND _raw matches /(?i).*user=root.*/,
    "Sudo_Shell_Escalation",
  if(
    _raw matches /(?i).*sudo.*(-n|--non-interactive|-S|--stdin).*/
    AND !(_raw matches /(?i).*(apt|yum|dnf|apt-get).*/),
    "Sudo_Cache_NonInteractive",
  if(
    _raw matches /(?i).*sudo.*authentication failure.*(-n|--non-interactive).*/,
    "Sudo_Failed_Cache_Check",
    ""
  ))))) as detection_type
| where !isBlank(detection_type)
| fields _messageTime, _sourceHost, sudo_user, exec_user, sudo_command, detection_type, _raw
| sort by _messageTime desc
```

Severity: high. Confidence: high.

Sumo Logic query detecting sudo and sudo caching abuse from Linux secure logs, syslog, and auditd sources. Uses regex-based parse and eval to classify events into five detection categories: auditd-captured sudoers file writes, NOPASSWD privilege configuration, shell escalation as root via sudo, non-interactive sudo invocations indicating cache abuse, and failed sudo authentication with non-interactive flags. Extracts sudo_user, exec_user, and command fields for context.
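To check the classification logic before it goes into production, here is an added Python re-implementation of the query's pre-filter, parse stages and nested if() ordering, run over constructed sample lines (sudo auth-log, auditd PATH and EXECVE records, PAM failures). This is example code written for this page, not the vendor's detection content or Sumo Logic's; the exec_user pattern assumes sudo's upper-case USER= field, and the two PAM lines carrying an "argv=" suffix are constructed only to exercise the fifth pattern, since real PAM lines do not record sudo's flags.

```python
import re
from typing import Dict, List, Optional, Tuple

# Stage 1: pre-filter, equivalent to the query's first "where".
PREFILTER = re.compile(r"(?i)(sudo|sudoers|visudo)")

# Stage 2: context fields, equivalent to the "parse regex ... nodrop" stages.
# Assumption: sudo's auth-log line writes the target account as "USER=", so it is
# matched case-insensitively with a word boundary so PAM's "ruser=" is skipped.
FIELD_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "sudo_user": re.compile(r"(?P<v>[a-zA-Z0-9_\-\.]+)\s*:\s*TTY"),
    "sudo_command": re.compile(r"COMMAND=(?P<v>[^\n]+)"),
    "exec_user": re.compile(r"(?i)\bUSER=(?P<v>[a-zA-Z0-9_\-\.]+)"),
    "src_host": re.compile(r"hostname=(?P<v>[a-zA-Z0-9_\-\.]+)"),
}

# Stage 3: the five categories in the query's nested-if() order; first match wins.
# Each entry: (detection_type, patterns that must all match, patterns that must not match).
CATEGORIES: List[Tuple[str, List[str], List[str]]] = [
    ("Sudoers_File_Auditd_Write",
     [r"(?i)path.*/etc/sudoers", r"(?i)(write|open|truncate|creat)"], []),
    ("Sudo_NOPASSWD_Config",
     [r"(?i)(NOPASSWD|ALL=\(ALL|!authenticate|sudoedit)", r"(?i)(sudoers|visudo)"], []),
    ("Sudo_Shell_Escalation",
     [r"(?i)sudo.*COMMAND", r"(?i)(bash|sh|python|python3|perl|ruby|/bin/)",
      r"(?i)user=root"], []),
    ("Sudo_Cache_NonInteractive",
     [r"(?i)sudo.*(-n|--non-interactive|-S|--stdin)"], [r"(?i)(apt|yum|dnf|apt-get)"]),
    ("Sudo_Failed_Cache_Check",
     [r"(?i)sudo.*authentication failure.*(-n|--non-interactive)"], []),
]


def classify(raw: str) -> Optional[str]:
    """detection_type the query would assign to one raw line, or None if it is dropped."""
    if not PREFILTER.search(raw):
        return None
    for name, required, excluded in CATEGORIES:
        if all(re.search(p, raw) for p in required) and not any(re.search(p, raw) for p in excluded):
            return name
    return None


def extract_fields(raw: str) -> Dict[str, Optional[str]]:
    """Context fields; a field whose pattern does not match stays None (the nodrop case)."""
    fields: Dict[str, Optional[str]] = {}
    for name, pat in FIELD_PATTERNS.items():
        m = pat.search(raw)
        fields[name] = m.group("v") if m else None
    return fields


def run(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Full pipeline: pre-filter, classify, parse, and drop lines with no detection_type."""
    results = []
    for raw in lines:
        detection_type = classify(raw)
        if detection_type is not None:
            results.append({**extract_fields(raw), "detection_type": detection_type, "_raw": raw})
    return results


# Constructed sample lines (not taken from any real host).
SAMPLE_LOGS = [
    # 0: interactive root shell via sudo
    "Mar  3 10:15:22 web01 sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    # 1: auditd PATH record for a new sudoers.d drop-in
    'type=PATH msg=audit(1709460930.001:4590): item=1 name="/etc/sudoers.d/backdoor" inode=262401 '
    'dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=CREATE',
    # 2: sudoedit of a sudoers.d drop-in
    "Mar  3 10:16:01 web01 sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=sudoedit /etc/sudoers.d/bob",
    # 3: auditd EXECVE record showing the -n flag (sudo's own log line never carries it)
    'type=EXECVE msg=audit(1709460940.555:4601): argc=3 a0="sudo" a1="-n" a2="/usr/bin/whoami"',
    # 4: routine package upgrade as root
    "Mar  3 10:18:00 web01 sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/apt-get -y upgrade",
    # 5: "sudo -l", which sudo logs as COMMAND=list
    "Mar  3 10:14:50 web01 sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=list",
    # 6: same as 5 but from a working directory whose name contains "-n"
    "Mar  3 10:19:00 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice/my-notes ; USER=root ; COMMAND=list",
    # 7: unrelated sshd line
    "Mar  3 10:20:00 web01 sshd[2210]: Accepted publickey for bob from 10.0.0.5 port 51234 ssh2",
    # 8, 9: PAM failure lines with a constructed "argv=" suffix to exercise the fifth pattern
    "Mar  3 10:21:00 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 "
    "euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob ; argv=sudo -n /usr/bin/id",
    "Mar  3 10:21:05 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 "
    "euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob ; argv=sudo -n /usr/bin/apt",
]

if __name__ == "__main__":
    for rec in run(SAMPLE_LOGS):
        print(f"{rec['detection_type']:<28} sudo_user={rec['sudo_user']} "
              f"exec_user={rec['exec_user']} cmd={rec['sudo_command']}")
```

Running it surfaces four tuning points in the patterns as written: sample 4 (a package upgrade) lands in Sudo_Shell_Escalation, because `/bin/` and the bare token `sh` match almost any absolute command path and the package-manager exclusion exists only on the Sudo_Cache_NonInteractive branch; sample 5, the Test 1 signal (sudo -l, logged as COMMAND=list), produces no detection_type at all; sample 6 shows `-n` firing on any hyphen-n substring after the word sudo, such as a directory or host name; and samples 8 and 9 show that Sudo_Failed_Cache_Check is reachable only when the preceding branch's exclusion list removes the line first, since that branch's own `-n` pattern otherwise wins.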

Data Sources

  • Linux /var/log/secure (auth)
  • Linux /var/log/syslog
  • Linux auditd via Sumo Installed Collector
  • Sumo Logic CSE Normalized Events

Required Tables

  • _sourceCategory=linux/secure
  • _sourceCategory=linux/syslog
  • _sourceCategory=linux/auditd

False Positives & Tuning

  • Automated patching systems (unattended-upgrades, yum-cron) that write sudoers.d/ drop-in files as part of package installation and post-install scripts
  • Container orchestration tooling (Docker, Kubernetes node agents, containerd shims) that invoke sudo non-interactively for namespace manipulation and cgroup management
  • Legitimate developer workflows on shared build servers where developers commonly sudo to a build user account using cached credentials, generating root shell escalation events that match the detection pattern
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: List Current Sudo Privileges for Current User

    Expected signal: Syslog/auditd: sudo -l command executed by current user. Auth log entry for sudo invocation.

  2. Test 2: Add NOPASSWD Sudo Entry via sudoers.d

    Expected signal: Auditd: file write event on /etc/sudoers.d/df00tech-test. Auth log: sudo cp command. Process creation for cp with /etc/sudoers.d path.

  3. Test 3: Exploit Sudo Timestamp Cache

    Expected signal: Syslog/auditd: sudo -n command with NOPASSWD check. Auth log entry. If successful: sudo COMMAND=whoami entry.
