title: Sudo and Sudo Caching (T1548.003)
id: df00tech-t1548-003
status: experimental
description: "Adversaries abuse sudo and the sudo credential cache on Linux and macOS to execute commands as root without re-authenticating. Techniques include: modifying /etc/sudoers (or a drop-in under /etc/sudoers.d/) to grant NOPASSWD access or to weaken Defaults such as tty_tickets and timestamp_timeout; reusing the sudo timestamp cache (timestamp_timeout is 15 minutes by default, so a user who recently authenticated can run further sudo commands without a password); probing for a live cache with 'sudo -n' (non-interactive mode fails instead of prompting when no valid ticket exists); and exploiting sudo bugs such as the sudoedit heap overflow CVE-2021-3156 (Baron Samedit). The Proton macOS malware modified the tty_tickets line in the sudoers file, and Linux post-exploitation frameworks routinely probe and abuse sudo for privilege escalation."
references:
  - https://attack.mitre.org/techniques/T1548/003/
  - https://df00tech.com/detections/T1548.003
author: df00tech
date: 2026/04/21
tags:
  - attack.t1548.003
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The auto-derived value was product: windows, which cannot apply to a sudo
# technique; use product: macos for macOS endpoints.
logsource:
  category: process_creation
  product: linux
detection:
  # The original detection logic could not be auto-translated; see the KQL/SPL
  # query on df00tech. The selections below are a placeholder built only from
  # the indicators named in the description (sudoers edits, NOPASSWD grants,
  # tty_tickets changes, 'sudo -n' cache probing, sudoedit in -s/-i mode) and
  # will match more broadly than the tuned query.
  selection_sudoers:
    CommandLine|contains:
      - '/etc/sudoers'
      - 'NOPASSWD'
      - 'tty_tickets'
  selection_cache_probe:
    Image|endswith: '/sudo'
    CommandLine|contains: ' -n'
  selection_sudoedit:
    Image|endswith: '/sudoedit'
    CommandLine|contains:
      - ' -s'
      - ' -i'
  condition: 1 of selection_*
falsepositives:
  - System administrators legitimately editing sudoers to grant specific users limited sudo access
  - "Package managers (apt, yum) using sudo -n or similar patterns during automated updates"
  - "Ansible, Chef, Puppet automation using sudo for system configuration management"
  - CI/CD pipelines that use sudo for build/deployment tasks with documented NOPASSWD grants
level: high
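
The indicators in the description above, run over process_creation-style events as an added example. This is not df00tech's rule logic or code from MITRE or the sudo project: the event field names (Image, CommandLine, ParentImage, User) follow the Sigma process_creation convention, the sample events and the ALLOWED_PARENTS tuning list are constructed for the example, and the sudo option letters that take an argument are taken from sudo(8). Unlike a substring match on ' -n', it parses sudo's own options so that `sudo -u root -- ls -n` is not mistaken for a cache probe, and it treats a raw `sudoedit -s \` command line (an unterminated shell escape) as a parse edge case rather than dropping the event.

```python
"""Added example (not df00tech's or MITRE's code): a process_creation-style
detector for the sudo abuse patterns named in the rule description, run over
constructed sample events. Field names follow the Sigma process_creation
convention (Image, CommandLine, ParentImage, User)."""
import shlex

# sudo(8) short options that consume the next argv token. If a short-option
# cluster ends in one of these letters, the token after it is an option
# argument, not the start of the command being run.
_SUDO_ARG_OPTS = set("CDghprtTuU")

SUDOERS_PATH = "/etc/sudoers"          # substring also covers /etc/sudoers.d/
SUDOERS_DEFAULTS = ("tty_tickets", "timestamp_timeout")

# Parents expected to run `sudo -n` non-interactively. Tuning knob, assumed for
# this example; the rule's falsepositives name the automation that belongs here.
ALLOWED_PARENTS = {"/usr/lib/ci-runner/run-job"}


def _basename(path):
    return path.rsplit("/", 1)[-1]


def sudo_flags(cmdline):
    """Split a sudo/sudoedit command line into (flags, rest).

    flags: set of short-option letters and long-option names given to sudo;
    rest:  argv of the command sudo was asked to run (after options / '--').
    A raw `sudoedit -s \\` log line ends in an unterminated escape, so fall
    back to whitespace splitting when shlex rejects it."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        argv = cmdline.split()
    flags, rest = set(), []
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            rest = argv[i + 1:]
            break
        if tok.startswith("--"):
            flags.add(tok[2:].split("=", 1)[0])
            i += 1
        elif tok.startswith("-") and len(tok) > 1:
            letters = tok[1:]
            flags.update(letters)
            i += 2 if letters[-1] in _SUDO_ARG_OPTS else 1
        else:
            rest = argv[i:]
            break
    return flags, rest


def classify(event):
    """Return [(tag, severity), ...] findings for one process_creation event."""
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    findings = []

    # 1. sudoers tampering by any tool: NOPASSWD grants or weakened ticket
    #    Defaults (the Proton tty_tickets edit) rate higher than other edits.
    if SUDOERS_PATH in cmd or image == "visudo":
        weakening = "NOPASSWD" in cmd or any(d in cmd for d in SUDOERS_DEFAULTS)
        findings.append(("sudoers_modification", "high" if weakening else "medium"))

    if image not in ("sudo", "sudoedit"):
        return findings
    flags, rest = sudo_flags(cmd)

    # 2. cache probing: `sudo -n` fails instead of prompting when no ticket is live
    if "n" in flags or "non-interactive" in flags:
        allowed = event.get("ParentImage", "") in ALLOWED_PARENTS
        findings.append(("sudo_cache_probe", "low" if allowed else "medium"))

    # 3. CVE-2021-3156 (Baron Samedit) shape: sudoedit / sudo -e in shell or
    #    login mode (-s / -i); an argument ending in a lone backslash is the
    #    overflow trigger itself.
    editing = image == "sudoedit" or "e" in flags or "edit" in flags
    shell_mode = bool({"s", "i", "shell", "login"} & flags)
    if editing and shell_mode:
        trigger = any(t.endswith("\\") for t in rest)
        findings.append(("cve_2021_3156_pattern", "critical" if trigger else "high"))
    return findings


def scan(events):
    """Return {index: findings} for every event with at least one finding."""
    return {i: f for i, f in ((i, classify(e)) for i, e in enumerate(events)) if f}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"User": "dev", "ParentImage": "/bin/bash", "Image": "/usr/bin/sudo",
     "CommandLine": "sudo -n true"},
    {"User": "svc", "ParentImage": "/usr/lib/ci-runner/run-job",
     "Image": "/usr/bin/sudo", "CommandLine": "sudo -nu root systemctl restart app"},
    {"User": "dev", "ParentImage": "/bin/bash", "Image": "/usr/bin/bash",
     "CommandLine": "bash -c \"echo 'dev ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/dev\""},
    {"User": "dev", "ParentImage": "/bin/sh", "Image": "/usr/bin/sed",
     "CommandLine": "sed -i 's/Defaults tty_tickets/Defaults !tty_tickets/' /etc/sudoers"},
    {"User": "dev", "ParentImage": "/bin/bash", "Image": "/usr/bin/sudoedit",
     "CommandLine": "sudoedit -s '\\' AAAAAAAAAAAAAAAA"},
    {"User": "admin", "ParentImage": "/bin/bash", "Image": "/usr/bin/sudo",
     "CommandLine": "sudo -u root -- ls -n /root"},
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], found)
```

The severity of the cache probe is deliberately downgraded, not suppressed, for allowed parents, so a compromised automation account still leaves a trace; the sudoers check runs for every image because the edit can come from echo, sed, tee, or a scripting interpreter rather than visudo.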
