DET0052 Behavioral Detection Strategy for Abuse of Sudo and Sudo Caching

| Item | Value |
|---|---|
| ID | DET0052 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1548.003 (Sudo and Sudo Caching)

Analytics

Linux

AN0142

Correlate command executions involving ‘sudo’ with elevated effective user ID (euid=0), especially when tty_tickets is disabled or timestamp_timeout is actively abused.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Metadata (DC0034) | auditd:SYSCALL | execve call for sudo where euid != uid |
| File Modification (DC0061) | auditd:SYSCALL | execve call for modification of /etc/sudoers or writing to /var/db/sudo |

Mutable Elements

| Field | Description |
|---|---|
| timestamp_timeout_threshold | Tune the valid sudo session duration to reduce false positives |
| command_allowlist | Filter benign sudo usage (e.g., approved admin scripts) |
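To show how the AN0142 logic above maps onto raw auditd records, here is an added example (not part of the ATT&CK page or any MITRE tooling) that regroups records by event serial, flags sudo execve calls where euid != uid, applies the command_allowlist mutable element, and flags events whose PATH record names /etc/sudoers or /var/db/sudo. The audit lines, the allowlisted script path and the syscall number (59 = execve on x86_64) are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Mutable elements from AN0142; these values are constructed placeholders.
COMMAND_ALLOWLIST = {"/usr/local/sbin/nightly-backup.sh"}
WATCHED_PATHS = ("/etc/sudoers", "/var/db/sudo")

# Constructed auditd records (not real logs): a sudo exec with euid 0 / uid 1000,
# an allowlisted sudo exec, a plain non-sudo exec, and an open that names /etc/sudoers.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1761000000.101:301): arch=c000003e syscall=59 success=yes exit=0 pid=2301 auid=1000 uid=1000 gid=1000 euid=0 suid=0 tty=pts1 comm="sudo" exe="/usr/bin/sudo"
type=EXECVE msg=audit(1761000000.101:301): argc=3 a0="sudo" a1="cat" a2="/etc/shadow"
type=SYSCALL msg=audit(1761000000.150:302): arch=c000003e syscall=59 success=yes exit=0 pid=2302 auid=1000 uid=1000 gid=1000 euid=0 suid=0 tty=pts1 comm="sudo" exe="/usr/bin/sudo"
type=EXECVE msg=audit(1761000000.150:302): argc=2 a0="sudo" a1="/usr/local/sbin/nightly-backup.sh"
type=SYSCALL msg=audit(1761000000.202:303): arch=c000003e syscall=59 success=yes exit=0 pid=2303 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 tty=pts1 comm="ls" exe="/usr/bin/ls"
type=SYSCALL msg=audit(1761000000.303:304): arch=c000003e syscall=257 success=yes exit=3 pid=2301 auid=1000 uid=0 gid=0 euid=0 suid=0 tty=pts1 comm="bash" exe="/usr/bin/bash"
type=PATH msg=audit(1761000000.303:304): item=0 name="/etc/sudoers" inode=1234 mode=0100440 ouid=0 ogid=0 nametype=NORMAL
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r'audit\(\d+\.\d+:(\d+)\)')

def group_events(audit_text):
    """auditd spreads one event over several records that share a serial; regroup them."""
    events = defaultdict(list)
    for line in filter(str.strip, audit_text.splitlines()):
        rec = {k: v.strip('"') for k, v in KV.findall(line)}
        events[SERIAL.search(line).group(1)].append(rec)
    return events

def detect(audit_text):
    """Return (signal, serial, auid, detail) tuples for the two AN0142 signals."""
    alerts = []
    for serial, recs in group_events(audit_text).items():
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None:
            continue
        ex = next((r for r in recs if r["type"] == "EXECVE"), {})
        # Signal 1: execve (syscall 59 on x86_64) of sudo where euid != uid,
        # minus commands on the allowlist (mutable element command_allowlist).
        if (sc.get("syscall") == "59" and sc.get("exe") == "/usr/bin/sudo"
                and sc.get("euid") != sc.get("uid")
                and ex.get("a1") not in COMMAND_ALLOWLIST):
            alerts.append(("sudo_euid_mismatch", serial, sc.get("auid"), ex.get("a1")))
        # Signal 2: a PATH record in the same event names sudoers or the timestamp dir.
        touched = [r.get("name", "") for r in recs if r["type"] == "PATH"]
        if any(p == WATCHED_PATHS[0] or p.startswith(WATCHED_PATHS[1]) for p in touched):
            alerts.append(("sudoers_or_timestamp_write", serial, sc.get("auid"), touched[0]))
    return alerts
```

Feeding the sample through `detect` yields one alert for event 301 (sudo running `cat` with euid 0) and one for event 304 (the open of /etc/sudoers); the allowlisted script and the plain `ls` produce nothing.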

macOS

AN0143

Detect sudo activity with NOPASSWD in /etc/sudoers or disabling tty_tickets, followed by immediate privileged commands (e.g., echo 'Defaults !tty_tickets' >> /etc/sudoers).

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | exec or sudo usage with NOPASSWD context or echo modifying sudoers |
| Process Termination (DC0033) | macos:unifiedlog | Terminal process killed (killall Terminal) immediately after sudoers modification |

Mutable Elements

| Field | Description |
|---|---|
| admin_user_context | Define allowed users who may modify sudoers without investigation |
| terminal_restart_window | Time window after sudoers file change to monitor for Terminal restarts |