Query Details

Sudoersd File Creation

Query

# Rule: Detection of Unauthorized Creation of Files in /etc/sudoers.d/

## Description
This detection rule identifies attempts to create files in the `/etc/sudoers.d/` directory on Linux systems. The `/etc/sudoers.d/` directory is used to include additional sudoers configuration files. Unauthorized creation of files in this directory could indicate an attempt to escalate privileges or gain unauthorized access by adding malicious sudoers configurations.

This rule monitors for file creation events in the `/etc/sudoers.d/` directory. Such activity is not typically seen during standard operations and may indicate malicious intent to modify sudo privileges.

- [Sigma Rule: Persistence via Sudoers File](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml)

## Detection Logic
- Monitors `DeviceFileEvents` for events where:
  - The `ActionType` is "FileCreated", and
  - The `FolderPath` contains `/etc/sudoers.d/`.
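To see what these two clauses actually match, the following is an added example (not part of the original rule): the KQL filter re-implemented in Python and replayed over a handful of constructed DeviceFileEvents-style records. It assumes `FolderPath` carries the full path including the file name, which is what the trailing slash in the rule's `contains "/etc/sudoers.d/"` relies on, and it uses the `InitiatingProcessFileName` and `InitiatingProcessAccountName` columns of `DeviceFileEvents` for triage output. The `match_anchored` variant, the sample hostnames and the sample paths are illustrative assumptions.

```python
"""Offline replay of the /etc/sudoers.d/ file-creation detection.

Added example, not part of the original rule: the two KQL `where` clauses are
re-implemented in Python and run over constructed DeviceFileEvents-style
records. KQL `contains` is a case-insensitive substring match, which the
helper below reproduces; a path-anchored variant is included for comparison.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SUDOERS_DIR = "/etc/sudoers.d/"


@dataclass(frozen=True)
class FileEvent:
    """Subset of DeviceFileEvents columns used by this replay."""
    device_name: str
    action_type: str
    folder_path: str
    file_name: str
    initiating_process_file_name: str
    initiating_process_account_name: str


# Constructed sample records (not real telemetry). FolderPath is assumed to
# carry the full path including the file name, which is what the trailing
# slash in the rule's `contains "/etc/sudoers.d/"` relies on.
SAMPLE_EVENTS: List[FileEvent] = [
    FileEvent("lnx-web-01", "FileCreated", "/etc/sudoers.d/90-ops-user", "90-ops-user", "bash", "root"),
    FileEvent("lnx-web-01", "FileModified", "/etc/sudoers.d/README", "README", "vi", "root"),
    FileEvent("lnx-db-02", "FileCreated", "/ETC/SUDOERS.D/deploy", "deploy", "sh", "deploy"),
    FileEvent("lnx-ci-03", "FileCreated", "/tmp/build/etc/sudoers.d/pkg", "pkg", "dpkg", "root"),
    FileEvent("lnx-ci-03", "FileCreated", "/etc/sudoers.d.bak/old", "old", "cp", "root"),
    FileEvent("lnx-ci-03", "FileCreated", "/home/dev/notes.txt", "notes.txt", "bash", "dev"),
]


def kql_contains(haystack: str, needle: str) -> bool:
    """Mimic KQL `contains`: case-insensitive substring match anywhere in the string.

    KQL string operators are case-insensitive unless suffixed with `_cs`.
    """
    return needle.lower() in haystack.lower()


def match_rule(events: Iterable[FileEvent]) -> List[FileEvent]:
    """The rule as written on the page: FileCreated AND FolderPath contains /etc/sudoers.d/."""
    return [
        e for e in events
        if e.action_type == "FileCreated" and kql_contains(e.folder_path, SUDOERS_DIR)
    ]


def match_anchored(events: Iterable[FileEvent]) -> List[FileEvent]:
    """Stricter variant, equivalent to `FolderPath startswith "/etc/sudoers.d/"`.

    Paths such as /tmp/build/etc/sudoers.d/pkg (a packaging staging tree) satisfy
    `contains` but are not the live sudoers drop-in directory.
    """
    return [
        e for e in events
        if e.action_type == "FileCreated" and e.folder_path.lower().startswith(SUDOERS_DIR)
    ]


def triage_rows(events: Iterable[FileEvent]) -> List[Tuple[str, str, str, str]]:
    """Columns an analyst wants next to a hit: host, file, creating process, account."""
    return [
        (e.device_name, e.file_name, e.initiating_process_file_name,
         e.initiating_process_account_name)
        for e in events
    ]


if __name__ == "__main__":
    for label, hits in (("rule", match_rule(SAMPLE_EVENTS)),
                        ("anchored", match_anchored(SAMPLE_EVENTS))):
        print(f"{label}: {len(hits)} hit(s)")
        for row in triage_rows(hits):
            print("  ", row)
```

Running the replay shows two things the rule text does not: `contains` also fires on a staging tree such as `/tmp/build/etc/sudoers.d/` because it is a substring match, and the trailing slash in the search string is what keeps `/etc/sudoers.d.bak/` out. Because package installs and configuration-management runs legitimately drop files into `/etc/sudoers.d/`, the initiating process and account columns are the first fields to look at when triaging a hit.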

## Tags
- File Events
- Privilege Escalation
- sudoers
- Linux Security
- Suspicious Activity

## Search Query
```kql
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath contains "/etc/sudoers.d/"
```

Explanation

Summary of the Query

This query is designed to detect unauthorized creation of files in the /etc/sudoers.d/ directory on Linux systems. This directory is used for additional sudoers configuration files, and unauthorized file creation here could indicate an attempt to escalate privileges or gain unauthorized access.

Key Points

  • Purpose: To identify potential privilege escalation or unauthorized access attempts by monitoring file creation in a sensitive directory.
  • Directory Monitored: /etc/sudoers.d/
  • Event Type: File creation events (ActionType is "FileCreated")
  • Relevance: Such file creation is unusual during normal operations and may signal malicious activity.

Detection Logic

The query looks for file creation events in the /etc/sudoers.d/ directory by filtering DeviceFileEvents where:

  • The action type is "FileCreated".
  • The folder path contains /etc/sudoers.d/.

Tags

  • File Events: The query focuses on file creation events.
  • Privilege Escalation: Indicates potential attempts to gain higher privileges.
  • sudoers: Related to sudoers configuration files.
  • Linux Security: Pertains to security on Linux systems.
  • Suspicious Activity: Highlights potentially malicious actions.

Search Query in KQL

DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath contains "/etc/sudoers.d/"

This query helps identify suspicious activity that could compromise the system by monitoring file creation events in a sensitive directory.

Details


Ali Hussein

Released: July 8, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEvents
PrivilegeEscalation
LinuxSecurity
SuspiciousActivity

Operators

==
contains
|
where
