Rule : Sudoers File Access Detection
Sudoers File Enumeration
Query
DeviceProcessEvents
| where FileName in ('cat', 'grep', 'head', 'tail', 'more')
| where ProcessCommandLine contains "sudoers"About this query
Rule : Sudoers File Access Detection
Description
Detects attempts to read the sudoers file using common text viewing and searching commands. The sudoers file controls user privileges and its unauthorized access may indicate attempts to gain elevated privileges or gather sensitive information about system configurations.
Detection Logic
- Monitors process events where the executed file name is one of the following text viewing and searching commands:
cat,grep,head,tail,more. - Filters for instances where the process command line contains the term
sudoers, indicating an attempt to access the sudoers file.
Tags
- Sudoers File Access
- Privilege Escalation
- Process Events
- Linux
Search Query
Explanation
This query is designed to detect attempts to read the sudoers file on a Linux system. The sudoers file is important because it controls user privileges, and unauthorized access to it could indicate an attempt to gain elevated privileges or gather sensitive system information.
Here's a simple breakdown of what the query does:
- Monitors Process Events: It looks at events related to processes being executed on the system.
- Filters by Specific Commands: It specifically checks for processes where the executed file name is one of the following text viewing and searching commands:
cat,grep,head,tail, ormore. - Checks for
sudoersAccess: It further filters these processes to see if the command line used to execute them contains the termsudoers.
In summary, this query helps identify if someone is trying to read the sudoers file using common text commands, which could be a sign of an attempt to gain unauthorized access or information.
Details

Ali Hussein
Released: July 9, 2024
Tables
Keywords
Operators