Query Details

Rule : Sudoers File Access Detection

Sudoers File Enumeration

Query

DeviceProcessEvents
| where FileName in ('cat', 'grep', 'head', 'tail', 'more')
| where ProcessCommandLine contains "sudoers"

About this query

Rule : Sudoers File Access Detection

Description

Detects attempts to read the sudoers file using common text viewing and searching commands. The sudoers file controls user privileges and its unauthorized access may indicate attempts to gain elevated privileges or gather sensitive information about system configurations.

Detection Logic

  • Monitors process events where the executed file name is one of the following text viewing and searching commands: cat, grep, head, tail, more.
  • Filters for instances where the process command line contains the term sudoers, indicating an attempt to access the sudoers file.

Tags

  • Sudoers File Access
  • Privilege Escalation
  • Process Events
  • Linux

Search Query

Explanation

This query is designed to detect attempts to read the sudoers file on a Linux system. The sudoers file is important because it controls user privileges, and unauthorized access to it could indicate an attempt to gain elevated privileges or gather sensitive system information.

Here's a simple breakdown of what the query does:

  1. Monitors Process Events: It looks at events related to processes being executed on the system.
  2. Filters by Specific Commands: It specifically checks for processes where the executed file name is one of the following text viewing and searching commands: cat, grep, head, tail, or more.
  3. Checks for sudoers Access: It further filters these processes to see if the command line used to execute them contains the term sudoers.

In summary, this query helps identify if someone is trying to read the sudoers file using common text commands, which could be a sign of an attempt to gain unauthorized access or information.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 9, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsLinuxPrivilegeEscalation

Operators

incontains

Actions

GitHub