Query Details

Sudoers File Enumeration

Query

# Rule : Sudoers File Access Detection

## Description
Detects attempts to read the `sudoers` file using common text viewing and searching commands. The `sudoers` file controls user privileges and its unauthorized access may indicate attempts to gain elevated privileges or gather sensitive information about system configurations.

- Source: [Sigma rule for detecting access to sudoers file](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml)

## Detection Logic
- Monitors process events where the executed file name is one of the following text viewing and searching commands: `cat`, `grep`, `head`, `tail`, `more`.
- Filters for instances where the process command line contains the term `sudoers`, indicating an attempt to access the sudoers file.

## Tags
- Sudoers File Access
- Privilege Escalation
- Process Events
- Linux

## Search Query
```kql
DeviceProcessEvents
| where FileName in ('cat', 'grep', 'head', 'tail', 'more')
| where ProcessCommandLine contains "sudoers"
```

Explanation

This query is designed to detect attempts to read the sudoers file on a Linux system. The sudoers file is important because it controls user privileges, and unauthorized access to it could indicate an attempt to gain elevated privileges or gather sensitive system information.

Here's a simple breakdown of what the query does:

  1. Monitors Process Events: It looks at events related to processes being executed on the system.
  2. Filters by Specific Commands: It specifically checks for processes where the executed file name is one of the following text viewing and searching commands: cat, grep, head, tail, or more.
  3. Checks for sudoers Access: It further filters these processes to see if the command line used to execute them contains the term sudoers.

In summary, this query helps identify if someone is trying to read the sudoers file using common text commands, which could be a sign of an attempt to gain unauthorized access or information.
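To make the two filters concrete, here is an added Python emulation of the query's logic run over a handful of constructed process events; it is not part of the original page or of the Sigma rule, and the `ProcessEvent` class, field names and sample rows are assumptions that stand in for `DeviceProcessEvents` columns. It mirrors the KQL semantics that matter for tuning: `in` is an exact, case-sensitive match on `FileName`, while `contains` is case-insensitive on `ProcessCommandLine` (so `/etc/sudoers.d/` and `SUDOERS` both match).

```python
"""Emulation of the sudoers file access detection over constructed sample events.

Added example; the KQL on this page is the real query. ProcessEvent and the
sample rows below are constructed stand-ins for DeviceProcessEvents rows.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Same binary list as the query's `FileName in (...)` clause.
TEXT_VIEWERS = {"cat", "grep", "head", "tail", "more"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in for a DeviceProcessEvents row (constructed, not real telemetry)."""
    device_name: str
    file_name: str
    process_command_line: str


def matches_sudoers_access(event: ProcessEvent) -> bool:
    """Apply the query's two filters to one event.

    KQL `in` is case-sensitive, so the file name must match exactly;
    KQL `contains` is case-insensitive, so the command line is lower-cased
    before the substring check.
    """
    return (
        event.file_name in TEXT_VIEWERS
        and "sudoers" in event.process_command_line.lower()
    )


def run_detection(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events the rule would surface, in input order."""
    return [e for e in events if matches_sudoers_access(e)]


# Constructed sample rows covering the match and non-match cases.
SAMPLE_EVENTS = [
    ProcessEvent("lnx-web-01", "cat", "cat /etc/sudoers"),               # hit
    ProcessEvent("lnx-web-01", "grep", "grep -R Defaults /etc/sudoers.d/"),  # hit: drop-in dir
    ProcessEvent("lnx-db-02", "tail", "tail -n 20 /var/log/syslog"),      # no "sudoers" term
    ProcessEvent("lnx-db-02", "visudo", "visudo -c"),                    # binary not in list
    ProcessEvent("lnx-build-03", "head", "head /etc/SUDOERS"),           # hit: contains ignores case
    ProcessEvent("lnx-build-03", "Cat", "Cat /etc/sudoers"),             # no hit: `in` is exact
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"{hit.device_name}: {hit.file_name} -> {hit.process_command_line}")
```

Running the script lists three hits. The `visudo` and `Cat` rows show the boundary of the rule as written: only the five listed names are matched, and matched exactly, so any tuning (adding viewers, or switching to `in~` for case-insensitive name matching) changes what the emulation and the real query return.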

Details


Ali Hussein

Released: July 9, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, Linux, PrivilegeEscalation

Operators

in, contains
