EXPLORE

← Back to Explore

T1548.003

Sudo and Sudo Caching

Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges. Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The <code>sudo</code> command "allows a system administrator to delegate authority to give certa...

LinuxmacOS

49

Detections

2

Sources

0

Threat Actors

BY SOURCE

35splunk_escu14elastic

PROCEDURES (14)

General Monitoring19 detections

Auto-extracted: 19 detections for general monitoring

Persist7 detections

Auto-extracted: 7 detections for persist

Process Creation Monitoring4 detections

Auto-extracted: 4 detections for process creation monitoring

Persist3 detections

Auto-extracted: 3 detections for persist

Persist2 detections

Auto-extracted: 2 detections for persist

Script Execution Monitoring2 detections

Auto-extracted: 2 detections for script execution monitoring

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Parent Process2 detections

Auto-extracted: 2 detections for parent process

Container2 detections

Auto-extracted: 2 detections for container

File Monitoring2 detections

Auto-extracted: 2 detections for file monitoring

Service1 detections

Auto-extracted: 1 detections for service

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Service1 detections

Auto-extracted: 1 detections for service

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

DETECTIONS (49)

Deprecated - Sudo Heap-Based Buffer Overflow Attempt

Linux APT Privilege Escalation

Linux Auditd Doas Conf File Creation

Linux Auditd Doas Tool Execution

Linux Auditd Nopasswd Entry In Sudoers File

Linux Auditd Possible Access To Sudoers File

Linux Auditd Sudo Or Su Execution

Linux AWK Privilege Escalation

Linux Busybox Privilege Escalation

Linux c89 Privilege Escalation

Linux c99 Privilege Escalation

Linux Composer Privilege Escalation

Linux Cpulimit Privilege Escalation

Linux Csvtool Privilege Escalation

Linux Doas Conf File Creation

Linux Doas Tool Execution

Linux Emacs Privilege Escalation

Linux Find Privilege Escalation

Linux GDB Privilege Escalation

Linux Gem Privilege Escalation

Linux GNU Awk Privilege Escalation

Linux Make Privilege Escalation

Linux MySQL Privilege Escalation

Linux Node Privilege Escalation

Linux NOPASSWD Entry In Sudoers File

Linux Octave Privilege Escalation

Linux OpenVPN Privilege Escalation

Linux PHP Privilege Escalation

Linux Possible Access To Sudoers File

Linux Puppet Privilege Escalation

Linux RPM Privilege Escalation

Linux Ruby Privilege Escalation

Linux Sqlite3 Privilege Escalation

Linux Sudo OR Su Execution

Linux Sudoers Tmp File Creation

Linux Visudo Utility Execution

Modification of Persistence Relevant Files Detected via Defend for Containers

Pod or Container Creation with Suspicious Command-Line

Potential CVE-2025-32463 Sudo Chroot Execution Attempt

Potential Defense Evasion via Doas

Potential Persistence via File Modification

Potential Privilege Escalation via Sudoers File Modification

Potential Sudo Hijacking

Potential Sudo Privilege Escalation via CVE-2019-14287

Potential Sudo Token Manipulation via Process Injection

Potential Suspicious File Edit

Sudo Command Enumeration Detected

Sudoers File Activity

Suspicious Echo or Printf Execution Detected via Defend for Containers