splApache-2.0from splunk/security_content
Linux Auditd Possible Access To Sudoers File
The following analytic detects potential access or modification of the /etc/sudoers file on a Linux system. It leverages data from Linux Auditd, focusing on events of type PATH or CWD. This activity could be significant because the sudoers file controls user permissions for executing commands with elevated privileges. Correlate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification. If confirmed malicious, an attacker could gain persistence or escalate privileges, compromising the security of the targeted host.
Quality
59
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
`linux_auditd`
(type=PATH OR type=CWD)
| rex "msg=audit\([^)]*:(?<audit_id>\d+)\)"
| stats
values(type) as types
values(name) as names
values(nametype) as nametype
values(cwd) as cwd_list
values(_time) as event_times
by audit_id, host
| eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A")
| eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names))
| eval matched_paths = mvfilter(match(candidate_paths, "/etc/sudoers.*"))
| eval match_count = mvcount(matched_paths)
| eval reconstructed_path = mvindex(matched_paths, 0)
| eval e_time = mvindex(event_times, 0)
| where match_count > 0
| rename host as dest
| stats count min(e_time) as firstTime max(e_time) as lastTime
values(nametype) as nametype
by current_working_directory
reconstructed_path
match_count
dest
audit_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_possible_access_to_sudoers_file_filter`