Linux Persistence via Sudoers.d File Manipulation
Attackers can achieve persistence and privilege escalation on Linux systems by creating or modifying files in the /etc/sudoers.d/ directory to grant unauthorized users or groups sudo privileges.
The sudoers.d directory exists so that administrators can add sudo policy as individual drop-in files instead of editing the main /etc/sudoers file: /etc/sudoers pulls them in through an #includedir /etc/sudoers.d directive (@includedir in newer sudo releases), and sudo reads every file in the directory except those whose name contains a '.' or ends in '~', which it skips to avoid package-manager and editor temporary files. The directory is writable only by root, so an attacker who has already obtained root on a host can drop a file there that grants a user or group they control ALL privileges, usually with the NOPASSWD tag so that no credential is needed, and can add Defaults lines that turn off sudo's own logging. Such a file survives reboots and password changes, so it provides persistent access even if the original foothold is detected and remediated. The modification of…
Detection coverage (3 rules)
Detect Sudoers.d File Creation
Severity: medium. Detects the creation of new files in the sudoers.d directory, which may indicate an attempt to establish unauthorized privilege escalation.
Detect Sudoers.d File Modification
Severity: medium. Detects modifications to existing files in the sudoers.d directory, which could indicate an attempt to modify sudo privileges.
Detect Dpkg Temporary Sudoers.d File
Severity: info. Detects the creation of temporary dpkg files in the sudoers.d directory.
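The three rules above fire on file-system events; what a responder then needs is a quick read of what the drop-ins actually grant. As an added example (not a rule or code from this detection platform), the following Python script audits a sudoers.d directory on content and metadata: it flags drop-ins that grant ALL commands (with or without NOPASSWD), files that are group- or world-writable, Defaults lines that disable logging, and names that sudo will ignore because they contain a '.' or end in '~', which is exactly the dpkg temporary-file case the third rule reports at info severity. The directory layout, file names and rule contents are constructed for illustration, and the checks are heuristics rather than a full sudoers(5) grammar.

```python
"""Audit a sudoers.d directory for entries an attacker would plant.

Added example, not code from the detection platform described on this page.
The sample drop-in files below are constructed for illustration, and the
checks are heuristics, not a complete sudoers(5) parser.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile

# Tags that may precede the command list in a user specification (sudoers(5)).
KNOWN_TAGS = {
    "NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
    "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL",
}
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$"
)
TAG = re.compile(r"^([A-Z_]+)\s*:\s*")
# Defaults lines that negate sudo's own logging, e.g. "Defaults !syslog".
LOG_OFF = re.compile(r"^Defaults\b.*!\s*(syslog|logfile|log_input|log_output)", re.M)


def sudo_will_parse(name: str) -> bool:
    """sudo's #includedir skips names containing '.' or ending in '~', so a
    package-manager temp file (foo.dpkg-new) or editor backup (foo~) never
    takes effect, however dangerous its contents look."""
    return "." not in name and not name.endswith("~")


def parse_rules(text: str):
    """Yield (who, runas, tags, commands) for each user-specification line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), set()
        while (t := TAG.match(rest)) and t.group(1) in KNOWN_TAGS:
            tags.add(t.group(1))
            rest = rest[t.end():]
        yield m.group("who"), m.group("runas") or "", tags, rest.strip()


def audit_file(path: str, owner_check: bool = True) -> list[str]:
    """Return finding labels for one drop-in file (empty list if clean)."""
    findings: list[str] = []
    if not sudo_will_parse(os.path.basename(path)):
        return ["ignored-by-sudo"]  # e.g. a dpkg temp file: noise, but worth noting
    st = os.stat(path)
    if owner_check and st.st_uid != 0:
        findings.append("not-owned-by-root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for who, _runas, tags, cmds in parse_rules(text):
        if cmds == "ALL":
            findings.append(f"{who}:" + ("nopasswd-all" if "NOPASSWD" in tags else "all-commands"))
    if LOG_OFF.search(text):
        findings.append("logging-disabled")
    return findings


def audit_dir(dirpath: str, owner_check: bool = True) -> dict[str, list[str]]:
    """Audit every regular file in dirpath; files with no findings are omitted."""
    report: dict[str, list[str]] = {}
    for name in sorted(os.listdir(dirpath)):
        path = os.path.join(dirpath, name)
        if os.path.isfile(path):
            findings = audit_file(path, owner_check)
            if findings:
                report[name] = findings
    return report


# Constructed sample drop-ins (hypothetical names and contents, not from a real host).
SAMPLE_FILES = {
    "90-cloud-init-users": ("ubuntu ALL=(ALL) NOPASSWD:ALL\n", 0o440),
    "README": ("# See sudoers(5) for the file format.\n", 0o440),
    "zz-svc": ("svc-backup ALL=(ALL) NOPASSWD: ALL\nDefaults !syslog\n", 0o666),
    "ops.dpkg-new": ("ops ALL=(ALL) ALL\n", 0o440),
    "ops~": ("ops ALL=(ALL) ALL\n", 0o440),
}


def build_sample_dir() -> str:
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    d = tempfile.mkdtemp(prefix="sudoers.d-")
    for name, (body, mode) in SAMPLE_FILES.items():
        path = os.path.join(d, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    # On a live host call audit_dir("/etc/sudoers.d") as root instead;
    # owner_check is off here only because the sample files are not root-owned.
    for name, findings in audit_dir(build_sample_dir(), owner_check=False).items():
        print(f"{name}: {', '.join(findings)}")
```

Against the constructed directory the script reports the NOPASSWD:ALL grants in 90-cloud-init-users and zz-svc, the world-writable mode and disabled syslog on zz-svc, and marks ops.dpkg-new and ops~ as ignored by sudo; README produces nothing. On a real host, run it as root with owner_check left on, and treat the ignored-by-sudo label as the same low-severity signal the platform's dpkg rule gives: the file grants nothing until it is renamed.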