Threat Feed
low advisory

Passwordless Sudo Probing Detected on Linux Systems

This rule detects passwordless sudo probing on Linux systems, which can indicate an attacker enumerating the commands they may run with sudo in preparation for privilege escalation.

This detection rule identifies attempts to discover passwordless sudo configurations on Linux systems. Attackers often use passwordless sudo to execute commands with elevated privileges without needing a password, so probing for it is reconnaissance that typically precedes a privilege escalation attempt. The rule matches processes named sudo whose arguments include -n or --non-interactive together with the command true (for example, sudo -n true). With -n, sudo exits with an error instead of prompting whenever a password would be required, so a successful run tells the caller that the current user can run sudo without a password. The rule draws on multiple data sources: Elastic Endgame, Elastic Defend, Auditd Manager, Crowdstrike, and SentinelOne.

Attack Chain

  1. An attacker gains initial access to a Linux system (e.g., via compromised credentials or exploiting a vulnerability).
  2. The attacker begins reconnaissance to identify potential privilege escalation paths.
  3. The attacker executes the sudo command with the -n or --non-interactive flag and the command true (sudo -n true). Because -n makes sudo fail rather than prompt, the command succeeds only if the current user can execute commands with sudo without being asked for a password.
  4. The system logs the execution of the sudo command with the specified arguments.
  5. The detection rule identifies the sudo command execution based on process name and arguments.
  6. The attacker analyzes the output of the sudo command to determine which commands can be executed without a password.
  7. The attacker leverages the passwordless sudo configuration to execute privileged commands.
  8. The attacker achieves privilege escalation and performs malicious actions, such as installing malware or accessing sensitive data.
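The page does not reproduce the rule's query, so the following is an added example, not the vendor's rule: a Python matcher implementing the logic the description and step 5 above give (process named sudo, a -n or --non-interactive flag, and the command true), run over constructed process-creation events. The field names Image, CommandLine and User follow Sigma's process_creation log source convention and are an assumption; the events are constructed for this example, not real telemetry.

```python
"""Matcher for the passwordless-sudo probe, run over constructed Linux
process-creation events (field names follow Sigma's process_creation
log source: Image, CommandLine, User; the events are constructed)."""
import os
import shlex

LONG_FLAG = "--non-interactive"
# sudo short options that consume an argument (per sudo(8)): a cluster such
# as -unobody ends at the first of these, and "-u nobody" skips the next token
ARG_SHORT = set("CDgpRrTtUu")
# long options that consume the next token when written without '='
ARG_LONG = {"--user", "--group", "--prompt", "--chdir", "--chroot",
            "--close-from", "--other-user", "--command-timeout",
            "--role", "--type"}

SAMPLE_EVENTS = [  # constructed sample events
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo -n true", "User": "www-data"},
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo --non-interactive true", "User": "deploy"},
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo -nl", "User": "deploy"},
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo -n /bin/true", "User": "backup"},
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo apt update", "User": "admin"},
    {"Image": "/usr/bin/true", "CommandLine": "true -n", "User": "admin"},
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo -kn true", "User": "ci"},
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo -u root -n true", "User": "ci"},
]


def parse_sudo_argv(argv):
    """Return (non_interactive, command) for a sudo argv.

    Walks the options the way getopt would: combined short clusters (-kn),
    options that take an argument (-u root, --user=root) and the '--'
    terminator are handled so the first non-option token is recognised as
    the command sudo was asked to run."""
    non_interactive = False
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            return non_interactive, (argv[i + 1] if i + 1 < len(argv) else None)
        if tok == LONG_FLAG:
            non_interactive = True
        elif tok.startswith("--"):
            if tok in ARG_LONG:
                i += 1  # argument given as a separate token
        elif tok.startswith("-") and len(tok) > 1:
            letters = tok[1:]
            for pos, ch in enumerate(letters):
                if ch == "n":
                    non_interactive = True
                elif ch in ARG_SHORT:
                    if pos == len(letters) - 1:
                        i += 1  # argument is the next token
                    break  # otherwise the rest of the cluster is the argument
        else:
            return non_interactive, tok
        i += 1
    return non_interactive, None


def matches_rule(event):
    """True when the event is sudo run with -n/--non-interactive and the
    command true, i.e. the probe the rule is designed to catch."""
    if os.path.basename(event.get("Image", "")) != "sudo":
        return False
    try:
        argv = shlex.split(event.get("CommandLine", ""))
    except ValueError:
        return False
    if not argv:
        return False
    non_interactive, command = parse_sudo_argv(argv)
    return (non_interactive and command is not None
            and os.path.basename(command) == "true")


def detect(events):
    """Return one alert per matching event, keyed by user and command line."""
    return [{"user": e.get("User", "?"), "command_line": e["CommandLine"]}
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[passwordless sudo probe] user={alert['user']} "
              f"cmd={alert['command_line']!r}")
```

Parsing the argument vector rather than substring-matching "-n" and "true" is what keeps sudo -nl (listing allowed rules) and an unrelated true process out of the alert while still catching sudo -kn true and sudo -u root -n true; a substring match would fire on both kinds of noise.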

Impact

Successful passwordless sudo probing can lead to privilege escalation, allowing attackers to perform administrative tasks, install malicious software, access sensitive data, or move laterally within the network. This rule helps identify the early-stage reconnaissance, so that a passwordless sudo configuration can be dealt with before an attacker exploits it.

Recommendation

  • Deploy the Sigma rule “Passwordless Sudo Probing” to your SIEM and tune for your environment.
  • Investigate any alerts generated by the “Passwordless Sudo Probing” rule to determine the context and intent of the activity.
  • Review and harden sudo configurations to minimize the possibility of passwordless sudo access for unauthorized users and commands.
  • Enable Elastic Defend integration with the “Complete EDR (Endpoint Detection and Response)” configuration to enhance endpoint visibility.
  • Monitor the data sources mentioned in the rule (Elastic Endgame, Elastic Defend, Auditd Manager, Crowdstrike, and SentinelOne) for related suspicious activities.
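To support the "review and harden sudo configurations" recommendation, the following added example (not part of this advisory or of any vendor tooling) audits sudoers text for NOPASSWD entries, ranking an unrestricted NOPASSWD: ALL above narrowly scoped commands. The sudoers content is a constructed sample; on a real host the same function would be fed the contents of /etc/sudoers and the files under /etc/sudoers.d, which this pass only notes via their include directive rather than reading.

```python
"""Audit sudoers text for commands runnable with NOPASSWD.
The sample below is constructed for this example, not a real host's file."""
import re

SAMPLE_SUDOERS = """\
# constructed sample, not a real host's file
Defaults        env_reset
Cmnd_Alias      SERVICES = /usr/bin/systemctl
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, \\
                   /usr/bin/journalctl -u app
backup  ALL=(ALL) NOPASSWD: ALL
www-data ALL=(root) NOPASSWD: /usr/bin/apt update, PASSWD: /usr/bin/apt upgrade
@includedir /etc/sudoers.d
"""

# a tag such as NOPASSWD: or PASSWD: prefixes a command in the command list
TAG_RE = re.compile(r"^([A-Z_]+):\s*(.*)$")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def _logical_lines(text):
    """Join backslash-continued lines; drop blanks and plain comments
    (but keep #include/#includedir, which sudoers treats as directives)."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf = (buf + line).strip()
        if buf and (not buf.startswith("#") or buf.startswith("#include")):
            out.append(buf)
        buf = ""
    return out


def audit_sudoers(text):
    """Return findings: one per command runnable with NOPASSWD, plus a note
    for every include directive whose files this pass does not read."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith(("@include", "#include")):
            findings.append({"kind": "include", "directive": line})
            continue
        if line.startswith(SKIP_PREFIXES):
            continue
        fields = line.split(None, 1)  # "user  host=(runas) [TAG:] cmd, ..."
        if len(fields) != 2 or "=" not in fields[1]:
            continue
        user, rest = fields
        host, spec = (s.strip() for s in rest.split("=", 1))
        runas = ""
        if spec.startswith("(") and ")" in spec:
            runas, spec = spec[1:].split(")", 1)
        passwordless = False  # tags persist across the comma-separated list
        for part in spec.split(","):
            part = part.strip()
            while True:
                m = TAG_RE.match(part)
                if not m:
                    break
                tag, part = m.group(1), m.group(2)
                if tag == "NOPASSWD":
                    passwordless = True
                elif tag == "PASSWD":
                    passwordless = False
            if passwordless and part:
                findings.append({
                    "kind": "nopasswd", "user": user, "host": host,
                    "runas": runas, "command": part,
                    # NOPASSWD: ALL is unrestricted root without a password
                    "risk": "critical" if part == "ALL" else "review",
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        if f["kind"] == "include":
            print(f"note: {f['directive']} (included files not inspected here)")
        else:
            print(f"{f['risk']:8} {f['user']} may run as ({f['runas']}) "
                  f"without a password: {f['command']}")
```

The tag handling matters: in sudoers a NOPASSWD: tag applies to every following command in the list until a PASSWD: tag resets it, so the www-data line above yields one passwordless command, not two, and the deploy line yields two even though the tag appears once.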

Detection coverage (2)

Passwordless Sudo Probing
  Severity: low
  Detects passwordless sudo probing activity on Linux systems
  Format: sigma | Tactics: discovery | Techniques: T1033, T1082 | Sources: process_creation, linux

Passwordless Sudo Probing (Auditd)
  Severity: low
  Detects passwordless sudo probing activity on Linux systems via Auditd logs
  Format: sigma | Tactics: discovery | Techniques: T1033, T1082 | Sources: process_creation, linux
