|T1548.001||Setuid and Setgid|
|T1548.002||Bypass User Account Control|
|T1548.003||Sudo and Sudo Caching|
|T1548.004||Elevated Execution with Prompt|
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher
Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can
perform these commands on the system. The
sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to
run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments." Since sudo was made for the system administrator, it has some useful configuration features such as a
timestamp_timeout, which is the
amount of time in minutes between instances of
sudo before it will re-prompt for a password. This is because
sudo has the ability to cache credentials
for a period of time. Sudo creates (or touches) a file at
/var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a
tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty
(you will have to type the password again).
The sudoers file,
/etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users
or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or
permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like
ALL=(ALL) NOPASSWD: ALL.
Elevated privileges are required to edit this file though.
Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example,
can be monitored to see if it falls within the
timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's
password. Additional, if
tty_tickets is disabled, adversaries can do this from any tty for that user.
In the wild, malware has disabled
tty_tickets to potentially make scripting easier by issuing
echo \'Defaults !tty_tickets\' >>
/etc/sudoers. In order for
this change to be reflected, the malware also issued
killall Terminal. As of macOS Sierra, the sudoers file has
tty_tickets enabled by default.
Cobalt Strike can use
Proton modifies the tty_tickets line in the sudoers file.
|M1028||Operating System Configuration||
Ensuring that the
|M1026||Privileged Account Management||
By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting the
|M1022||Restrict File and Directory Permissions||
The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments that may perform sudo caching and/or use the suoders file to elevate privileges, such as the
On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in
macOS and Linux systems, but sudo has the ability to log all input and output based on the
Monitor newly executed processes that may perform sudo caching and/or use the suoders file to elevate privileges.
Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may perform sudo caching and/or use the suoders file to elevate privileges.