Sudoers File Modification

A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.

Rule type: query

Rule indices:

  • auditbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

  • Elastic
  • Linux

Version: 1

Added (Elastic Stack release): 7.8.0

Rule query

event.module:file_integrity and event.action:updated and
file.path:/etc/sudoers
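To show what the query above actually selects, here is an added example (not code from the Elastic rule page) that evaluates the same three conditions over constructed auditbeat-style events; the event shape and the `include_sudoers_d` option (which widens the check beyond the page's query to drop-in files under /etc/sudoers.d/) are assumptions.

```python
"""Added example: evaluate the Sudoers File Modification query over
constructed auditbeat file_integrity events (not the page's own code)."""
import json

# Constructed sample events using the ECS field names the rule references
# (event.module, event.action, file.path); the other fields are assumed.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00Z", "event": {"module": "file_integrity", "action": "updated"},
     "file": {"path": "/etc/sudoers"}, "host": {"name": "web-01"}},
    {"@timestamp": "2024-01-01T10:00:01Z", "event": {"module": "file_integrity", "action": "attributes_modified"},
     "file": {"path": "/etc/sudoers"}, "host": {"name": "web-01"}},
    {"@timestamp": "2024-01-01T10:00:02Z", "event": {"module": "file_integrity", "action": "updated"},
     "file": {"path": "/etc/passwd"}, "host": {"name": "web-01"}},
    {"@timestamp": "2024-01-01T10:00:03Z", "event": {"module": "system", "action": "updated"},
     "file": {"path": "/etc/sudoers"}, "host": {"name": "web-02"}},
    {"@timestamp": "2024-01-01T10:00:04Z", "event": {"module": "file_integrity", "action": "updated"},
     "file": {"path": "/etc/sudoers.d/90-cloud-init-users"}, "host": {"name": "web-02"}},
]

def get_field(event, dotted):
    """Resolve an ECS dotted field name such as 'file.path' against a nested event dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(event, include_sudoers_d=False):
    """The rule's predicate: event.module:file_integrity and event.action:updated
    and file.path:/etc/sudoers. The page's query matches only that exact path;
    include_sudoers_d=True (an assumed extension) also accepts /etc/sudoers.d/ drop-ins."""
    if get_field(event, "event.module") != "file_integrity":
        return False
    if get_field(event, "event.action") != "updated":
        return False
    path = get_field(event, "file.path")
    if path == "/etc/sudoers":
        return True
    return include_sudoers_d and isinstance(path, str) and path.startswith("/etc/sudoers.d/")

def run_rule(events, max_signals=100, **kw):
    """Return the matching events, capped like 'Maximum signals per execution'."""
    return [e for e in events if matches_rule(e, **kw)][:max_signals]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Only the first sample event satisfies all three conditions; the `attributes_modified` event (a permission or ownership change) and the sudoers.d drop-in are not matched by the query as written.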

Threat mapping

Framework: MITRE ATT&CK™