Techniques
Sample rules
Persistence Via Sudoers.d Files
- source: sigma
- techniques:
  - t1548
  - t1548.003
Description
Detects the creation or modification of files within the “sudoers.d” directory on Linux systems. Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions. Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.
Detection logic
  selection:
    TargetFilename|startswith: /etc/sudoers.d/
  filter_main_dpkg:
    Image|endswith: /usr/bin/dpkg
    TargetFilename: /etc/sudoers.d/README.dpkg-new
  condition: selection and not 1 of filter_main_*