uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.

t1548
ml
elastic

Techniques

T1548

Sample rules

Unusual Sudo Activity

source: elastic
technicques:
- T1548

Description

Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.

LoFP / uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.

Techniques

Sample rules

Unusual Sudo Activity

Description

Detection logic