Hunt for users that have been added to the sudoers group
Linux Users Added To Sudoers Group
Query
let Commands = dynamic([@"usermod -aG sudo", @"usermod -a -G sudo"]);
DeviceProcessEvents
| extend RegexGroupAddition = extract("adduser(.*) sudo", 0, ProcessCommandLine)
| where ProcessCommandLine has_any (Commands) or isnotempty(RegexGroupAddition)About this query
Hunt for users that have been added to the sudoers group
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | https://attack.mitre.org/techniques/T1548/003 |
Description
This query allows you to hunt for users that have been added to the sudo group. The current list doest not contain all additions, but it covers most common additions. More can be added in the commandslist. Users that have been added to the sudoers group have root privilges.
Risk
A advasary adds itself to the sudoers group and can perform actions with root privileges.
Defender XDR
Sentinel
let Commands = dynamic([@"usermod -aG sudo", @"usermod -a -G sudo"]);
DeviceProcessEvents
| extend RegexGroupAddition = extract("adduser(.*) sudo", 0, ProcessCommandLine)
| where ProcessCommandLine has_any (Commands) or isnotempty(RegexGroupAddition)
Explanation
This query is designed to identify users who have been added to the "sudoers" group on a system. Being part of this group grants users root privileges, which means they can perform actions with the highest level of access on the system. This is significant because if an unauthorized user (an adversary) adds themselves to this group, they can potentially execute harmful actions with elevated permissions.
The query works by looking for specific command patterns in the system's process logs that indicate a user has been added to the sudoers group. It checks for commands like usermod -aG sudo and usermod -a -G sudo, which are commonly used to add users to the sudoers group. Additionally, it uses a regular expression to capture any variations of the adduser command that might also be used for this purpose.
In summary, this query helps security analysts detect potentially unauthorized changes to user privileges, which could be a sign of malicious activity.
