Query Details

Hunt for users that have been added to the sudoers group

Linux Users Added To Sudoers Group

Query

let Commands = dynamic([@"usermod -aG sudo", @"usermod -a -G sudo"]);
DeviceProcessEvents
| extend RegexGroupAddition = extract("adduser(.*) sudo", 0, ProcessCommandLine)
| where ProcessCommandLine has_any (Commands) or isnotempty(RegexGroupAddition)

About this query

Hunt for users that have been added to the sudoers group

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1548.003Abuse Elevation Control Mechanism: Sudo and Sudo Cachinghttps://attack.mitre.org/techniques/T1548/003

Description

This query allows you to hunt for users that have been added to the sudo group. The current list doest not contain all additions, but it covers most common additions. More can be added in the commandslist. Users that have been added to the sudoers group have root privilges.

Risk

A advasary adds itself to the sudoers group and can perform actions with root privileges.

Defender XDR

Sentinel

let Commands = dynamic([@"usermod -aG sudo", @"usermod -a -G sudo"]);
DeviceProcessEvents
| extend RegexGroupAddition = extract("adduser(.*) sudo", 0, ProcessCommandLine)
| where ProcessCommandLine has_any (Commands) or isnotempty(RegexGroupAddition)

Explanation

This query is designed to identify users who have been added to the "sudoers" group on a system. Being part of this group grants users root privileges, which means they can perform actions with the highest level of access on the system. This is significant because if an unauthorized user (an adversary) adds themselves to this group, they can potentially execute harmful actions with elevated permissions.

The query works by looking for specific command patterns in the system's process logs that indicate a user has been added to the sudoers group. It checks for commands like usermod -aG sudo and usermod -a -G sudo, which are commonly used to add users to the sudoers group. Additionally, it uses a regular expression to capture any variations of the adduser command that might also be used for this purpose.

In summary, this query helps security analysts detect potentially unauthorized changes to user privileges, which could be a sign of malicious activity.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEvents

Keywords

UsersDevicesProcessCommandLine

Operators

letdynamicextendextractwherehas_anyisnotempty

MITRE Techniques

Actions

GitHub