Unusual Sudo Activity

Last updated 7 months ago on 2025-01-15

Created 5 years ago on 2020-09-03

About

Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionRule Type: MLRule Type: Machine LearningTactic: Privilege Escalation

Severity

low

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Abuse Elevation Control Mechanism (T1548)(opens in a new tab or window)

Privilege Escalation (TA0004)(opens in a new tab or window)

↳ Abuse Elevation Control Mechanism (T1548)(opens in a new tab or window)

False Positive Examples

Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Machine Learning

Integration Pack

Prebuilt Security Detection Rules

Related Integrations

auditd_manager(opens in a new tab or window)

endpoint(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Unusual Sudo Activity in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).