This note documents detection patterns related to Sudo Abuse on Linux systems.

Direct Indicators

Source	Grep Pattern / Artifact	Meaning	Forensic Value	Notes
`/var/log/auth.log` / `/var/log/secure`	`sudo:`	Privileged command execution initiated	Critical	Primary sudo activity marker.
`/var/log/auth.log` / `/var/log/secure`	`COMMAND=`	Exact privileged command executed	Critical	Highest-value direct execution evidence.
`/var/log/auth.log` / `/var/log/secure`	`TTY=`	Interactive terminal context	High	Distinguishes interactive operator activity.
`/var/log/auth.log` / `/var/log/secure`	`PWD=`	Working directory of sudo execution	High	Useful for contextualizing attacker actions.
`/var/log/auth.log` / `/var/log/secure`	`USER=root`	Command executed as root	Critical	Immediate privilege elevation evidence.
`/var/log/auth.log` / `/var/log/secure`	`pam_unix(sudo:session)`	Sudo session opened	High	Session lifecycle around elevation.
`/var/log/auth.log` / `/var/log/secure`	`authentication failure`	Failed sudo password attempt	High	May indicate privilege probing.
`journalctl`	sudo command records	Journald sudo evidence	Critical	Required when flat logs absent.
Shell history	`sudo <command>`	Interactive privilege use	Critical	Strong operator evidence if preserved.
`auditd`	execve after sudo	Process lineage under elevation	Critical	Best attribution if enabled.
`/etc/sudoers`	NOPASSWD entries	Passwordless privilege path	Critical	Often abused or planted.
`/etc/sudoers.d/`	Custom privilege rule	Localized privilege grants	Critical	Often overlooked persistence vector.
`sudo -l` output (live triage)	Allowed commands	Privilege surface	Critical	Determines abuse opportunities.
EDR telemetry	elevated process lineage	Privilege chain visibility	High	Useful when host logs incomplete.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Successful SSH followed immediately by sudo	Foothold escalated rapidly	Critical	Common attacker progression.
Failed sudo attempts before success	Privilege probing	High	Suggests uncertainty or privilege hunting.
Rare privileged binaries executed	`tar`, `vim`, `find`, `less`, `awk`, `python`	Critical	GTFOBins-style abuse likely.
Sudo from unusual account	Service or low-value account elevates	Critical	Strong anomaly.
New account immediately using sudo	Persistence validated	Critical	Strong malicious sequence.
Sudo to edit persistence locations	`/etc/cron*`, systemd, ssh configs	Critical	Privilege used for stabilization.
Sudo to read sensitive files	`/etc/shadow`, SSH keys, configs	Critical	Credential access behavior.
Sudo in off-hours	Context anomaly	Medium	Strengthens suspicion.
Repeated sudo across many short commands	Manual operator behavior	High	Often hands-on intrusion.
Passwordless sudo on broad binaries	Hidden escalation path	Critical	Dangerous baseline weakness.

Common Tools

Tool	Usage
Native `sudo`	Standard privilege escalation path.
GTFOBins techniques	Abuse allowed binaries under sudo.
`sudoedit`	File modification under sudo context.
`sudo su`	Full root shell escalation.
`sudo bash` / `sudo sh`	Direct root shell spawn.
`sudo python`	Root shell via interpreter abuse.
`sudo find` / `tar` / `vim`	Classic allowed-binary escalation.

Relevant Artifacts

Artifact	Path / Command	Forensic Value	Notes
Sudo logs	`/var/log/auth.log`, `/var/log/secure`	Critical	Primary sudo source.
Journald sudo logs	`journalctl _COMM=sudo`	Critical	Strong source on systemd hosts.
Shell history	`.bash_history`, `.zsh_history`	Critical	Command context before/after sudo.
Sudoers config	`/etc/sudoers`	Critical	Baseline privilege truth.
Sudoers includes	`/etc/sudoers.d/`	Critical	Hidden delegated privilege.
Audit logs	`/var/log/audit/audit.log`	Critical	Process-level sudo attribution.
Sensitive file access timeline	`stat` on touched files	High	Privileged file modification timeline.
GTFOBins target files	configs, cron, service files	High	Abuse often pivots here.

MITRE ATT&CK References

T1548 Abuse Elevation Control Mechanism
T1548.003 Sudo and Sudo Caching
T1078 Valid Accounts
T1068 Exploitation for Privilege Escalation

Decision Tree

Is sudo activity present?
- Identify sudo: and COMMAND= lines.
Which user executed sudo?
- Determine expected privilege context.
Which command ran?
- Separate admin maintenance from suspicious binaries.
Did sudo follow external access?
- Correlate with SSH success or local session.
Was privilege used for persistence or credential access?
- Inspect touched files and immediate commands.
Pivot
- Command → affected files.
- User → shell history.
- Session window → outbound connections / persistence.
Confirm abuse
- Unexpected sudo + high-risk binary + persistence touch = likely malicious escalation.

Example Detection Templates

Grep

grep "sudo:" /var/log/auth.log /var/log/secure 2>/dev/null

grep "COMMAND=" /var/log/auth.log /var/log/secure 2>/dev/null

grep -E "sudo:|COMMAND=|pam_unix\(sudo:session" /var/log/auth.log /var/log/secure 2>/dev/null

grep -R "sudo " /home/*/.bash_history /root/.bash_history 2>/dev/null

Journalctl

journalctl _COMM=sudo

journalctl | grep "COMMAND="

Sudo Configuration

cat /etc/sudoers

ls -l /etc/sudoers.d/

grep -R "NOPASSWD" /etc/sudoers /etc/sudoers.d 2>/dev/null

Sigma

title: Linux Suspicious Sudo Activity
id: linux-suspicious-sudo-activity
status: experimental
description: Detects sudo usage and privileged command execution that may indicate privilege escalation
logsource:
  product: linux
  service: auth
detection:
  selection:
    message|contains:
      - 'sudo:'
      - 'COMMAND='
  condition: selection
fields:
  - message
  - hostname
  - user
falsepositives:
  - Legitimate administration
level: high
tags:
  - attack.privilege_escalation
  - attack.t1548.003

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Least privilege	Restrict sudo to minimal commands	Critical	Shrinks escalation surface.
NOPASSWD review	Remove unnecessary passwordless entries	Critical	Major abuse reduction.
Command allowlists	Avoid dangerous GTFOBins under sudo	Critical	Prevents binary abuse.
Logging	Preserve sudo command detail	High	Essential forensic truth.
Auditd	Monitor privileged execve	High	Best command attribution.
Change control	Track sudoers modifications	High	Detect hidden grants.
Session review	Alert on unusual sudo binaries	High	Excellent high-signal detection.

Fast Triage Checks

Question	Command / Artifact	Why It Matters
Which commands were run under sudo?	grep `COMMAND=`	Immediate privilege visibility.
Which user elevated?	grep sudo lines	Actor attribution.
Was root shell spawned?	search `sudo su`, `sudo bash`	High-risk escalation pattern.
Any passwordless sudo?	grep NOPASSWD	Hidden escalation path.
Did sudo touch persistence files?	inspect recent file changes	Stabilization clue.
Was sudo followed by outbound activity?	correlate network logs	Operator continuation.

High Value Grep Strings

Pattern	Why It Matters
`sudo:`	Primary privilege use marker.
`COMMAND=`	Exact elevated command.
`TTY=`	Interactive session clue.
`PWD=`	Working directory context.
`USER=root`	Root target confirmation.
`pam_unix(sudo:session)`	Session lifecycle evidence.
`NOPASSWD`	High-risk escalation surface.

Analyst Notes

Scenario	Interpretation
SSH success then sudo within minutes	Strong attacker escalation chain.
Sudo on GTFOBins binary	Likely privilege abuse, not routine admin.
Many small sudo commands	Manual operator behavior.
Service account using sudo	Highly suspicious unless explicitly designed.
NOPASSWD entry plus suspicious user	Hidden privilege persistence likely.
Sudo with no shell history	Cleanup, non-interactive execution, or history tampering possible.