T1548.003 Sudo and Sudo Caching

Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.

Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The <code>sudo</code> command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a <code>timestamp_timeout</code>, which is the amount of time in minutes between instances of <code>sudo</code> before it will re-prompt for a password. This is because <code>sudo</code> has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at <code>/var/db/sudo</code> with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a <code>tty_tickets</code> variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).

The sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like <code>user1 ALL=(ALL) NOPASSWD: ALL</code>.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though.

Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, <code>/var/db/sudo</code>'s timestamp can be monitored to see if it falls within the <code>timestamp_timeout</code> range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if <code>tty_tickets</code> is disabled, adversaries can do this from any tty for that user.

In the wild, malware has disabled <code>tty_tickets</code> to potentially make scripting easier by issuing <code>echo \'Defaults !tty_tickets\' >> /etc/sudoers</code>.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued <code>killall Terminal</code>. As of macOS Sierra, the sudoers file has <code>tty_tickets</code> enabled by default.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.05 Remote access protection Mitigates T1548.003 Sudo and Sudo Caching
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
    PR.IR-01.06 Production environment segregation Mitigates T1548.003 Sudo and Sudo Caching
    Comments
    This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
    References
      PR.PS-01.01 Configuration baselines Mitigates T1548.003 Sudo and Sudo Caching
      Comments
      This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
      References
        PR.PS-01.02 Least functionality Mitigates T1548.003 Sudo and Sudo Caching
        Comments
        This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
        References
          PR.AA-05.02 Privileged system access Mitigates T1548.003 Sudo and Sudo Caching
          Comments
          This diagnostic statement protects against Sudo and Sudo Caching through the use of privileged account management and the use of multi-factor authentication.
          References
            DE.CM-06.02 Third-party access monitoring Mitigates T1548.003 Sudo and Sudo Caching
            Comments
            This diagnostic statement protects against Sudo and Sudo Caching through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
            References
              PR.PS-01.03 Configuration deviation Mitigates T1548.003 Sudo and Sudo Caching
              Comments
              This diagnostic statement provides protection from Abuse Elevation Control Mechanism: Sudo and Sudo Caching through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuraiton of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
              References
                DE.CM-03.03 Privileged account monitoring Mitigates T1548.003 Sudo and Sudo Caching
                Comments
                This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
                References

                  VERIS Mappings

                  Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                  action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1548.003 Sudo and Sudo Caching
                  action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1548.003 Sudo and Sudo Caching
                  action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, AitB) related-to T1548.003 Sudo and Sudo Caching

                  Azure Mappings

                  Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                  file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring technique_scores T1548.003 Sudo and Sudo Caching
                  Comments
                  This control may detect changes to the sudoers file which may indicate privilege escalation. This control at worst scans for changes on an hourly basis.
                  References

                  AWS Mappings

                  Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                  amazon_inspector Amazon Inspector technique_scores T1548.003 Sudo and Sudo Caching
                  Comments
                  The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal.
                  References