Sudo and Sudo Caching

Information

• Name: Sudo and Sudo Caching

• ID: T1548.003

• Tactics: TA0004, TA0005

• Technique: T1548

Introduction

Sudo and Sudo Caching (MITRE ATT&CK sub-technique T1548.003) involves adversaries leveraging the Unix/Linux "sudo" command and its associated authentication caching mechanism to escalate privileges or maintain elevated access. Sudo is a common Linux/Unix utility allowing authorized users to execute commands as the root user or another privileged user. After successful authentication, sudo typically caches credentials for a short period, allowing subsequent commands to execute without requiring additional password prompts. Attackers exploit this caching behavior to run additional privileged commands without re-authentication, facilitating privilege escalation and lateral movement within compromised systems.

Deep Dive Into Technique

The "sudo" utility allows permitted users to execute commands as the root or another user, as defined in the /etc/sudoers configuration file. When a user successfully authenticates using sudo, the utility caches the user's authentication credentials (by default, typically for 5 minutes), allowing subsequent commands to execute without requiring the user to enter their password again.

Attackers exploit this caching mechanism and misconfigurations in sudo policies to:

• Execute commands as root without explicit password prompts.

• Maintain persistence by leveraging cached sudo credentials to repeatedly escalate privileges.

• Abuse overly permissive sudoers configurations (e.g., commands allowed without password prompts via NOPASSWD directive).

Technical mechanisms and methods include:

• Credential caching exploitation: Attackers wait until a legitimate user runs sudo, then quickly execute malicious commands during the cached credential timeframe.

• Misconfigured sudoers file abuse: Attackers exploit rules in /etc/sudoers that permit certain commands without passwords or overly broad command allowances.

• Sudo session hijacking: Adversaries may hijack existing sessions or manipulate environment variables (LD_PRELOAD, PATH) to execute malicious binaries or scripts with elevated privileges.

Real-world procedures attackers may utilize include:

• Monitoring user activity to detect when sudo credentials are cached.

• Timing attacks to execute commands immediately after legitimate sudo usage.

• Modifying or injecting malicious commands into scripts or binaries executed via sudo.

• Leveraging compromised user accounts with sudo privileges to escalate to root-level access.

When this Technique is Usually Used

Attackers commonly use this sub-technique during various stages of an attack lifecycle, including:

• Privilege Escalation: Attackers with limited user-level access exploit cached sudo credentials or misconfigurations to gain root-level privileges.

• Lateral Movement: Once attackers compromise user accounts with sudo privileges, they leverage cached credentials to move laterally across systems.

• Persistence: Attackers repeatedly exploit cached sudo credentials to re-establish elevated access after reboots or intermittent access.

• Defense Evasion: Adversaries utilize cached credentials to minimize suspicious password prompts, thereby reducing detection likelihood.

Typical scenarios include:

• Post-compromise scenarios where attackers initially gain low-level user access (e.g., via phishing, SSH brute force, or exploit) and subsequently escalate privileges via sudo.

• Insider threats exploiting overly permissive sudo configurations to perform unauthorized privileged actions discreetly.

• Attackers conducting reconnaissance to identify sudoers configurations that allow passwordless commands or extended credential cache durations.

How this Technique is Usually Detected

Detection methods and indicators of compromise (IoCs) include:

• Log Analysis and Auditing:

  • Monitoring /var/log/auth.log or /var/log/secure logs for unusual sudo command executions.

  • Reviewing audit logs (auditd) for unexpected or unauthorized sudo activity.

  • Identifying rapid sequences of sudo commands executed within short intervals, indicative of credential cache exploitation.

• Configuration Auditing:

  • Regularly inspecting /etc/sudoers and /etc/sudoers.d/* files for overly permissive rules (NOPASSWD, wildcard permissions).

  • Detecting unauthorized or suspicious modifications to sudoers configuration files.

• User Behavior Analytics (UBA):

  • Baseline normal user behavior for sudo usage and detect deviations or abnormal patterns.

  • Alerting on unusual users executing privileged commands or commands outside their typical role.

• Endpoint Detection and Response (EDR) Tools:

  • EDR solutions that monitor command execution and privilege escalation attempts, alerting on abnormal sudo activity.

  • Real-time monitoring of environment variable manipulations (LD_PRELOAD, PATH) during sudo command execution.

Specific IoCs to monitor:

• Sudden increase in sudo usage frequency or commands executed by uncommon users.

• Execution of privileged commands shortly after legitimate sudo authentication events.

• Unauthorized modifications to sudoers files or additions of suspicious entries.

• Environment variable tampering during sudo execution.

Why it is Important to Detect This Technique

Early detection of Sudo and Sudo Caching exploitation is critical due to the significant impacts it can have on system security, integrity, and confidentiality:

• Privilege Escalation Risks: Attackers using this technique can escalate privileges from normal user accounts to root-level access, gaining complete control over affected systems.

• Persistence and Long-term Access: Exploiting sudo caching allows attackers to maintain persistent elevated access, facilitating long-term compromise and prolonged malicious activities.

• Data Exfiltration and Theft: Elevated privileges enable attackers to access sensitive data, credentials, and intellectual property, increasing the risk of data breaches.

• System Integrity Compromise: Attackers with root-level privileges can modify system configurations, install rootkits or backdoors, and undermine system integrity.

• Lateral Movement and Network-wide Impacts: Privilege escalation via sudo caching can facilitate lateral movement, enabling attackers to compromise additional systems and expand the scope of the attack.

• Compliance and Regulatory Risks: Undetected privilege escalation may result in regulatory non-compliance, potential legal consequences, and reputational damage.

Prompt detection and response limit attacker dwell time, minimize potential damage, and maintain overall security posture and compliance.

Examples

Real-world examples and scenarios involving exploitation of Sudo and Sudo Caching include:

• CVE-2019-14287 (Sudo Security Bypass):

  • Vulnerability allowing attackers to bypass sudo restrictions and execute commands as root using user ID -1 or 4294967295.

  • Attackers exploited this vulnerability to escalate privileges from restricted sudo users to full root access.

  • Impact included complete system compromise, unauthorized access to sensitive data, and potential lateral movement.

• Misconfigured Sudoers File Exploitation:

  • Attackers leveraging overly permissive NOPASSWD entries in /etc/sudoers to execute arbitrary commands without password prompts.

  • Real-world scenarios include insider threats and external attackers compromising user accounts and escalating privileges to root without detection.

  • Impacts ranged from unauthorized data access to persistent backdoor installation.

• APT Groups Leveraging Sudo Caching:

  • Advanced Persistent Threat (APT) groups observed timing their attacks to execute commands immediately after legitimate sudo authentication events.

  • Attackers maintained stealth by minimizing suspicious password prompts, thereby evading detection.

  • Resulted in prolonged network compromise, extensive data exfiltration, and lateral movement across multiple systems.

• Linux Malware Utilizing Sudo Exploitation:

  • Malware variants (e.g., HiddenWasp, Skidmap) observed exploiting sudo misconfigurations or cached credentials to escalate privileges and maintain persistence.

  • Attackers used elevated privileges to install rootkits, evade detection, and maintain long-term system compromise.

  • Impacts included data theft, cryptocurrency mining, and persistent unauthorized access.

These examples illustrate the real-world applicability, potential severity, and widespread use of Sudo and Sudo Caching exploitation by attackers, underscoring the importance of proactive detection and mitigation strategies.