Esc
There are no digital artifacts defined on this offensive technique (yet). Please consider contributing an addition to D3FEND.
Sudo Caching - T1206
(ATT&CK® Technique)
Definition
The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments." Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout that is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).
D3FEND Inferred Relationships
There are no digital artifacts defined on this offensive technique (yet). Please consider contributing an addition to D3FEND.