Esc
Sudo and Sudo Caching - T1548.003

(ATT&CK® Technique)
Definition

Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1548003["Sudo and Sudo Caching"] --> |may-modify| EventLog["Event Log"]; class T1548003 OffensiveTechniqueNode;
        class EventLog ArtifactNode; click EventLog href "/dao/artifact/d3f:EventLog";
        click T1548003 href "/offensive-technique/attack/T1548.003/"; click EventLog href "/dao/artifact/d3f:EventLog"; T1548003["Sudo and Sudo Caching"] --> |modifies| OperatingSystemConfigurationFile["Operating System Configuration File"]; class T1548003 OffensiveTechniqueNode;
        class OperatingSystemConfigurationFile ArtifactNode; click OperatingSystemConfigurationFile href "/dao/artifact/d3f:OperatingSystemConfigurationFile";
        click T1548003 href "/offensive-technique/attack/T1548.003/"; click OperatingSystemConfigurationFile href "/dao/artifact/d3f:OperatingSystemConfigurationFile";                          DecoyFile["Decoy File"] -->
          | spoofs | OperatingSystemConfigurationFile["Operating System Configuration File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1548003["Sudo and Sudo Caching"] ;
          class DecoyFile DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1548003["Sudo and Sudo Caching"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";                           FileEncryption["File Encryption"] -->
          | encrypts | OperatingSystemConfigurationFile["Operating System Configuration File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1548003["Sudo and Sudo Caching"] ;
          class FileEncryption DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
          | restricts | OperatingSystemConfigurationFile["Operating System Configuration File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1548003["Sudo and Sudo Caching"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";                           FileEviction["File Eviction"] -->
          | deletes | OperatingSystemConfigurationFile["Operating System Configuration File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1548003["Sudo and Sudo Caching"] ;
          class FileEviction DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";              FileAnalysis["File Analysis"] -->
          | analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1548003["Sudo and Sudo Caching"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis"; SystemFileAnalysis["System File Analysis"] -->
          | analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];

          SystemFileAnalysis["System File Analysis"] -.->
            | may-detect | T1548003["Sudo and Sudo Caching"] ;
          class SystemFileAnalysis DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click SystemFileAnalysis href "/technique/d3f:SystemFileAnalysis";       RestoreFile["Restore File"] -->
          | restores | OperatingSystemConfigurationFile["Operating System Configuration File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1548003["Sudo and Sudo Caching"] ;
          class RestoreFile DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile";                                RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | OperatingSystemConfigurationFile["Operating System Configuration File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1548003["Sudo and Sudo Caching"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";
json