
List User Account Added To Sudoers Group

Description

This KQL query lets you hunt for users that have been added to the sudo group. The current command list does not cover every way of doing this, but it covers the most common ones; further variants can be added to the Commands list. Users that have been added to the sudoers group have root privileges.

Risk

An adversary adds themselves to the sudoers group and can then perform actions with root privileges.

Query

Microsoft Defender For Endpoint
Kusto
// Command-line fragments that add an account to the sudo group; extend this list as needed
let Commands = dynamic([@"usermod -aG sudo", @"usermod -a -G sudo"]);
DeviceProcessEvents
// Group 0 returns the whole match, e.g. "adduser bob sudo"; empty when the regex does not match
| extend RegexGroupAddition = extract("adduser(.*) sudo", 0, ProcessCommandLine)
| where ProcessCommandLine has_any (Commands) or isnotempty(RegexGroupAddition)

Microsoft Sentinel
Kusto
// Command-line fragments that add an account to the sudo group; extend this list as needed
let Commands = dynamic([@"usermod -aG sudo", @"usermod -a -G sudo"]);
DeviceProcessEvents
// Group 0 returns the whole match, e.g. "adduser bob sudo"; empty when the regex does not match
| extend RegexGroupAddition = extract("adduser(.*) sudo", 0, ProcessCommandLine)
| where ProcessCommandLine has_any (Commands) or isnotempty(RegexGroupAddition)
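The description notes that the Commands list is incomplete. The following added query (written for this page, not part of the original post) broadens coverage to gpasswd, plain usermod -G, and the "wheel" group used on RHEL-family systems, and extracts the account that was granted access. It assumes the standard Defender for Endpoint advanced-hunting schema (DeviceProcessEvents, ProcessCommandLine, InitiatingProcessAccountName) and that the privileged groups are named sudo or wheel.

```kql
// Added example, not the original query: wider coverage of commands that add an
// account to a privileged group. "sudo" is the Debian/Ubuntu group, "wheel" is
// used on RHEL, Fedora and SUSE. Schema names are from the MDE advanced-hunting tables.
//
// One RE2 pattern with three alternatives; each alternative captures the account added:
//   group 1: usermod -aG <grp> <user>   (also -a -G; plain -G REPLACES the group list but still grants)
//   group 2: gpasswd -a <user> <grp>
//   group 3: adduser <user> <grp>
// \S*\b(sudo|wheel)\b\S* also matches comma-separated group lists such as "docker,sudo".
let GroupAdd = @"(?i)\b(?:usermod\s+(?:-a\s+-G|-aG|-G)\s+\S*\b(?:sudo|wheel)\b\S*\s+(\S+)|gpasswd\s+-a\s+(\S+)\s+(?:sudo|wheel)\b|adduser\s+(\S+)\s+(?:sudo|wheel)\b)";
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine matches regex GroupAdd
// Only one alternative matches per command line, so the other groups are empty;
// coalesce() returns the first non-empty capture.
| extend TargetAccount = coalesce(extract(GroupAdd, 1, ProcessCommandLine),
                                  extract(GroupAdd, 2, ProcessCommandLine),
                                  extract(GroupAdd, 3, ProcessCommandLine))
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, TargetAccount
| order by Timestamp desc
```

Because the pattern is anchored on the usermod/gpasswd/adduser token rather than on FileName, it also catches the common "sudo usermod -aG sudo bob" form where the recorded process is sudo or a shell.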
