Skip to content

Latest commit

 

History

History
57 lines (28 loc) · 2.94 KB

T1206.md

File metadata and controls

57 lines (28 loc) · 2.94 KB
Raw

T1206 - Sudo Caching

Description from ATT&CK

The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments." (Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout that is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).

Adversaries can abuse poor configurations of this to escalate privileges without needing the user's password. /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. When tty_tickets is disabled, adversaries can do this from any tty for that user.

The OSX Proton Malware has disabled tty_tickets to potentially make scripting easier by issuing echo 'Defaults !tty_tickets' >> /etc/sudoers (Citation: cybereason osx proton). In order for this change to be reflected, the Proton malware also must issue killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.

Atomic Tests


Atomic Test #1 - Unlimited sudo cache timeout

Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.

Supported Platforms: macOS, Linux

Attack Commands: Run with sh!

sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
sudo visudo -c -f /etc/sudoers


Atomic Test #2 - Disable tty_tickets for sudo caching

Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.

Supported Platforms: macOS, Linux

Attack Commands: Run with sh!

sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
sudo visudo -c -f /etc/sudoers