AN0142: Analytic 0142
Correlate command executions involving 'sudo' with elevated effective user ID (euid=0), especially when tty_tickets is disabled or timestamp_timeout is actively abused.
Analyst context for executives and security teams
This analytic matters because it focuses on Linux privilege elevation through sudo activity that results in an effective user ID of 0. For executives and security leaders, the decision value is whether the organization can prove who elevated privileges, when, from which session, and under what sudo policy conditions. Weak sudo session controls such as disabled tty_tickets or overly permissive timestamp behavior can reduce accountability and make incident scoping harder.
Executive priority
Prioritize this where Linux systems support critical business services, administrative operations, regulated workloads, or incident response dependencies. Leadership should ask whether sudo policy is governed, logged, and reviewable; whether privileged activity can be tied back to a user and terminal/session; and whether audit evidence is sufficient to support investigations and compliance reviews. This is primarily an identity, endpoint logging, and operational resilience control-validation issue for Linux environments.
Technical view
SOC and detection teams should validate correlation between command execution events involving sudo and evidence that the resulting effective user ID is 0. Because the analytic specifically calls out tty_tickets being disabled or timestamp_timeout being abused, defenders should also review sudoers configuration and sudo session timestamp behavior as context for alert severity and triage. In the absence of supplied ATT&CK tactic or relationship context, treat this as a Linux privilege-monitoring analytic rather than a complete intrusion detection on its own.
Likely telemetry
- Linux process execution telemetry showing sudo command invocation
- User, session, terminal, or TTY context associated with sudo activity
- Effective user ID or privilege context showing euid=0
- sudo logs or authentication logs recording command, user, and session details
- sudoers configuration evidence, including tty_tickets and timestamp_timeout settings
Detection direction
- Confirm that Linux telemetry captures both the sudo execution and the resulting elevated effective user ID, not just the command string.
- Tune correlation to distinguish expected administrative sudo usage from unusual use based on user, host role, session context, command, and timing.
- Review environments where tty_tickets is disabled, because session separation may be weaker and attribution may require stronger supporting telemetry.
- Review timestamp_timeout values and sudo timestamp behavior, because cached authentication can create gaps between user authentication and later privileged command execution.
- Document expected administrator and automation patterns to reduce false positives while preserving visibility into unexpected euid=0 transitions.
Mitigation priorities
- Standardize and review sudoers policy for Linux systems, especially tty_tickets and timestamp_timeout settings.
- Ensure privileged command execution is logged with user, host, session, terminal, command, and effective user context.
- Limit sudo access to authorized users and roles, and periodically review privileged access assignments.
- Use configuration management or compliance checks to identify sudo policy drift across Linux hosts.
- Preserve sudo and process execution logs in a central location so incident responders can reconstruct privilege elevation activity.
Analyst notes and limits
The supplied object is a detection analytic for Linux only. It provides a concise analytic idea but no official detection logic, tactics, relationships, mitigations, or procedure examples. The strongest use of this object is as a validation checklist for Linux sudo visibility and sudo policy governance.
This take is limited to the official STIX fields and the single MITRE external reference supplied. No active exploitation, actor attribution, business impact event, or guaranteed detection coverage is implied. Local sudo configuration, logging depth, endpoint telemetry, and administrative baselines are required to determine practical coverage and alert quality.
Analytic 0142
Correlate command executions involving 'sudo' with elevated effective user ID (euid=0), especially when tty_tickets is disabled or timestamp_timeout is actively abused.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 76d29c8b9804… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0142Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.