MITRE ATT&CK® Analytic

AN0143: Analytic 0143

Detect sudo activity with NOPASSWD in /etc/sudoers or disabling tty_tickets, followed by immediate privileged commands (e.g., echo 'Defaults !tty_tickets' >> /etc/sudoers).

Domain: Enterprise | ID: AN0143 | Type: Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because changes to macOS sudo policy can remove normal friction around privileged access. If NOPASSWD is added to sudoers or tty_tickets is disabled, a user or process may be able to run privileged commands more easily, reducing the value of interactive authentication controls and complicating incident containment. For leaders, the key question is whether the organization can prove that sudo policy changes and the privileged activity that follows are logged, reviewed, and investigated quickly.

Executive priority

Prioritize this as an identity and endpoint control-validation issue for macOS environments. It supports incident decision-making and audit evidence by showing whether privileged access policy changes are visible and whether SOC/IR teams can correlate those changes with immediate privileged command execution. The business risk is not the configuration file alone; it is the combination of weakened sudo requirements and rapid privileged activity that may affect system integrity and operational resilience.

Technical view

For macOS, validate monitoring around /etc/sudoers changes that introduce NOPASSWD behavior or disable tty_tickets, then correlate those events with near-term sudo or other privileged command execution. Because no ATT&CK detection logic is supplied, teams should define local correlation windows, expected administrative workflows, and exception handling. IR teams should treat a sudoers policy weakening followed by immediate privileged execution as a high-value triage pattern requiring review of the initiating user, parent process, change mechanism, and subsequent commands.

Likely telemetry

  • macOS file modification events for /etc/sudoers and related sudo configuration paths, where collected
  • Process execution telemetry showing sudo and privileged command activity
  • Command-line arguments or shell history where available and legally/operationally appropriate
  • Authentication and authorization logs related to sudo usage
  • Endpoint detection and response events linking user, process, parent process, and timestamp

Detection direction

  • Confirm telemetry can capture both the sudoers policy change and the privileged command activity that follows; either signal alone is weaker than the sequence.
  • Tune for modifications that add passwordless sudo behavior or disable tty_tickets, then correlate with immediate privileged execution by the same user, process lineage, host, or session.
  • Establish baselines for approved macOS administration, configuration management, and maintenance windows to reduce false positives.
  • Review blind spots where file integrity monitoring, endpoint process telemetry, or command-line capture is not enabled on macOS systems.
  • Because ATT&CK provides no official detection body for this analytic, document local logic, correlation timing, exclusions, and test evidence for SOC and compliance use.

Mitigation priorities

  • Restrict who can modify sudoers and require controlled administrative workflows for sudo policy changes.
  • Use change control and peer review for sudo configuration updates, especially any passwordless sudo or tty_tickets-related changes.
  • Harden endpoint logging so sudoers changes and privileged command execution are retained and available to responders.
  • Periodically audit macOS sudo configuration for risky or unauthorized entries.
  • Ensure incident response playbooks include containment and review steps for unauthorized privileged access policy changes.
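The correlation described under "Detection direction" (a sudoers change that adds NOPASSWD or disables tty_tickets, followed within a local window by privileged execution from the same user and host) and the periodic sudoers audit listed under "Mitigation priorities" can both be expressed with the same small classifier. The following Python is an added example written for this page; it is not MITRE or Glexia code and not any EDR product's query language. The event dictionaries, their field names (ts, host, user, type, cmdline, path, content), the 300-second window and the sudoers path list are all constructed assumptions to be replaced with local telemetry and baselines.

```python
"""Added example: correlate sudoers weakening with immediate privileged
execution, and statically audit sudoers content for risky directives.
All event shapes and sample data below are constructed for illustration."""
import re

# Directives the analytic cares about: passwordless sudo or disabled tty_tickets.
RISKY_DIRECTIVE = re.compile(r"NOPASSWD|!\s*tty_tickets", re.IGNORECASE)
# Assumed sudo configuration paths on macOS (/private/etc is the real target of /etc).
SUDOERS_PATHS = ("/etc/sudoers", "/etc/sudoers.d/", "/private/etc/sudoers")
WINDOW_SECONDS = 300  # assumed local correlation window; tune per environment


def risky_sudoers_lines(text):
    """Static audit: return (line_no, line) for non-comment entries that add
    passwordless sudo or disable tty_tickets."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if RISKY_DIRECTIVE.search(stripped):
            findings.append((n, stripped))
    return findings


def is_sudoers_weakening(event):
    """True when the event writes a risky directive into a sudoers path.
    Two assumed shapes: a file_modify event carrying the written content, or a
    process event whose command line redirects the directive into sudoers."""
    if event["type"] == "file_modify":
        return event["path"].startswith(SUDOERS_PATHS) and bool(
            RISKY_DIRECTIVE.search(event.get("content", "")))
    if event["type"] == "process":
        cmd = event["cmdline"]
        return any(p in cmd for p in SUDOERS_PATHS) and bool(RISKY_DIRECTIVE.search(cmd))
    return False


def is_privileged_exec(event):
    """Privileged execution here means a command line whose first token is sudo."""
    if event["type"] != "process":
        return False
    argv = event["cmdline"].split()
    return bool(argv) and argv[0] == "sudo"


def correlate(events, window=WINDOW_SECONDS):
    """Return one alert per sudoers weakening that is followed within `window`
    seconds by a sudo command from the same user on the same host."""
    ordered = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, trigger in enumerate(ordered):
        if not is_sudoers_weakening(trigger):
            continue
        for follow in ordered[i + 1:]:
            if follow["ts"] - trigger["ts"] > window:
                break  # events are time-ordered, nothing later can match
            if (follow["host"], follow["user"]) != (trigger["host"], trigger["user"]):
                continue
            if is_privileged_exec(follow) and not is_sudoers_weakening(follow):
                alerts.append({
                    "host": trigger["host"], "user": trigger["user"],
                    "trigger": trigger.get("cmdline", trigger.get("path")),
                    "follow_on": follow["cmdline"],
                    "delta_s": follow["ts"] - trigger["ts"],
                })
                break  # the first follow-on is enough for one alert
    return alerts


# Constructed sample telemetry (not real logs): timestamps are seconds.
EVENTS = [
    {"ts": 100, "host": "mac-01", "user": "jdoe", "type": "process",
     "cmdline": "sudo ls /var/root"},                       # routine, no prior weakening
    {"ts": 200, "host": "mac-01", "user": "jdoe", "type": "process",
     "cmdline": "sudo sh -c \"echo 'Defaults !tty_tickets' >> /etc/sudoers\""},
    {"ts": 203, "host": "mac-01", "user": "jdoe", "type": "process",
     "cmdline": "sudo launchctl list"},                     # 3 s later: alert
    {"ts": 300, "host": "mac-02", "user": "admin", "type": "file_modify",
     "path": "/etc/sudoers.d/ops", "content": "ops ALL=(ALL) NOPASSWD: ALL\n"},
    {"ts": 900, "host": "mac-02", "user": "admin", "type": "process",
     "cmdline": "sudo cat /etc/hosts"},                     # 600 s later: outside window
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT", alert)
    sample_sudoers = "# comment mentioning NOPASSWD\nroot ALL=(ALL) ALL\nDefaults !tty_tickets\n"
    for line_no, line in risky_sudoers_lines(sample_sudoers):
        print("AUDIT line", line_no, line)
```

The per-user-per-host key is the narrowest correlation the listed telemetry supports; where EDR exposes process lineage or a session identifier, keying on those reduces false positives from two administrators sharing a host. The mac-02 sequence shows why the window matters: the same pair of events with a wider window becomes an alert, so the chosen value should be documented alongside the exclusions for approved configuration-management runs.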

Analyst notes and limits

This is a detection analytic object, not a technique description. The supplied ATT&CK fields identify macOS as the supported platform and describe a behavioral sequence involving sudoers weakening followed by privileged command execution. No tactics, relationships, aliases, or official detection implementation were supplied, so the Glexia take focuses on control validation, telemetry readiness, and defensible SOC correlation rather than specific rule syntax.

No relationship context, tactic mapping, official detection logic, or related ATT&CK techniques were supplied. This take should not be read as evidence of active exploitation, attribution, impact, or existing customer exposure. Local macOS logging configuration, EDR coverage, administrative practices, and change-control evidence are required to determine actual detection coverage and risk.

Official MITRE ATT&CK definition

Analytic 0143

Detect sudo activity with NOPASSWD in /etc/sudoers or disabling tty_tickets, followed by immediate privileged commands (e.g., echo 'Defaults !tty_tickets' >> /etc/sudoers).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 677d4e96a95ca8fc...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   677d4e96a95c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0143 (Open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.