T1548.003: Sudo and Sudo Caching
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."[1] Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).
The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL.[2] Elevated privileges are required to edit this file though.
Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.
In the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \'Defaults !tty_tickets\' >> /etc/sudoers.[3] In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.
Analyst context for executives and security teams
Sudo and sudo caching matters because it turns normal Linux and macOS administration features into a privilege-escalation decision point. If sudo policy, cached authentication, or sudoers permissions are weak, an intruder who already has user-level access may be able to run higher-privilege commands without a fresh password prompt. For leaders, this is less about the sudo command itself and more about whether privileged activity on Unix-like endpoints is controlled, logged, and reviewable.
Executive priority
Prioritize this where Linux or macOS systems support production operations, developer workstations, administration jump boxes, or CI/CD-adjacent activity. The business question is whether privileged elevation is limited to approved users and commands, and whether the organization can prove that through configuration evidence and audit logs. This technique also supports control discussions around least privilege, privileged account management, endpoint hardening, and incident response readiness.
Technical view
For SOC, detection engineering, and IR teams, validate coverage for Linux and macOS privilege-escalation activity involving sudo, sudoers policy, and sudo credential caching. ATT&CK provides no official detection text for this object, but the relationship to DET0052 indicates behavioral detection is appropriate. Defenders should review changes to /etc/sudoers, sudo timeout and tty-related configuration, NOPASSWD-style policy exceptions, access to /var/db/sudo timestamp artifacts where applicable, and sudo command execution patterns that do not match normal administration. Treat findings in context: legitimate administrators use sudo frequently, so value comes from baselining expected users, hosts, commands, and maintenance windows.
Likely telemetry
- sudo command execution logs and audit trail entries, including user, target user, command, terminal/session, and timestamp where available
- file integrity or configuration monitoring for /etc/sudoers and related sudo configuration content
- filesystem metadata or monitoring related to sudo timestamp/cache locations such as /var/db/sudo where applicable
- process creation telemetry for elevated commands spawned via sudo on Linux and macOS
- authentication and authorization logs showing sudo prompts, failures, successes, and passwordless execution behavior
Detection direction
- Validate whether DET0052-style behavioral logic is implemented for abnormal sudo use rather than relying only on generic process logging.
- Tune detections around unauthorized or unusual modification of sudoers policy, especially broad privilege grants, passwordless execution, or changes that weaken terminal isolation behavior.
- Baseline legitimate administrative sudo patterns by host role and user group to reduce false positives from normal operations.
- Correlate sudo activity with recent user compromise indicators, unusual login sessions, new persistence, or unexpected process ancestry before escalating severity.
- Confirm macOS and Linux coverage separately; sudo paths, logging defaults, and endpoint telemetry availability may differ by platform and version.
Mitigation priorities
- Start with least privilege: restrict which users and groups can use sudo and limit allowed commands to operational need.
- Protect sudo configuration files with restrictive file and directory permissions, aligning with M1022.
- Use privileged account management practices from M1026: accountable admin identities, role-based access, monitoring of privileged use, and regular review of privileged entitlements.
- Harden operating system configuration per M1028, including review of sudo timeout behavior and terminal/session isolation settings where applicable.
- Review and justify any passwordless sudo exceptions; remove broad exceptions that are not required for business operations.
Analyst notes and limits
This is a sub-technique of T1548 Abuse Elevation Control Mechanism and applies to Linux and macOS. ATT&CK relationships show use by several software entries, including Cobalt Strike, Proton, Dok, and Shai-Hulud, which supports defensive prioritization but should not be interpreted as proof of current activity in any specific environment. The revoked-by relationships from older Sudo and Sudo Caching entries indicate consolidation into this current sub-technique.
The supplied ATT&CK object does not include official detection guidance, so detection recommendations are derived from the official description, platforms, tactic, and mitigation/detection-strategy relationships. Local sudo configuration, logging, endpoint tooling, and administrative workflows are required to determine actual exposure and detection quality.
Sudo and Sudo Caching
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."[1] Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).
The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL.[2] Elevated privileges are required to edit this file though.
Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.
In the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \'Defaults !tty_tickets\' >> /etc/sudoers.[3] In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1169 | Sudo | Sudo revoked by this object. |
| Enterprise | T1548 | Abuse Elevation Control Mechanism | This object subtechnique of Abuse Elevation Control Mechanism. |
| Enterprise | T1206 | Sudo Caching | Sudo Caching revoked by this object. |
Groups, software, and campaigns
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S9008: Shai-Hulud
Shai-Hulud is a supply chain worm, first reported in September 2025, that spreads through code repositories, including GitHub and NPM packages. It exploits CI/CD pipeline dependencies to propagate to victims and poisons the supply chain by publishing malicious packages. Once inside a victim environment, Shai-Hulud steals credentials and access tokens from compromised repository accounts and exfiltrates them to attacker-controlled servers via encoded GitHub Actions workflows.[1][2][3][4][5][6][7]
S0279: Proton
S0281: Dok
Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. Adversary-in-the-Middle).[1][2][3]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 2.0 | Current bundle | b8e1f187d8b8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
sudo man page 2018
Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.
Open source URL -
[2]
OSX.Dok Malware
Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.
Open source URL -
[3]
cybereason osx proton
Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually Does. Retrieved March 19, 2018.
Open source URL -
[4]
mitre-attack T1548.003Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.