MITRE ATT&CK Technique T1169: Sudo (revoked)
Description
The sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals. It also describes which commands users can run as other users or groups. This supports least privilege: users run with their lowest possible permissions most of the time and elevate to other users or permissions only as needed, typically after being prompted for a password. However, the sudoers file can also specify when not to prompt users for a password, with a line like <code>user1 ALL=(ALL) NOPASSWD: ALL</code> (Citation: OSX.Dok Malware).

Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. Editing this file, however, requires elevated privileges.
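The following audit script is an added example and is not MITRE's code or part of the ATT&CK record. It shows how a defender can review sudoers content for the passwordless rules the description refers to: it parses a constructed sample sudoers file (comments, a <code>Defaults</code> line, a backslash-continued rule, and the cited <code>user1 ALL=(ALL) NOPASSWD: ALL</code> line), applies sudoers tag semantics (a <code>NOPASSWD:</code> tag carries over to the following commands in the same list until a <code>PASSWD:</code> tag resets it), treats <code>Defaults !authenticate</code> as equivalent to a blanket NOPASSWD, and ranks each finding. The <code>deploy</code> rule in the sample is included as the narrower, command-scoped form one would normally expect in place of <code>NOPASSWD: ALL</code>. Multi-user lists, multiple host specifications on one line and <code>#include</code> directives are not followed; those are noted in the comments as simplifications of this example.

```python
"""Audit sudoers text for rules that run without a password (NOPASSWD).

Added example; not MITRE's code and not part of the ATT&CK record.
The sample sudoers content below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: the weak rule cited in the technique description, a
# comment mentioning NOPASSWD (not a rule), a Defaults line, a continued
# line, and a command-scoped rule as the narrower alternative.
SAMPLE_SUDOERS = """\
# Comment lines are ignored: NOPASSWD here does not count
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
user1   ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, \\
        /usr/bin/journalctl -u app
%admin  ALL=(ALL) ALL
"""

# Simplified rule grammar: <user> <host>=(<runas>) <tagged command list>.
# Comma-separated user lists and multiple host specs per line are not handled.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$"
)
# Tags defined by sudoers(5); only NOPASSWD/PASSWD change password behaviour.
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW|INTERCEPT|NOINTERCEPT):\s*"
)
ALIAS_KEYWORDS = {"User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias"}


@dataclass
class NoPasswdRule:
    user: str            # user, %group, or alias the rule applies to
    runas: str           # target user[:group] spec; sudoers defaults to root
    commands: list       # commands allowed without a password
    unrestricted: bool   # True when "ALL" is allowed without a password


def logical_lines(text):
    """Join backslash-continued lines, drop blank lines and comments.
    #include / #includedir directives are skipped here as well; a real
    audit would read the referenced files too."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stripped = (buf + line).strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            out.append(stripped)
    return out


def parse_commands(rest):
    """Return [(command, nopasswd)] applying tag carry-over semantics:
    a tag applies to the command it precedes and to every later command
    in the list until another tag overrides it."""
    nopasswd, out = False, []
    for item in rest.split(","):
        item = item.strip()
        m = TAG_RE.match(item)
        while m:
            if m.group(1) == "NOPASSWD":
                nopasswd = True
            elif m.group(1) == "PASSWD":
                nopasswd = False
            item = item[m.end():]
            m = TAG_RE.match(item)
        if item:
            out.append((item, nopasswd))
    return out


def find_nopasswd_rules(text):
    """Collect every rule (or Defaults setting) that grants sudo without a password."""
    found = []
    for line in logical_lines(text):
        first = line.split(None, 1)[0]
        if first.startswith("Defaults"):
            # "Defaults !authenticate" disables the password prompt for
            # everything the Defaults line covers (globally, or per user/host).
            if re.search(r"(^|[\s,])!authenticate\b", line):
                found.append(NoPasswdRule(first, "ALL", ["ALL"], True))
            continue
        if first in ALIAS_KEYWORDS:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = [c for c, nopw in parse_commands(m.group("rest")) if nopw]
        if cmds:
            found.append(NoPasswdRule(m.group("user"), m.group("runas") or "root",
                                      cmds, "ALL" in cmds))
    return found


def severity(rule):
    """Passwordless ALL as root/ALL is the case the technique describes."""
    if rule.unrestricted and rule.runas.split(":")[0] in ("ALL", "root"):
        return "high"
    if rule.unrestricted:
        return "medium"
    return "review"   # scoped command list: confirm each binary cannot spawn a shell


if __name__ == "__main__":
    for r in find_nopasswd_rules(SAMPLE_SUDOERS):
        print(f"[{severity(r)}] {r.user} as {r.runas}: {', '.join(r.commands)}")
```

On a real host, feed the script the concatenated contents of <code>/etc/sudoers</code> and <code>/etc/sudoers.d/</code> (readable only with elevated privileges, which is the point the description makes) after confirming the syntax with <code>visudo -c</code>; each "high" finding is a rule that lets the named principal reach root with no password prompt at all.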
Supported Platforms
Linux, macOS
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-12-14T16:46:06.044Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'The sudoers file, <code>/etc/sudoers</code>, describes which '
'users can run which commands and from which terminals. This '
'also describes which commands users can run as other users or '
'groups. This provides the idea of least privilege such that '
'users are running in their lowest possible permissions for '
'most of the time and only elevate to other users or '
'permissions as needed, typically by prompting for a password. '
'However, the sudoers file can also specify when to not prompt '
'users for passwords with a line like <code>user1 ALL=(ALL) '
'NOPASSWD: ALL</code> (Citation: OSX.Dok Malware). \n'
'\n'
'Adversaries can take advantage of these configurations to '
'execute commands as other users or spawn processes with '
'higher privileges. You must have elevated privileges to edit '
'this file though.',
'external_references': [{'external_id': 'T1169',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1169'},
{'description': 'Thomas Reed. (2017, July 7). New '
'OSX.Dok malware intercepts web '
'traffic. Retrieved July 10, 2017.',
'source_name': 'OSX.Dok Malware',
'url': 'https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/'}],
'id': 'attack-pattern--9e80ddfb-ce32-4961-a778-ca6a10cfae72',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:49:09.488Z',
'name': 'Sudo',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS'],
'x_mitre_version': '1.1'}