Command Line Activity
Overview
Evidence: Command Line Activity
Description: Filter command line activity run with elevated privileges
Category: System
Platform: macos
Short Name: cla
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The sudo command allows authorized users to execute commands with elevated privileges. Unified logs capture sudo invocations including the user, target user, working directory, and command executed. This predicate filters for privilege escalation to root, excluding routine system operations.
Data Collected
This collector gathers structured data about command line activity: the sudo invocations described above, with the invoking user, target user, working directory, and command executed.
Collection Method
This collector uses the macOS 'log' command with predicate-based filtering to extract sudo process events where users elevate to root privileges over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType='Command Line Activity'.
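As an added example (not the collector's own code), the parsing step described above in Python: it takes the JSON array that `log show --style json` emits, keeps sudo entries whose target user is root, and drops commands matching an assumed prefix list of routine operations (the page does not say which operations the real collector excludes). The predicate in the comment and the sample log entries are constructed for illustration.

```python
import json
import re
from dataclasses import dataclass

# sudo's log line as it appears in eventMessage, e.g.
#   alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/ls
SUDO_MSG = re.compile(
    r"^\s*(?P<user>\S+)\s*:\s*TTY=\S+\s*;\s*PWD=(?P<pwd>.*?)\s*;"
    r"\s*USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<command>.*)$"
)

@dataclass
class SudoEvent:
    timestamp: str
    user: str
    pwd: str
    target_user: str
    command: str

def parse_sudo_events(json_text, exclude_prefixes=()):
    """Parse `log show --style json` output; keep only sudo elevations to root.
    exclude_prefixes (an assumed mechanism; the page does not list the routine
    operations it skips) drops commands whose path starts with a given prefix."""
    events = []
    for entry in json.loads(json_text):
        if entry.get("process") != "sudo":
            continue  # the log predicate should already do this; defend anyway
        m = SUDO_MSG.match(entry.get("eventMessage", ""))
        if not m or m["target"] != "root":
            continue  # unparseable, or an elevation to a non-root account
        if m["command"].startswith(tuple(exclude_prefixes)):
            continue  # routine system operation
        events.append(SudoEvent(entry.get("timestamp", ""), m["user"],
                                m["pwd"], m["target"], m["command"]))
    return events

# Constructed sample entries in the shape produced by (assumed predicate):
#   log show --last 3d --style json --predicate 'process == "sudo"'
SAMPLE_LOG_JSON = json.dumps([
    {"timestamp": "2024-05-01 09:12:03.000000-0700", "process": "sudo",
     "eventMessage": "alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/launchctl list"},
    {"timestamp": "2024-05-01 09:15:40.000000-0700", "process": "sudo",
     "eventMessage": "alice : TTY=ttys001 ; PWD=/Users/alice ; USER=postgres ; COMMAND=/usr/bin/psql"},
    {"timestamp": "2024-05-01 10:00:00.000000-0700", "process": "sudo",
     "eventMessage": "bob : TTY=ttys002 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/softwareupdate -l"},
])

if __name__ == "__main__":
    for ev in parse_sudo_events(SAMPLE_LOG_JSON, ("/usr/sbin/softwareupdate",)):
        print(f"{ev.timestamp} {ev.user} -> {ev.target_user} [{ev.pwd}] {ev.command}")
```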
Forensic Value
Sudo logs are critical for investigating privilege escalation, unauthorized administrative actions, malicious command execution, and insider threats. They reveal what commands were run with elevated privileges, by whom, and when, helping identify suspicious administrative activities and policy violations.