Failed Sudo
Overview
Evidence: Failed Sudo
Description: Filter failed sudo events
Category: System
Platform: macos
Short Name: fsu
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Failed sudo attempts are recorded when a user supplies the wrong password while trying to run a command with elevated privileges. sudo writes its "N incorrect password attempts" line only when authentication ultimately fails, after the retry limit (passwd_tries, default 3) is exhausted or the user gives up, so one event can stand for up to three wrong passwords in a row. Repeated events can indicate brute force attacks against a user's credentials, privilege escalation attempts, or unauthorized access efforts.
Data Collected
This collector gathers structured data about failed sudo attempts.
Collection Method
This collector runs the macOS `log` command with a predicate filter to extract sudo events that record 3 consecutive failed password attempts within the last 3 days. The matching entries are read in JSON output format, parsed, and stored in the unified_logs table with PredicateType='Failed Sudo'.
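The following Python script is an added example of the collection method described above; it is not the collector's own code. It builds the `log show` invocation, parses a constructed sample of `log show --style json` output into structured rows tagged PredicateType='Failed Sudo', keeps only the events where the retry limit was exhausted, loads them into an in-memory `unified_logs` table, and totals wrong passwords per user. The predicate text, the `unified_logs` column names, and the sample entries are assumptions for illustration; the sudo message format and the `log show` flags are standard.

```python
import json
import re
import sqlite3
import subprocess
from collections import Counter

# Predicate assumed for illustration; the collector's real predicate text is not on the page.
PREDICATE = 'process == "sudo" AND eventMessage CONTAINS "incorrect password attempts"'
PREDICATE_TYPE = "Failed Sudo"

# sudo's failure line, as it reaches the unified log via syslog:
#   "<user> : 3 incorrect password attempts ; TTY=ttys001 ; PWD=/Users/u ; USER=root ; COMMAND=/bin/ls"
FAILED_RE = re.compile(
    r"^\s*(?P<user>\S+) : (?P<attempts>\d+) incorrect password attempts? ; "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.+)$"
)


def log_show_args(days=3):
    """Argument vector for `log show` covering the last `days` days, emitted as JSON."""
    return ["log", "show", "--last", f"{days}d", "--style", "json", "--predicate", PREDICATE]


def parse_log_json(raw):
    """Turn `log show --style json` output into structured failed-sudo rows.

    The regex is a second filter on top of the predicate: a successful sudo
    line (no attempt count) is dropped even if it slipped through.
    """
    rows = []
    for entry in json.loads(raw):
        m = FAILED_RE.match(entry.get("eventMessage", ""))
        if not m:
            continue
        rows.append({
            "PredicateType": PREDICATE_TYPE,
            "timestamp": entry.get("timestamp"),
            "process": entry.get("process"),
            "user": m["user"],
            "attempts": int(m["attempts"]),
            "tty": m["tty"],
            "pwd": m["pwd"],
            "target_user": m["target"],
            "command": m["command"],
        })
    return rows


def only_three_failures(rows):
    """Keep events where the retry limit was exhausted (3 attempts), as the collector does."""
    return [r for r in rows if r["attempts"] == 3]


def store_rows(rows):
    """Load rows into an in-memory unified_logs table (column names are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE unified_logs (timestamp TEXT, PredicateType TEXT, process TEXT, "
        "user TEXT, attempts INTEGER, tty TEXT, pwd TEXT, target_user TEXT, command TEXT)"
    )
    conn.executemany(
        "INSERT INTO unified_logs VALUES (:timestamp, :PredicateType, :process, :user, "
        ":attempts, :tty, :pwd, :target_user, :command)",
        rows,
    )
    conn.commit()
    return conn


def attempts_by_user(rows):
    """Total wrong passwords per invoking user, the first number to check for brute force."""
    totals = Counter()
    for r in rows:
        totals[r["user"]] += r["attempts"]
    return dict(totals)


def collect(days=3):
    """Live collection on a Mac: run `log show` and parse its output."""
    out = subprocess.run(log_show_args(days), capture_output=True, text=True, check=True).stdout
    return only_three_failures(parse_log_json(out))


# Constructed sample resembling `log show --style json` output; not real captured data.
SAMPLE_LOG_JSON = json.dumps([
    {"timestamp": "2024-05-01 09:12:03.123456-0700", "process": "sudo",
     "eventMessage": "    alice : 3 incorrect password attempts ; TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id"},
    {"timestamp": "2024-05-01 09:12:40.000000-0700", "process": "sudo",
     "eventMessage": "    alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id"},
    {"timestamp": "2024-05-01 23:58:11.000000-0700", "process": "sudo",
     "eventMessage": "    bob : 1 incorrect password attempt ; TTY=ttys002 ; PWD=/private/tmp ; USER=root ; COMMAND=/bin/bash"},
    {"timestamp": "2024-05-02 00:01:15.000000-0700", "process": "sudo",
     "eventMessage": "    bob : 3 incorrect password attempts ; TTY=ttys002 ; PWD=/private/tmp ; USER=root ; COMMAND=/bin/bash"},
])

if __name__ == "__main__":
    rows = only_three_failures(parse_log_json(SAMPLE_LOG_JSON))
    for r in rows:
        print(r)
    print(attempts_by_user(rows))
```

Run the script as-is to see the two exhausted-retry events from the constructed sample, or call `collect()` on a Mac to run the real `log show` query. Note that the unified log on macOS retains entries for a limited time, so a 3-day window may be shorter than the retention on a busy host and longer than it on one that has been wiped.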
Forensic Value
Failed sudo events are key indicators of privilege escalation attempts, brute force attacks against user credentials, insider threat activity, and unauthorized administrative access attempts. Because each event records the invoking user, TTY, working directory, target user, and the command that was attempted, they help identify compromised accounts, policy violations, and potential breaches before an escalation succeeds.