Sudo Last Run
Overview
Evidence: Sudo Last Run
Description: Collect Sudo Last Run
Category: System
Platform: macos
Short Name: slr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The sudo timestamp files track when users last successfully authenticated to sudo; within the configured timeout, sudo reuses that authentication and does not prompt for a password again. These timestamps therefore record when privileged commands were run and by whom. Understanding sudo usage is essential for detecting unauthorized privilege escalation, lateral movement, and abuse of administrative access.
Data Collected
This collector gathers structured data about sudo last run.
Sudo Last Run Data
| Field | Description | Example |
|---|---|---|
| UID | Numeric user ID recorded in the timestamp entry | 123 |
| User | User name the timestamp file belongs to | Example value |
| Source | Source | Example value |
| SudoRunTimestamp | Sudo Run Timestamp | 2023-10-15 14:30:25+03:00 |
Collection Method
This collector parses binary timestamp files from /private/var/db/sudo/ts/, extracting user IDs and last sudo execution timestamps for each user who has used sudo on the system.
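As an added illustration of what such a parser has to deal with (this is example code written for this page, not the collector's own implementation), the following Python reads one timestamp file from /private/var/db/sudo/ts/ and produces the UID, user and last-run timestamp shown in the table above. It assumes the record layout from sudo's timestamp.h (version 1 and version 2 entries), a 64-bit little-endian macOS host, and that the user name is taken from the file name; the sample bytes and the boot time are constructed inline. One caveat a practitioner should know: sudo stores the timestamp on a monotonic clock (seconds since boot, not epoch time), so converting it to wall-clock time requires the host's boot time and is only as accurate as that clock is.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Record types and flags as defined in sudo's timestamp.h.
TS_GLOBAL, TS_TTY, TS_PPID = 1, 2, 3
TS_DISABLED, TS_ANYUID = 0x01, 0x02
TYPE_NAMES = {TS_GLOBAL: "global", TS_TTY: "tty", TS_PPID: "ppid"}

# Header common to every record: version, size, type, flags, auth_uid, sid (16 bytes).
_HDR = struct.Struct("<HHHHIi")
# struct timespec on 64-bit macOS: tv_sec and tv_nsec are 8 bytes each (assumption).
_TIMESPEC = struct.Struct("<qq")


@dataclass
class SudoTimestamp:
    user: str                  # taken from the file name under /private/var/db/sudo/ts/
    uid: int                   # auth_uid field of the record
    record_type: str           # global / tty / ppid
    disabled: bool             # TS_DISABLED: entry was invalidated but still proves a past auth
    any_uid: bool              # TS_ANYUID: entry is valid for any target uid
    session_id: int
    monotonic_secs: float      # as stored: seconds on a monotonic (since-boot) clock
    wall_clock: Optional[datetime]  # only available when the caller supplies boot time


def parse_ts_file(data: bytes, user: str, boot_time: Optional[datetime] = None) -> List[SudoTimestamp]:
    """Walk the variable-length records of one timestamp file, trusting each record's own size field."""
    records: List[SudoTimestamp] = []
    off = 0
    while off + _HDR.size <= len(data):
        version, size, rtype, flags, auth_uid, sid = _HDR.unpack_from(data, off)
        if size < _HDR.size or off + size > len(data):
            raise ValueError(f"corrupt record at offset {off}: size={size}")
        body = data[off + _HDR.size: off + size]
        if version == 2:
            # v2 layout: start_time (session start), ts (auth time), union u (ttydev/ppid)
            ts_sec, ts_nsec = _TIMESPEC.unpack_from(body, _TIMESPEC.size)
        elif version == 1:
            # v1 layout has no start_time: ts comes straight after the header
            ts_sec, ts_nsec = _TIMESPEC.unpack_from(body, 0)
        else:
            raise ValueError(f"unsupported timestamp record version {version}")
        mono = ts_sec + ts_nsec / 1e9
        wall = boot_time + timedelta(seconds=mono) if boot_time is not None else None
        records.append(SudoTimestamp(
            user=user, uid=auth_uid, record_type=TYPE_NAMES.get(rtype, f"unknown({rtype})"),
            disabled=bool(flags & TS_DISABLED), any_uid=bool(flags & TS_ANYUID),
            session_id=sid, monotonic_secs=mono, wall_clock=wall,
        ))
        off += size
    return records


def last_run(records: List[SudoTimestamp]) -> SudoTimestamp:
    """Most recent authentication in the file; disabled entries still count as evidence of a past run."""
    return max(records, key=lambda r: r.monotonic_secs)


def format_timestamp(dt: datetime) -> str:
    """Render in the '2023-10-15 14:30:25+03:00' style used by the evidence table."""
    return dt.isoformat(sep=" ", timespec="seconds")


def build_record(version: int, rtype: int, flags: int, uid: int, sid: int, ts_sec: int, ts_nsec: int) -> bytes:
    """Construct a record for the sample below (test data, not bytes captured from a real host)."""
    body = b""
    if version == 2:
        body += _TIMESPEC.pack(0, 0)               # start_time, unused here
    body += _TIMESPEC.pack(ts_sec, ts_nsec)        # ts: the authentication time
    body += b"\x00" * 8                            # union u plus alignment padding
    return _HDR.pack(version, _HDR.size + len(body), rtype, flags, uid, sid) + body


# Constructed sample: boot at 12:00 local (UTC+3); three records for user "alice".
BOOT_TIME = datetime(2023, 10, 15, 12, 0, 0, tzinfo=timezone(timedelta(hours=3)))
SAMPLE_TS_FILE = (
    build_record(2, TS_TTY, 0, 501, 1234, 9025, 0)                # 2h30m25s after boot
    + build_record(2, TS_TTY, TS_DISABLED, 501, 1200, 8000, 500_000_000)
    + build_record(1, TS_GLOBAL, TS_ANYUID, 0, 999, 100, 0)        # legacy v1 entry
)

if __name__ == "__main__":
    recs = parse_ts_file(SAMPLE_TS_FILE, "alice", BOOT_TIME)
    latest = last_run(recs)
    print(f"UID={latest.uid} User={latest.user} SudoRunTimestamp={format_timestamp(latest.wall_clock)}")
```

On a live host the file name under /private/var/db/sudo/ts/ is the invoking user's name, and the boot time can be read from the kernel (for example `sysctl kern.boottime`); the parser deliberately advances by each record's own `size` field rather than a fixed stride, so a file mixing record versions or containing trailing padding still parses.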
Forensic Value
Sudo timestamp data reveals when users gained elevated privileges, pointing to administrative activity, privilege escalation attempts, or unauthorized access. Unexpected sudo usage, such as a service or non-administrative account with a timestamp entry, may indicate compromised credentials, a privilege escalation attack, or malicious administrative actions. This evidence helps establish timelines of privileged activity and identify unauthorized elevated access.