T1548.003 Sudo
Required Tables
- shell_commands
Returned Fields
| Field | Description |
|---|---|
| shell_commands.* | all fields for shell commands where privilege escalation used sudo |
Query
SELECT *
FROM shell_commands
WHERE program_filename IN ('/usr/bin/sudo', '/bin/su')