The sub-techniques beta is now live! Read the release blog post for more info.

Sudo Caching

The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments." [1] Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout that is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).

Adversaries can abuse poor configurations of this to escalate privileges without needing the user's password. /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. When tty_tickets is disabled, adversaries can do this from any tty for that user.

The OSX Proton Malware has disabled tty_tickets to potentially make scripting easier by issuing echo \'Defaults !tty_tickets\' >> /etc/sudoers [2]. In order for this change to be reflected, the Proton malware also must issue killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.

ID: T1206
Tactic: Privilege Escalation
Platform: Linux, macOS
Permissions Required: User
Effective Permissions: root
Data Sources: File monitoring, Process command-line parameters
Version: 1.0
Created: 18 April 2018
Last Modified: 24 June 2019

Procedure Examples

Name Description

Proton modifies the tty_tickets line in the sudoers file.[3]


Mitigation Description
Operating System Configuration

Similarly, ensuring that the tty_tickets setting is enabled will prevent this leakage across tty sessions.

Privileged Account Management

Setting the timestamp_timeout to 0 will require the user to input their password every time sudo is executed.


This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.