Command Line Activity
Overview
Evidence: Command Line Activity
Description: Filter command line activity run with elevated privileges
Category: System
Platform: macos
Short Name: cla
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The sudo command allows authorized users to execute commands with elevated privileges. Unified logs capture sudo invocations including the user, target user, working directory, and command executed. This predicate filters for privilege escalation to root, excluding routine system operations.
Data Collected
This collector gathers structured data about command line activity, namely the sudo invocations described above: the invoking user, target user, working directory, and command executed.
Collection Method
This collector uses the macOS 'log' command with predicate-based filtering to extract sudo process events where users elevate to root privileges over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType='Command Line Activity'.
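The following is an added example, not the collector's own code, showing the shape of this pipeline: JSON produced by the macOS log command is filtered to sudo events whose target user is root, routine maintenance commands are dropped, and the remainder is written to a unified_logs table with PredicateType='Command Line Activity'. The sample JSON, the exact log predicate, and the allowlist of "routine" commands are assumptions for illustration; the page does not state which predicate or exclusions the collector actually uses.

```python
"""Added example (not the collector's own code): turn `log show` JSON into
rows of the unified_logs table, keeping only sudo elevations to root."""
import json
import sqlite3

# The JSON would come from the macOS log command, e.g. (real flags; the
# collector's exact predicate is an assumption, not stated on the page):
#   log show --last 3d --style json --predicate 'process == "sudo"'
#
# Constructed sample of such output; only the fields used here are shown.
SAMPLE_JSON = json.dumps([
    {"timestamp": "2024-05-01 10:15:02.000000+0000", "process": "sudo",
     "eventMessage": "alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; "
                     "COMMAND=/usr/bin/dscl . -create /Users/backup"},
    {"timestamp": "2024-05-01 10:16:40.000000+0000", "process": "sudo",
     "eventMessage": "alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; "
                     "COMMAND=/usr/sbin/softwareupdate --list"},
    {"timestamp": "2024-05-01 10:17:10.000000+0000", "process": "sudo",
     "eventMessage": "bob : TTY=ttys002 ; PWD=/tmp ; USER=www ; COMMAND=/usr/bin/id"},
    {"timestamp": "2024-05-01 10:18:00.000000+0000", "process": "sudo",
     "eventMessage": "bob : command not allowed ; TTY=ttys002 ; PWD=/tmp ; "
                     "USER=root ; COMMAND=/bin/sh -c 'id ; whoami'"},
    {"timestamp": "2024-05-01 10:19:00.000000+0000", "process": "loginwindow",
     "eventMessage": "unrelated entry"},
])

# Assumed allowlist of routine maintenance commands to drop; the page does
# not define which operations the collector treats as routine.
ROUTINE_COMMAND_PREFIXES = ("/usr/sbin/softwareupdate", "/usr/sbin/periodic")
PREDICATE_TYPE = "Command Line Activity"


def parse_sudo_message(message):
    """Parse sudo's '<user> : [status ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..'
    message. Returns None when the line is not in that shape."""
    if " : " not in message:
        return None
    user, rest = message.split(" : ", 1)
    # COMMAND is always last and may itself contain ';', so split it off first.
    head, sep, command = rest.partition("COMMAND=")
    if not sep:
        return None
    fields, status = {}, "ok"
    for part in head.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
        else:
            status = part  # e.g. "command not allowed" (denied attempt)
    if "USER" not in fields:
        return None
    return {"user": user.strip(), "target_user": fields["USER"],
            "pwd": fields.get("PWD", ""), "tty": fields.get("TTY", ""),
            "command": command.strip(), "status": status}


def collect_root_escalations(log_json):
    """Keep sudo events that elevate to root, excluding routine commands."""
    kept = []
    for entry in json.loads(log_json):
        if entry.get("process") != "sudo":
            continue
        parsed = parse_sudo_message(entry.get("eventMessage", ""))
        if parsed is None or parsed["target_user"] != "root":
            continue
        if parsed["command"].startswith(ROUTINE_COMMAND_PREFIXES):
            continue
        parsed["timestamp"] = entry.get("timestamp", "")
        parsed["raw"] = entry.get("eventMessage", "")
        kept.append(parsed)
    return kept


def store_events(conn, events):
    """Insert events into unified_logs tagged with the predicate type;
    returns the number of rows now carrying that PredicateType."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS unified_logs (timestamp TEXT, process TEXT, "
        "PredicateType TEXT, user TEXT, target_user TEXT, pwd TEXT, tty TEXT, "
        "command TEXT, status TEXT, raw TEXT)")
    conn.executemany(
        "INSERT INTO unified_logs VALUES (?,?,?,?,?,?,?,?,?,?)",
        [(e["timestamp"], "sudo", PREDICATE_TYPE, e["user"], e["target_user"],
          e["pwd"], e["tty"], e["command"], e["status"], e["raw"]) for e in events])
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM unified_logs WHERE PredicateType = ?",
                        (PREDICATE_TYPE,)).fetchone()[0]


def run_sample():
    """Run the pipeline over the constructed sample in an in-memory database."""
    events = collect_root_escalations(SAMPLE_JSON)
    return store_events(sqlite3.connect(":memory:"), events), events


if __name__ == "__main__":
    count, events = run_sample()
    print(count, "root escalations stored")
    for e in events:
        print(e["timestamp"], e["user"], "->", e["target_user"], e["status"], e["command"])
```

Of the five constructed entries only two survive: the dscl user creation and the denied /bin/sh attempt. The softwareupdate run is dropped by the routine allowlist, the elevation to the non-root user www fails the root filter, and the loginwindow entry is not a sudo event. Keeping denied attempts (status "command not allowed") is deliberate, since a refused escalation is often more interesting to an investigator than a successful routine one.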
Forensic Value
Sudo logs are critical for investigating privilege escalation, unauthorized administrative actions, malicious command execution, and insider threats. They reveal what commands were run with elevated privileges, by whom, and when, helping identify suspicious administrative activities and policy violations.