Failed Sudo
Overview
Evidence: Failed Sudo
Description: Filter failed sudo events
Category: System
Platform: macOS
Short Name: fsu
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Failed sudo attempts occur when users provide incorrect passwords while trying to execute commands with elevated privileges. macOS logs these failures after multiple incorrect attempts, which can indicate brute force attacks, privilege escalation attempts, or unauthorized access efforts.
Data Collected
This collector gathers structured data about failed sudo attempts (the user, TTY, working directory, target user and command recorded with each failure).
Collection Method
This collector uses the macOS `log` command with predicate-based filtering to extract sudo events that record 3 consecutive failed password attempts, over the last 3 days. The matching log entries are parsed from JSON format and stored in the unified_logs table with PredicateType='Failed Sudo'.
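The following is an added example, not the product's own collector code. It shows the shape of the collection method described above: invoke `log show` with a predicate and `--style json`, then parse the JSON entries into rows tagged PredicateType='Failed Sudo'. The predicate text, the sudo message wording it matches, and the sample JSON are assumptions constructed for this example; sudo's "N incorrect password attempts" line is the usual form, but it is not something the page states.

```python
"""Added example (not the product's own code): collect and parse failed sudo
events from the macOS unified log.

Assumptions (not taken from the page): the predicate string, the sudo message
format, and SAMPLE_LOG_JSON, which is constructed to mimic `log show --style json`.
"""
import json
import re
import subprocess
from typing import Any, Dict, List

# Hypothetical predicate: sudo writes "<N> incorrect password attempts" once the
# per-command password limit (default 3) is exhausted.
PREDICATE = 'process == "sudo" AND eventMessage CONTAINS "incorrect password attempts"'

# sudo's syslog-style line, e.g.
# "alice : 3 incorrect password attempts ; TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/whoami"
MSG_RE = re.compile(
    r"^(?P<user>[^:]+?) : (?P<attempts>\d+) incorrect password attempts ; "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)


def log_show_command(days: int = 3) -> List[str]:
    """Build the `log show` invocation: JSON output, last N days, predicate filter."""
    return ["log", "show", "--style", "json", "--last", f"{days}d", "--predicate", PREDICATE]


def parse_failed_sudo(log_json: str, min_attempts: int = 3) -> List[Dict[str, Any]]:
    """Parse `log show --style json` output and keep sudo password-failure events
    with at least `min_attempts` consecutive failures, shaped like unified_logs rows."""
    rows: List[Dict[str, Any]] = []
    for entry in json.loads(log_json):
        # Belt-and-braces: the predicate already restricts to sudo, but a parser
        # fed from a file should not trust that.
        if entry.get("process") != "sudo":
            continue
        m = MSG_RE.match(entry.get("eventMessage", ""))
        if not m or int(m.group("attempts")) < min_attempts:
            continue
        rows.append({
            "PredicateType": "Failed Sudo",
            "timestamp": entry.get("timestamp", ""),
            "user": m.group("user").strip(),
            "attempts": int(m.group("attempts")),
            "tty": m.group("tty"),
            "pwd": m.group("pwd"),
            "target_user": m.group("target"),
            "command": m.group("command"),
        })
    return rows


def collect_failed_sudo(days: int = 3) -> List[Dict[str, Any]]:
    """Live collection on a macOS host (requires the `log` tool; not run offline)."""
    out = subprocess.run(log_show_command(days), capture_output=True, text=True, check=True).stdout
    return parse_failed_sudo(out)


# Constructed sample in the style of `log show --style json` output (not real data).
SAMPLE_LOG_JSON = json.dumps([
    {
        "timestamp": "2024-01-10 09:14:02.123456-0800",
        "process": "sudo",
        "subsystem": "",
        "eventMessage": "alice : 3 incorrect password attempts ; TTY=ttys001 ; "
                        "PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/whoami",
    },
    {   # successful sudo: same user, no failure count, must be ignored
        "timestamp": "2024-01-10 09:15:30.000000-0800",
        "process": "sudo",
        "subsystem": "",
        "eventMessage": "alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/whoami",
    },
    {   # unrelated process mentioning the phrase; must be ignored
        "timestamp": "2024-01-10 09:16:00.000000-0800",
        "process": "loginwindow",
        "subsystem": "com.apple.loginwindow",
        "eventMessage": "incorrect password attempts noted",
    },
])

if __name__ == "__main__":
    for row in parse_failed_sudo(SAMPLE_LOG_JSON):
        print(row)
```

Running the module offline parses the constructed sample and yields one row for `alice` (3 attempts, target `root`, command `/usr/bin/whoami`); on a macOS host, `collect_failed_sudo()` runs the real `log show` query for the last 3 days.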
Forensic Value
Failed sudo events are critical indicators of privilege escalation attempts, brute force attacks against user credentials, insider threat activities, and unauthorized administrative access attempts. They help identify compromised accounts, policy violations, and potential security breaches before they succeed.