Sudo Last Run
Overview
Evidence:                  Sudo Last Run
Description:               Collect Sudo Last Run
Category:                  System
Platform:                  macos
Short Name:                slr
Is Parsed:                 Yes
Sent to Investigation Hub: Yes
Collect File(s):           No
Background
The sudo timestamp files track when users last successfully authenticated with sudo, allowing password-less sudo execution within a timeout period. These timestamps reveal privilege escalation activities and administrative command execution. Understanding sudo usage is essential for detecting unauthorized privilege escalation, lateral movement, and administrative access abuse.
Data Collected
This collector gathers structured data about the last sudo run recorded for each user on the system.
Sudo Last Run Data

Field               Display Name          Example value
UID                 UID                   123
User                User                  Example value
Source              Source                Example value
SudoRunTimestamp    Sudo Run Timestamp    2023-10-15 14:30:25+03:00
Collection Method
This collector parses binary timestamp files from /private/var/db/sudo/ts/, extracting user IDs and last sudo execution timestamps for each user who has used sudo on the system.
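As an added illustration of what parsing such a file involves (this is not the product's own parser), the Python below decodes sudo timestamp records assuming the record layout from sudo's timestamp.h (versions 1 and 2) on a 64-bit little-endian host. The stored time is a monotonic clock reading, so the boot time needed to turn it into a wall-clock timestamp is assumed to be supplied separately; the sample file bytes and boot time are constructed.

```python
import struct
from collections import namedtuple
from datetime import datetime, timedelta, timezone
# Fixed header shared by sudo timestamp record versions 1 and 2 on a 64-bit
# little-endian host: version, size, type, flags (u16 each), auth_uid (u32), sid (i32).
HEADER = struct.Struct("<HHHHIi")
TIMESPEC = struct.Struct("<qq")   # struct timespec: tv_sec, tv_nsec
TS_TYPES = {1: "TS_GLOBAL", 2: "TS_TTY", 3: "TS_PPID", 4: "TS_LOCKEXCL"}
TS_DISABLED = 0x01                # flag set by "sudo -k": the record is invalidated
SudoTimestamp = namedtuple("SudoTimestamp", "version type flags auth_uid sid ts_seconds")  # ts_seconds: monotonic seconds since boot

def parse_ts_file(data: bytes) -> list:
    """Walk the records of one /private/var/db/sudo/ts/<user> file."""
    entries, off = [], 0
    while off + HEADER.size <= len(data):
        version, size, ttype, flags, uid, sid = HEADER.unpack_from(data, off)
        # version 2 (sudo 1.8.28+) inserts a start_time timespec before ts
        need = HEADER.size + TIMESPEC.size * (2 if version >= 2 else 1)
        if size < need or off + size > len(data):
            raise ValueError(f"corrupt record size {size} at offset {off}")
        sec, nsec = TIMESPEC.unpack_from(data, off + need - TIMESPEC.size)
        entries.append(SudoTimestamp(version, TS_TYPES.get(ttype, f"UNKNOWN({ttype})"),
                                     flags, uid, sid, sec + nsec / 1e9))
        off += size
    return entries

def last_run_per_uid(entries, boot_time: datetime) -> dict:
    """Latest still-valid authentication per uid as wall-clock time (boot_time is
    assumed to be supplied from the host, e.g. sysctl kern.boottime)."""
    latest = {}
    for e in entries:
        if e.type == "TS_LOCKEXCL" or e.flags & TS_DISABLED:  # lock record or sudo -k
            continue
        when = boot_time + timedelta(seconds=e.ts_seconds)
        if e.auth_uid not in latest or when > latest[e.auth_uid]:
            latest[e.auth_uid] = when
    return latest

def _record(version, ttype, flags, uid, sid, ts_sec, ts_nsec) -> bytes:
    # Build one constructed record; the union field (ttydev/ppid) and padding are zeroed.
    body = HEADER.pack(version, 56 if version >= 2 else 40, ttype, flags, uid, sid)
    if version >= 2:
        body += TIMESPEC.pack(0, 0)   # start_time
    return body + TIMESPEC.pack(ts_sec, ts_nsec) + b"\0" * 8

# Constructed sample: lock record, a valid TTY record for uid 501, and a record
# for uid 502 that was invalidated with "sudo -k"; boot time is also constructed.
SAMPLE = (_record(2, 4, 0, 0, 0, 0, 0)
          + _record(2, 2, 0, 501, 4242, 3600, 500_000_000)
          + _record(2, 2, TS_DISABLED, 502, 4300, 7200, 0))
BOOT_TIME = datetime(2023, 10, 15, 13, 30, tzinfo=timezone.utc)
```

Because the clock value is relative to boot, a record whose converted time falls before the current boot belongs to an earlier session and should be treated with care when building a timeline.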
Forensic Value
Sudo timestamp data reveals when users gained elevated privileges, indicating administrative activities, privilege escalation attempts, or unauthorized access. Unexpected sudo usage may indicate compromised credentials, privilege escalation attacks, or malicious administrative actions. This evidence helps establish timelines for privileged activities and identify unauthorized elevated access.