Attackers may add configuration to /etc/sudoers.d/README as a persistence mechanism. The idea is that the file is supposed to be there, so it is unlikely to be scrutinized by a defender.
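A defender-side check for this technique, as an added example that is not code from the original post: it lists every line in the README that sudo would act on rather than ignore. The function name and the sample contents are constructed for illustration. It relies on documented sudoers syntax, where a leading `#` followed by digits is a user ID and `#include`/`#includedir` are directives, so filtering out every `#` line would miss them.

```python
import re
import sys

# '#' starts a comment in sudoers, except for include directives and for
# "#<digits>", which sudo reads as a numeric user ID.
ACTIVE_HASH = re.compile(r"#(include(dir)?\b|\d)")

# Constructed sample: stock-looking comments followed by two planted rules.
SAMPLE = """\
#
# The default /etc/sudoers file includes this directory.
#
#1001 ALL=(ALL) NOPASSWD: ALL
svc_backup ALL=(ALL) \\
    NOPASSWD: ALL
"""


def active_sudoers_lines(text):
    """Return (first_line_number, rule) for each line sudo would act on."""
    hits, pending, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            start = n
            # Blank lines and true comments are skipped and never joined to
            # the next line, so a trailing backslash cannot hide a rule.
            if not line or (line.startswith("#") and not ACTIVE_HASH.match(line)):
                continue
        if line.endswith("\\"):          # rule continues on the next line
            pending += line[:-1] + " "
            continue
        hits.append((start, " ".join((pending + line).split())))
        pending = ""
    if pending.strip():                  # file ended in mid-continuation
        hits.append((start, " ".join(pending.split())))
    return hits


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sudoers.d/README"
    with open(path, encoding="utf-8", errors="replace") as fh:
        found = active_sudoers_lines(fh.read())
    for lineno, rule in found:
        print(f"{path}:{lineno}: {rule}")
    sys.exit(1 if found else 0)
```

Any output is worth reviewing, and comparing the file against the copy shipped by the distribution's sudo package is a useful second check.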
sudoers README file persistence