PUA - NSudo Execution

Detects the use of the NSudo tool for command execution

Sigma rule

```yaml
title: PUA - NSudo Execution
id: 771d1eb5-9587-4568-95fb-9ec44153a012
status: test
description: Detects the use of NSudo tool for command execution
references:
    - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2022-01-24
modified: 2023-02-13
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\NSudo.exe'
              - '\NSudoLC.exe'
              - '\NSudoLG.exe'
        - OriginalFileName:
              - 'NSudo.exe'
              - 'NSudoLC.exe'
              - 'NSudoLG.exe'
    selection_cli:
        CommandLine|contains:
            # Covers Single/Double dash "-"/"--" + ":"
            - '-U:S ' # System
            - '-U:T ' # Trusted Installer
            - '-U:E ' # Elevated
            - '-P:E ' # Enable All Privileges
            - '-M:S ' # System Integrity
            - '-M:H ' # High Integrity
            # Covers Single/Double dash "-"/"--" + "="
            - '-U=S '
            - '-U=T '
            - '-U=E '
            - '-P=E '
            - '-M=S '
            - '-M=H '
            - '-ShowWindowMode:Hide'
    condition: all of selection_*
falsepositives:
    - Legitimate use by administrators
level: high
```
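To show how the two selections combine under `all of selection_*`, here is an added example (not part of the Sigma project or this rule) that evaluates the rule's matching logic in plain Python against constructed `process_creation` events; the `SAMPLE_EVENTS` records are made up for illustration, and Sigma's default case-insensitive string matching is assumed.

```python
"""Evaluate the NSudo Sigma rule's detection logic against sample events (added example)."""

# Values copied from the rule, lower-cased because Sigma matches case-insensitively.
IMAGE_SUFFIXES = ("\\nsudo.exe", "\\nsudolc.exe", "\\nsudolg.exe")
ORIGINAL_NAMES = ("nsudo.exe", "nsudolc.exe", "nsudolg.exe")
CLI_SUBSTRINGS = (
    "-u:s ", "-u:t ", "-u:e ", "-p:e ", "-m:s ", "-m:h ",   # dash + colon forms
    "-u=s ", "-u=t ", "-u=e ", "-p=e ", "-m=s ", "-m=h ",   # dash + equals forms
    "-showwindowmode:hide",
)


def selection_img(event: dict) -> bool:
    """selection_img: list of maps is OR-ed, so either Image|endswith or OriginalFileName suffices."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_NAMES


def selection_cli(event: dict) -> bool:
    """selection_cli: CommandLine|contains matches if any listed substring appears.
    '--U:S ' also matches because it contains '-U:S ', which is why one entry covers both dash styles."""
    cmd = event.get("CommandLine", "").lower()
    return any(s in cmd for s in CLI_SUBSTRINGS)


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold for the event to alert."""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry), one per case worth understanding.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\NSudo.exe", "OriginalFileName": "NSudo.exe",
     "CommandLine": r"NSudo.exe -U:S -P:E cmd.exe"},                      # single dash, colon
    {"Image": r"C:\Tools\NSudoLG.exe", "OriginalFileName": "NSudoLG.exe",
     "CommandLine": r"NSudoLG.exe --U=T --ShowWindowMode:Hide cmd.exe"},  # double dash, equals
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "NSudoLC.exe",
     "CommandLine": r"svc.exe -M:H powershell.exe"},                      # renamed file, PE name still matches
    {"Image": r"C:\Tools\NSudo.exe", "OriginalFileName": "NSudo.exe",
     "CommandLine": r"NSudo.exe -? "},                                     # NSudo without a covered switch
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c echo -U:S "},                             # switch text, wrong image
]


def evaluate_samples() -> list:
    """Return the rule verdict for each sample event in order."""
    return [matches_rule(e) for e in SAMPLE_EVENTS]
```

Only the first three events alert; the fourth fails `selection_cli` and the fifth fails `selection_img`, which is the conjunction the `condition` line enforces.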
