PUA - NSudo Execution
Detects the use of NSudo tool for command execution
Sigma rule (View on GitHub)
1title: PUA - NSudo Execution
2id: 771d1eb5-9587-4568-95fb-9ec44153a012
3status: test
4description: Detects the use of NSudo tool for command execution
5references:
6 - https://nsudo.m2team.org/en-us/
7 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
8author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
9date: 2022/01/24
10modified: 2023/02/13
11tags:
12 - attack.execution
13 - attack.t1569.002
14 - attack.s0029
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - Image|endswith:
21 - '\NSudo.exe'
22 - '\NSudoLC.exe'
23 - '\NSudoLG.exe'
24 - OriginalFileName:
25 - 'NSudo.exe'
26 - 'NSudoLC.exe'
27 - 'NSudoLG.exe'
28 selection_cli:
29 CommandLine|contains:
30 # Covers Single/Double dash "-"/"--" + ":"
31 - '-U:S ' # System
32 - '-U:T ' # Trusted Installer
33 - '-U:E ' # Elevated
34 - '-P:E ' # Enable All Privileges
35 - '-M:S ' # System Integrity
36 - '-M:H ' # High Integrity
37 # Covers Single/Double dash "-"/"--" + "="
38 - '-U=S '
39 - '-U=T '
40 - '-U=E '
41 - '-P=E '
42 - '-M=S '
43 - '-M=H '
44 - '-ShowWindowMode:Hide'
45 condition: all of selection_*
46falsepositives:
47 - Legitimate use by administrators
48level: high
References
-
Many Windows system files, registry keys, and services are owned by the (a.k.a LocalSystem) account, which has a high privilege level. If you need to modify a registry key owned by the account…
Read More
Related rules
- PUA - NirCmd Execution
- PsExec Tool Execution From Suspicious Locations - PipeName
- RemCom Service File Creation
- PsExec Service Installation
- CSExec Service File Creation