PUA - Wsudo Suspicious Execution

Detects usage of wsudo (Windows Sudo Utility), a tool that lets the user execute programs with different permissions (System, Trusted Installer, Administrator, etc.).

Sigma rule

```yaml
title: PUA - Wsudo Suspicious Execution
id: bdeeabc9-ff2a-4a51-be59-bb253aac7891
status: test
description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
references:
    - https://github.com/M2Team/Privexec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/12/02
modified: 2023/02/14
tags:
    - attack.execution
    - attack.privilege_escalation
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_metadata:
        - Image|endswith: '\wsudo.exe'
        - OriginalFileName: 'wsudo.exe'
        - Description: 'Windows sudo utility'
        - ParentImage|endswith: '\wsudo-bridge.exe'
    selection_cli:
        CommandLine|contains:
            - '-u System'
            - '-uSystem'
            - '-u TrustedInstaller'
            - '-uTrustedInstaller'
            - ' --ti '
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
```
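To make the rule's logic concrete, the following is an added example (not code from the Sigma project or the rule author) that re-implements the two selections and the `1 of selection_*` condition in plain Python and runs them over a handful of constructed Windows `process_creation` events. The event dictionaries and their paths are constructed samples; field names follow the Sigma process_creation taxonomy used in the rule, and string comparisons are case-insensitive because that is how Sigma backends evaluate plain and `endswith`/`contains` string matches.

```python
"""Minimal matcher for the 'PUA - Wsudo Suspicious Execution' rule logic.

Added example, not part of the Sigma project. Events below are constructed.
"""

# selection_metadata is a YAML list of single-field maps, which Sigma ORs together.
SELECTION_METADATA = [
    ("Image", "endswith", "\\wsudo.exe"),
    ("OriginalFileName", "equals", "wsudo.exe"),
    ("Description", "equals", "Windows sudo utility"),
    ("ParentImage", "endswith", "\\wsudo-bridge.exe"),
]

# selection_cli: CommandLine|contains with a list of values, also ORed.
CLI_PATTERNS = [
    "-u System",
    "-uSystem",
    "-u TrustedInstaller",
    "-uTrustedInstaller",
    " --ti ",
]


def _field_matches(event, field, op, value):
    """Apply one Sigma string comparison case-insensitively; missing field never matches."""
    actual = event.get(field)
    if actual is None:
        return False
    a, v = str(actual).lower(), value.lower()
    if op == "equals":
        return a == v
    if op == "endswith":
        return a.endswith(v)
    if op == "contains":
        return v in a
    raise ValueError(f"unsupported modifier: {op}")


def selection_metadata(event):
    """True if any of the four metadata conditions holds."""
    return any(_field_matches(event, f, op, v) for f, op, v in SELECTION_METADATA)


def selection_cli(event):
    """True if CommandLine contains any of the listed privilege-switch flags."""
    return any(_field_matches(event, "CommandLine", "contains", p) for p in CLI_PATTERNS)


def matched_selections(event):
    """Names of the selections that fired, in rule order."""
    checks = (("selection_metadata", selection_metadata), ("selection_cli", selection_cli))
    return [name for name, fn in checks if fn(event)]


def matches(event):
    """condition: 1 of selection_*  ->  any selection firing is an alert."""
    return bool(matched_selections(event))


# Constructed sample events (paths and command lines are invented for the demo).
SAMPLE_EVENTS = [
    # Original binary name and a System switch: both selections fire.
    {"Image": "C:\\Tools\\wsudo.exe",
     "CommandLine": "wsudo.exe -u System cmd.exe"},
    # Renamed binary: Image no longer matches, but OriginalFileName (from the
    # PE version resource) still does, and the command line also matches.
    {"Image": "C:\\Users\\bob\\svc.exe", "OriginalFileName": "wsudo.exe",
     "CommandLine": "svc.exe -uTrustedInstaller regedit.exe"},
    # Child spawned by the bridge process: only the ParentImage check fires.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Tools\\wsudo-bridge.exe", "CommandLine": "cmd.exe"},
    # Benign process: nothing fires.
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes.txt"},
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event and return the list of fired selections per event."""
    return [matched_selections(e) for e in events]


if __name__ == "__main__":
    for event, fired in zip(SAMPLE_EVENTS, run()):
        print(f"{event.get('Image')!s:45} -> {fired or 'no match'}")
```

Two details worth noticing when tuning this rule: the `' --ti '` pattern carries a space on each side, so a command line that ends in `--ti` with nothing after it is not caught by `selection_cli` and relies on `selection_metadata` instead; and because `OriginalFileName` and `Description` come from the executable's version resource, the metadata selection still fires when the file on disk has been renamed, which is why the rule does not depend on `Image` alone.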
