PUA - Wsudo Suspicious Execution
Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
Sigma rule (View on GitHub)
1title: PUA - Wsudo Suspicious Execution
2id: bdeeabc9-ff2a-4a51-be59-bb253aac7891
3status: test
4description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
5references:
6 - https://github.com/M2Team/Privexec/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/12/02
9modified: 2023/02/14
10tags:
11 - attack.execution
12 - attack.privilege_escalation
13 - attack.t1059
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_metadata:
19 - Image|endswith: '\wsudo.exe'
20 - OriginalFileName: 'wsudo.exe'
21 - Description: 'Windows sudo utility'
22 - ParentImage|endswith: '\wsudo-bridge.exe'
23 selection_cli:
24 CommandLine|contains:
25 - '-u System'
26 - '-uSystem'
27 - '-u TrustedInstaller'
28 - '-uTrustedInstaller'
29 - ' --ti '
30 condition: 1 of selection_*
31falsepositives:
32 - Unknown
33level: high
References
Related rules
- Elevated System Shell Spawned From Uncommon Parent Location
- HackTool - Sliver C2 Implant Activity Pattern
- PSEXEC Remote Execution File Artefact
- PUA - AdvancedRun Execution
- Potential Dosfuscation Activity