← Back to Explore
sigmahighHunting
PUA - NSudo Execution
Detects the use of NSudo tool for command execution
Detection Query
selection_img:
- Image|endswith:
- \NSudo.exe
- \NSudoLC.exe
- \NSudoLG.exe
- OriginalFileName:
- NSudo.exe
- NSudoLC.exe
- NSudoLG.exe
selection_cli:
CommandLine|contains:
- "-U:S "
- "-U:T "
- "-U:E "
- "-P:E "
- "-M:S "
- "-M:H "
- "-U=S "
- "-U=T "
- "-U=E "
- "-P=E "
- "-M=S "
- "-M=H "
- -ShowWindowMode:Hide
condition: all of selection_*
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali
Created
2022-01-24
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1569.002attack.s0029
Raw Content
title: PUA - NSudo Execution
id: 771d1eb5-9587-4568-95fb-9ec44153a012
status: test
description: Detects the use of NSudo tool for command execution
references:
- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
- https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2022-01-24
modified: 2023-02-13
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\NSudo.exe'
- '\NSudoLC.exe'
- '\NSudoLG.exe'
- OriginalFileName:
- 'NSudo.exe'
- 'NSudoLC.exe'
- 'NSudoLG.exe'
selection_cli:
CommandLine|contains:
# Covers Single/Double dash "-"/"--" + ":"
- '-U:S ' # System
- '-U:T ' # Trusted Installer
- '-U:E ' # Elevated
- '-P:E ' # Enable All Privileges
- '-M:S ' # System Integrity
- '-M:H ' # High Integrity
# Covers Single/Double dash "-"/"--" + "="
- '-U=S '
- '-U=T '
- '-U=E '
- '-P=E '
- '-M=S '
- '-M=H '
- '-ShowWindowMode:Hide'
condition: all of selection_*
falsepositives:
- Legitimate use by administrators
level: high