Nterl0k T1134.001-3 Nsussudio (#2606)

* Update T1134.001.md

* Update T1134.001.yaml

* Update T1134.001.yaml

* Update T1134.001.md

---------

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1134.001/T1134.001.md

@@ -97,7 +97,7 @@ NSudo download observed after maldoc execution. NSudo is a system management too
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| nsudo_path | Path to the NSudo bat file | path | PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe|
+| nsudo_path | Path to the NSudoLG.exe file | path | PathToAtomicsFolder\T1134.001\bin\NSudoLG.exe|
 
 
 #### Attack Commands: Run with `powershell`! 
@@ -113,7 +113,7 @@ Stop-Process -Name "cmd" -force -erroraction silentlycontinue
 
 
 #### Dependencies:  Run with `powershell`!
-##### Description: NSudo.bat must exist in the specified path #{nsudo_path}
+##### Description: NSudoLG.exe must exist in the specified path #{nsudo_path}
 ##### Check Prereq Commands:
 ```powershell
 if (Test-Path "#{nsudo_path}") {exit 0} else {exit 1}
@@ -123,8 +123,9 @@ if (Test-Path "#{nsudo_path}") {exit 0} else {exit 1}
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
 Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Force
-Rename-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"
+Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"
 Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -Recurse -ErrorAction Ignore
+Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Recurse -ErrorAction Ignore
 ```
 
 

atomics/T1134.001/T1134.001.yaml

@@ -38,21 +38,22 @@ atomic_tests:
   - windows
   input_arguments:
     nsudo_path:
-      description: 'Path to the NSudo bat file'
+      description: 'Path to the NSudoLG.exe file'
       type: path
-      default: PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe
+      default: PathToAtomicsFolder\T1134.001\bin\NSudoLG.exe
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      NSudo.bat must exist in the specified path #{nsudo_path}
+      NSudoLG.exe must exist in the specified path #{nsudo_path}
     prereq_command: |
       if (Test-Path "#{nsudo_path}") {exit 0} else {exit 1}
     get_prereq_command: |
       New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
       Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
       Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Force
-      Rename-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"
+      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"
       Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -Recurse -ErrorAction Ignore
+      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Recurse -ErrorAction Ignore
   executor:
     command: |
       Start-Process "#{nsudo_path}" -Argument "-U:T -P:E cmd"