From 12e54c4d08cd18889535ab166a89abb2146052ff Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 17 Nov 2023 12:48:52 -0500
Subject: [PATCH] Nterl0k T1134.001-3 Nsussudio (#2606)
* Update T1134.001.md
* Update T1134.001.yaml
* Update T1134.001.yaml
* Update T1134.001.md
---------
Co-authored-by: Carrie Roberts
---
 atomics/T1134.001/T1134.001.md | 7 ++++---
 atomics/T1134.001/T1134.001.yaml | 9 +++++----
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/atomics/T1134.001/T1134.001.md b/atomics/T1134.001/T1134.001.md
index e008a429..4fbb30df 100644
--- a/atomics/T1134.001/T1134.001.md
+++ b/atomics/T1134.001/T1134.001.md
@@ -97,7 +97,7 @@ NSudo download observed after maldoc execution. NSudo is a system management too
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| nsudo_path | Path to the NSudo bat file | path | PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe|
+| nsudo_path | Path to the NSudoLG.exe file | path | PathToAtomicsFolder\T1134.001\bin\NSudoLG.exe|
 #### Attack Commands: Run with `powershell`!
@@ -113,7 +113,7 @@ Stop-Process -Name "cmd" -force -erroraction silentlycontinue
 #### Dependencies: Run with `powershell`!
-##### Description: NSudo.bat must exist in the specified path #{nsudo_path}
+##### Description: NSudoLG.exe must exist in the specified path #{nsudo_path}
 ##### Check Prereq Commands:
 ```powershell
 if (Test-Path "#{nsudo_path}") {exit 0} else {exit 1} 
@@ -123,8 +123,9 @@ if (Test-Path "#{nsudo_path}") {exit 0} else {exit 1}
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
 Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Force
-Rename-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"
+Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"
 Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -Recurse -ErrorAction Ignore
+Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Recurse -ErrorAction Ignore
 ```
diff --git a/atomics/T1134.001/T1134.001.yaml b/atomics/T1134.001/T1134.001.yaml
index 5f95e522..be3722c0 100644
--- a/atomics/T1134.001/T1134.001.yaml
+++ b/atomics/T1134.001/T1134.001.yaml
@@ -38,21 +38,22 @@ atomic_tests:
 - windows
 input_arguments:
 nsudo_path:
- description: 'Path to the NSudo bat file'
+ description: 'Path to the NSudoLG.exe file'
 type: path
- default: PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe
+ default: PathToAtomicsFolder\T1134.001\bin\NSudoLG.exe
 dependency_executor_name: powershell
 dependencies:
 - description: |
- NSudo.bat must exist in the specified path #{nsudo_path}
+ NSudoLG.exe must exist in the specified path #{nsudo_path}
 prereq_command: |
 if (Test-Path "#{nsudo_path}") {exit 0} else {exit 1}
 get_prereq_command: |
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
 Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Force
- Rename-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"
+ Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"
 Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -Recurse -ErrorAction Ignore
+ Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Recurse -ErrorAction Ignore
 executor:
 command: |
 Start-Process "#{nsudo_path}" -Argument "-U:T -P:E cmd"
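Review bot: The new `get_prereq_command` still fetches `NSudo_8.2_All_Components.zip` with `Invoke-WebRequest` and copies `NSudoLG.exe` into place with no integrity check, while the `executor` line at the end of the hunk launches that binary with `-U:T`; pinning the archive's SHA-256 before `Expand-Archive` makes the prerequisite reproducible and stops a swapped release artifact from being run at that privilege level. The `Copy-Item` destination also moved from the ExternalPayloads tree to `PathToAtomicsFolder\T1134.001\bin\NSudoLG.exe`, but nothing in the hunk creates that `bin` directory (the commit touches only the two listed files), so on a checkout where it does not already exist `Copy-Item` fails with a missing-path error. Creating the destination's parent with `New-Item`, as the block already does for ExternalPayloads, closes that gap. The generated `T1134.001.md` hunk at `@@ -123,8 +123,9 @@` mirrors the same commands and would need the same change.
```yaml
    get_prereq_command: |
      # … unchanged: New-Item, Invoke-WebRequest …
      # placeholder: replace with the SHA-256 published for the 8.2 release archive
      $expectedHash = "<SHA256-OF-NSudo_8.2_All_Components.zip>"
      if ((Get-FileHash "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -Algorithm SHA256).Hash -ne $expectedHash) { throw "NSudo archive hash mismatch" }
      # … unchanged: Expand-Archive …
      New-Item -Type Directory (Split-Path "#{nsudo_path}") -ErrorAction Ignore -Force | Out-Null
      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"
      # … unchanged: Remove-Item cleanup …
```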