diff --git a/rules/windows/process_creation/proc_creation_win_tool_nsudo_as_system.yml b/rules/windows/process_creation/proc_creation_win_tool_nsudo_as_system.yml
index df52cdf95..b4dfffeea 100644
--- a/rules/windows/process_creation/proc_creation_win_tool_nsudo_as_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_tool_nsudo_as_system.yml
@@ -1,9 +1,10 @@
-title: NSudo Tool Execution As System
+title: NSudo Tool Execution
 id: 771d1eb5-9587-4568-95fb-9ec44153a012
 status: experimental
 description: Detects the use of NSudo tool for command execution
-author: Florian Roth
+author: Florian Roth, Nasreddine Bencherchali
 date: 2022/01/24
+modified: 2022/06/07
 references:
     - https://nsudo.m2team.org/en-us/
     - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
@@ -15,10 +16,46 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        Image|endswith: '\NSudo.exe'
-        CommandLine|contains: ' -U:S '
-    condition: selection
+    selection_img:
+        - Image|endswith:
+            - '\NSudo.exe'
+            - '\NSudoLC.exe'
+            - '\NSudoLG.exe'
+        - OriginalFileName:
+            - 'NSudo.exe'
+            - 'NSudoLC.exe'
+            - 'NSudoLG.exe'
+    selection_cli:
+        CommandLine|contains:
+            # Covers Single dash "-" + ":"
+            - ' -U:S ' # System
+            - ' -U:T ' # Trusted Installer
+            - ' -U:E ' # Elevated
+            - ' -P:E ' # Enable All Privileges
+            - ' -M:S ' # System Integrity
+            - ' -M:H ' # High Integrity
+            # Covers double "--" + ":"
+            - ' --U:S '
+            - ' --U:T '
+            - ' --U:E '
+            - ' --P:E '
+            - ' --M:S '
+            - ' --M:H '
+            # Covers Single dash "-" + "="
+            - ' -U=S '
+            - ' -U=T '
+            - ' -U=E '
+            - ' -P=E '
+            - ' -M=S '
+            - ' -M=H '
+            # Covers double "--" + "="
+            - ' --U=S '
+            - ' --U=T '
+            - ' --U=E '
+            - ' --P=E '
+            - ' --M=S '
+            - ' --M=H '
+    condition: all of selection*
 fields:
     - CommandLine
     - ParentCommandLine
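Review bot: The `selection_cli` enumeration in the second hunk is exhaustive only for `-`/`--` prefixes with `:`/`=` separators; if NSudo's parser also accepts `/` as an option prefix (confirm against the NSudo documentation linked in the references), a command line such as `NSudo.exe /U:S cmd` slips through, and the space-delimited `contains` strings also miss tab-separated arguments. If that is confirmed, either add the six `' /U:S '`-style variants or collapse the whole list into one expression, `CommandLine|re: '\s[-/]{1,2}(U[:=][STE]|P[:=]E|M[:=][SH])\s'`, keeping in mind that backend regex support and case handling vary. Every string also requires a trailing space, so an option placed last on the command line is not matched — acceptable because NSudo needs a command to launch, but worth stating with a comment like `# trailing space: the option must be followed by the command to run`. Adding `-U:E` and `-M:H` widens the rule from SYSTEM/TrustedInstaller to any elevation, so the `falsepositives` section (outside this hunk) should mention administrators who use NSudo legitimately, and the unchanged `description` on the first hunk no longer reflects that the rule now also covers privilege and integrity-level flags.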