PUA - NSudo Execution

Severity: high
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
Source: upstream

Detects the use of NSudo tool for command execution

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1569.002` System Services: Service Execution

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\NSudo.exe'
Image|endswith: '\NSudoLC.exe'
Image|endswith: '\NSudoLG.exe'
OriginalFileName: NSudo.exe
OriginalFileName: NSudoLC.exe
OriginalFileName: NSudoLG.exe

Stage 2: `all of selection_cli`

or:
CommandLine|contains: '-M:H '
CommandLine|contains: '-M:S '
CommandLine|contains: '-M=H '
CommandLine|contains: '-M=S '
CommandLine|contains: '-P:E '
CommandLine|contains: '-P=E '
CommandLine|contains: '-ShowWindowMode:Hide'
CommandLine|contains: '-U:E '
CommandLine|contains: '-U:S '
CommandLine|contains: '-U:T '
CommandLine|contains: '-U=E '
CommandLine|contains: '-U=S '
CommandLine|contains: '-U=T '

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`-M:H` `-M:S` `-M=H` `-M=S` `-P:E` `-P=E` `-ShowWindowMode:Hide` `-U:E` `-U:S` `-U:T` `-U=E` `-U=S` `-U=T`
`Image`	ends_with	`\NSudo.exe` `\NSudoLC.exe` `\NSudoLG.exe`
`OriginalFileName`	eq	`NSudo.exe` `NSudoLC.exe` `NSudoLG.exe`