Potential Persistence Via Notepad++ Plugins
Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
Sigma rule (View on GitHub)
1title: Potential Persistence Via Notepad++ Plugins
2id: 54127bd4-f541-4ac3-afdb-ea073f63f692
3status: test
4description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
5references:
6 - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/06/10
9modified: 2023/01/05
10tags:
11 - attack.persistence
12logsource:
13 product: windows
14 category: file_event
15detection:
16 selection:
17 TargetFilename|contains: '\Notepad++\plugins\'
18 TargetFilename|endswith: '.dll'
19 filter_gup:
20 Image|endswith: '\Notepad++\updater\gup.exe'
21 filter_install:
22 # This filter is for Sigma dataset you could remove it or change when using the rule in your own env
23 Image|startswith: 'C:\Users\'
24 Image|contains: '\AppData\Local\Temp\'
25 Image|endswith:
26 - '\target.exe'
27 - 'Installer.x64.exe'
28 condition: selection and not 1 of filter_*
29falsepositives:
30 - Possible FPs during first installation of Notepad++
31 - Legitimate use of custom plugins by users in order to enhance notepad++ functionalities
32level: medium
References
-
It is not uncommon a windows environment especially dedicated servers which are managed by developers or IT staff to have installed the Notepad++ text editor. Except of the storage of scripts and a…
Read More
Related rules
- Linux Webshell Indicators
- Persistence Via Sudoers Files
- Potential Persistence Via Security Descriptors - ScriptBlock
- Potential RipZip Attack on Startup Folder
- Potential Suspicious Activity Using SeCEdit