Arbitrary Binary Execution Using GUP Utility
Detects execution of the Notepad++ updater (gup) to launch other commands or executables
Sigma rule (View on GitHub)
1title: Arbitrary Binary Execution Using GUP Utility
2id: d65aee4d-2292-4cea-b832-83accd6cfa43
3status: test
4description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
5references:
6 - https://twitter.com/nas_bench/status/1535322445439180803
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-06-10
9modified: 2023-03-02
10tags:
11 - attack.execution
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 ParentImage|endswith: '\gup.exe'
18 Image|endswith: '\explorer.exe'
19 filter:
20 Image|endswith: '\explorer.exe'
21 CommandLine|contains: '\Notepad++\notepad++.exe'
22 filter_parent:
23 ParentImage|contains: '\Notepad++\updater\'
24 filter_null:
25 CommandLine: null
26 condition: selection and not 1 of filter*
27falsepositives:
28 - Other parent binaries using GUP not currently identified
29level: medium
References
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType
- APT29 2018 Phishing Campaign CommandLine Indicators
- AWS EC2 Startup Shell Script Change