Arbitrary Binary Execution Using GUP Utility
Detects execution of the Notepad++ updater (gup) to launch other commands or executables
Sigma rule (View on GitHub)
1title: Arbitrary Binary Execution Using GUP Utility
2id: d65aee4d-2292-4cea-b832-83accd6cfa43
3status: test
4description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
5references:
6 - https://twitter.com/nas_bench/status/1535322445439180803
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/06/10
9modified: 2023/03/02
10tags:
11 - attack.execution
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 ParentImage|endswith: '\gup.exe'
18 Image|endswith: '\explorer.exe'
19 filter:
20 Image|endswith: '\explorer.exe'
21 CommandLine|contains: '\Notepad++\notepad++.exe'
22 filter_parent:
23 ParentImage|contains: '\Notepad++\updater\'
24 filter_null:
25 CommandLine: null
26 condition: selection and not 1 of filter*
27falsepositives:
28 - Other parent binaries using GUP not currently identified
29level: medium
References
Related rules
- Application Removed Via Wmic.EXE
- Arbitrary File Download Via MSPUB.EXE
- Cmd.EXE Missing Space Characters Execution Anomaly
- Computer System Reconnaissance Via Wmic.EXE
- HackTool - Jlaive In-Memory Assembly Execution