Arbitrary Binary Execution Using GUP Utility

Detects execution of the Notepad++ updater (gup) to launch other commands or executables

Sigma rule (View on GitHub)

 1title: Arbitrary Binary Execution Using GUP Utility
 2id: d65aee4d-2292-4cea-b832-83accd6cfa43
 3status: test
 4description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
 5references:
 6    - https://twitter.com/nas_bench/status/1535322445439180803
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-06-10
 9modified: 2023-03-02
10tags:
11    - attack.execution
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        ParentImage|endswith: '\gup.exe'
18        Image|endswith: '\explorer.exe'
19    filter:
20        Image|endswith: '\explorer.exe'
21        CommandLine|contains: '\Notepad++\notepad++.exe'
22    filter_parent:
23        ParentImage|contains: '\Notepad++\updater\'
24    filter_null:
25        CommandLine: null
26    condition: selection and not 1 of filter*
27falsepositives:
28    - Other parent binaries using GUP not currently identified
29level: medium

References

Related rules

to-top