Suspicious GUP Usage
Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
Sigma rule
title: Suspicious GUP Usage
id: 0a4f6091-223b-41f6-8743-f322ec84930b
status: test
description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
references:
    - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
author: Florian Roth (Nextron Systems)
date: 2019-02-06
modified: 2022-08-13
tags:
    - attack.defense-evasion
    - attack.t1574.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\GUP.exe'
    filter_programfiles:
        Image|endswith:
            - '\Program Files\Notepad++\updater\GUP.exe'
            - '\Program Files (x86)\Notepad++\updater\GUP.exe'
    filter_user:
        Image|contains: '\Users\'
        Image|endswith:
            - '\AppData\Local\Notepad++\updater\GUP.exe'
            - '\AppData\Roaming\Notepad++\updater\GUP.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
level: high
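To make the detection logic concrete, here is an added example (not part of the Sigma rule or the Sigma project) that evaluates the rule's condition in plain Python over a handful of constructed process_creation events. It reproduces the Sigma semantics the rule relies on: string modifiers match case-insensitively, the two values inside filter_user are ANDed, list values are ORed, and `1 of filter_*` is true when any filter selection matches. The event dictionaries and paths are constructed for illustration, not real telemetry.

```python
"""Evaluate the 'Suspicious GUP Usage' Sigma logic over constructed events.

Added example: a hand-written evaluator, not a Sigma backend. Field values are
copied from the rule; backslashes are doubled because these are Python strings.
"""

# selection: Image|endswith '\GUP.exe'
SELECTION_SUFFIX = "\\GUP.exe"

# filter_programfiles: Image|endswith (list => OR)
PROGRAMFILES_SUFFIXES = (
    "\\Program Files\\Notepad++\\updater\\GUP.exe",
    "\\Program Files (x86)\\Notepad++\\updater\\GUP.exe",
)

# filter_user: Image|contains AND Image|endswith (list => OR)
USER_CONTAINS = "\\Users\\"
USER_SUFFIXES = (
    "\\AppData\\Local\\Notepad++\\updater\\GUP.exe",
    "\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe",
)


def _endswith_any(value: str, suffixes) -> bool:
    """Sigma's default string matching is case-insensitive."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def selection(event: dict) -> bool:
    return _endswith_any(event.get("Image", ""), (SELECTION_SUFFIX,))


def filter_programfiles(event: dict) -> bool:
    return _endswith_any(event.get("Image", ""), PROGRAMFILES_SUFFIXES)


def filter_user(event: dict) -> bool:
    image = event.get("Image", "")
    # Two fields inside one selection are ANDed in Sigma.
    return USER_CONTAINS.lower() in image.lower() and _endswith_any(image, USER_SUFFIXES)


def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_*"""
    return selection(event) and not (filter_programfiles(event) or filter_user(event))


# Constructed sample events (not real logs): two legitimate install paths,
# one per-user install, two GUP.exe copies outside any updater folder, and
# an unrelated process.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Notepad++\\updater\\GUP.exe"},
    {"Image": "C:\\Program Files (x86)\\Notepad++\\updater\\GUP.exe"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Notepad++\\updater\\GUP.exe"},
    {"Image": "C:\\Users\\Public\\Libraries\\GUP.exe"},
    {"Image": "C:\\Windows\\Temp\\gup.exe"},  # lower-case name still matches
    {"Image": "C:\\Windows\\System32\\notepad.exe"},
]


def alerts(events) -> list:
    """Return the Image paths of events that satisfy the rule condition."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("ALERT Suspicious GUP Usage:", image)
```

Running it flags only the two copies of GUP.exe that sit outside the known Notepad++ updater directories; the Program Files and per-user AppData installs are suppressed by the filters. The `\Users\` contains-check in filter_user matters: without it, an AppData-shaped suffix under any other root would also be whitelisted. Note that the rule keys purely on the image path, so a renamed or relocated legitimate GUP.exe (the false-positive case the rule lists) fires too; correlating with the parent process or the binary's signature is the usual triage step.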
References
- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
Related rules
- APT27 - Emissary Panda Activity
- Creation Of Non-Existent System DLL
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL
- DHCP Server Loaded the CallOut DLL