Suspicious GUP Usage
Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
Sigma rule
title: Suspicious GUP Usage
id: 0a4f6091-223b-41f6-8743-f322ec84930b
status: test
description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
references:
    - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
author: Florian Roth (Nextron Systems)
date: 2019-02-06
modified: 2022-08-13
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\GUP.exe'
    filter_programfiles:
        Image|endswith:
            - '\Program Files\Notepad++\updater\GUP.exe'
            - '\Program Files (x86)\Notepad++\updater\GUP.exe'
    filter_user:
        Image|contains: '\Users\'
        Image|endswith:
            - '\AppData\Local\Notepad++\updater\GUP.exe'
            - '\AppData\Roaming\Notepad++\updater\GUP.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
level: high
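The following Python is an added example, not part of the Sigma rule or of the Sigma project: it re-implements the rule's `selection and not 1 of filter_*` logic by hand and runs it over a handful of constructed process-creation records, so a detection engineer can see exactly which image paths fire the alert and which are excused by the two filters. It assumes Sigma's default case-insensitive string matching and that the event field is named `Image`, as in the rule; the host names and paths in the sample events are constructed, not real telemetry.

```python
"""Hand-written evaluator for the 'Suspicious GUP Usage' Sigma rule logic.

Added example (not code from the rule page). Mirrors the rule's detection
block: the image must end with \\GUP.exe, and hits are suppressed when the
path is one of the expected Notepad++ updater locations.
"""

# Per-machine install locations excused by filter_programfiles.
PROGRAMFILES_SUFFIXES = (
    r"\Program Files\Notepad++\updater\GUP.exe",
    r"\Program Files (x86)\Notepad++\updater\GUP.exe",
)

# Per-user install locations excused by filter_user (which also requires
# '\Users\' somewhere in the path; fields inside one selection are ANDed).
USER_SUFFIXES = (
    r"\AppData\Local\Notepad++\updater\GUP.exe",
    r"\AppData\Roaming\Notepad++\updater\GUP.exe",
)


def matches_rule(image: str) -> bool:
    """Return True when a process image path would trigger the rule.

    Sigma string modifiers (endswith/contains) match case-insensitively by
    default, so everything is lower-cased before comparison.
    """
    img = image.lower()
    selection = img.endswith(r"\gup.exe")
    filter_programfiles = any(img.endswith(s.lower()) for s in PROGRAMFILES_SUFFIXES)
    filter_user = "\\users\\" in img and any(
        img.endswith(s.lower()) for s in USER_SUFFIXES
    )
    # condition: selection and not 1 of filter_*
    return selection and not (filter_programfiles or filter_user)


def evaluate(events):
    """Run the rule over an iterable of process_creation dicts; return the hits."""
    return [e for e in events if matches_rule(e.get("Image", ""))]


# Constructed sample events (hypothetical paths, assumed field name 'Image').
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Notepad++\updater\GUP.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\Music\GUP.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\update\gup.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    # Only the two GUP.exe copies outside the expected updater folders are reported.
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT Suspicious GUP Usage:", hit["Image"])
```

Running the script reports only the third and fourth sample events: the first two sit in the expected updater folders, and the last is not GUP.exe at all. Note that filter_user needs both conditions at once, so a GUP.exe in a user profile but outside the AppData updater path still alerts, which is the behaviour the rule's high level relies on.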
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation Of Non-Existent System DLL
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation