Suspicious GUP Usage
Detects execution of the Notepad++ updater (GUP.exe) from a directory other than its legitimate install locations (Program Files, or the per-user AppData install), a pattern used in DLL side-loading attacks: the signed updater is copied elsewhere together with a malicious DLL that it loads from its own directory. The referenced FireEye report on APT10 documents this technique against Japanese organisations.
Sigma rule

```yaml
title: Suspicious GUP Usage
id: 0a4f6091-223b-41f6-8743-f322ec84930b
status: test
description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
references:
    - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
author: Florian Roth (Nextron Systems)
date: 2019/02/06
modified: 2022/08/13
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\GUP.exe'
    filter_programfiles:
        Image|endswith:
            - '\Program Files\Notepad++\updater\GUP.exe'
            - '\Program Files (x86)\Notepad++\updater\GUP.exe'
    filter_user:
        Image|contains: '\Users\'
        Image|endswith:
            - '\AppData\Local\Notepad++\updater\GUP.exe'
            - '\AppData\Roaming\Notepad++\updater\GUP.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
level: high
```
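To see exactly which process paths the rule alerts on, the following is an added example (not part of the Sigma rule or the SigmaHQ project) that re-implements the rule's selection and filter logic in Python and runs it over a handful of constructed `process_creation` events. It assumes only the `Image` field of each event and follows Sigma's default case-insensitive string matching; the sample paths are made up for illustration, not taken from any real incident.

```python
# Added example: minimal re-implementation of the "Suspicious GUP Usage" rule
# logic, evaluated over constructed process_creation events. Not SigmaHQ code.
# Sigma string modifiers (endswith/contains) match case-insensitively, so every
# comparison is done on lower-cased values.

SELECTION_SUFFIX = "\\gup.exe"

# filter_programfiles: Image|endswith (any of)
FILTER_PROGRAMFILES_SUFFIXES = (
    "\\program files\\notepad++\\updater\\gup.exe",
    "\\program files (x86)\\notepad++\\updater\\gup.exe",
)

# filter_user: Image|contains AND Image|endswith (any of)
FILTER_USER_CONTAINS = "\\users\\"
FILTER_USER_SUFFIXES = (
    "\\appdata\\local\\notepad++\\updater\\gup.exe",
    "\\appdata\\roaming\\notepad++\\updater\\gup.exe",
)


def _image(event: dict) -> str:
    """Lower-cased Image field; missing field never matches anything."""
    return str(event.get("Image", "")).lower()


def selection(event: dict) -> bool:
    return _image(event).endswith(SELECTION_SUFFIX)


def filter_programfiles(event: dict) -> bool:
    return _image(event).endswith(FILTER_PROGRAMFILES_SUFFIXES)


def filter_user(event: dict) -> bool:
    img = _image(event)
    # Both fields inside one Sigma map are ANDed: the path must contain
    # '\Users\' AND end with one of the AppData updater locations.
    return FILTER_USER_CONTAINS in img and img.endswith(FILTER_USER_SUFFIXES)


def is_suspicious_gup(event: dict) -> bool:
    """condition: selection and not 1 of filter_*"""
    return selection(event) and not (filter_programfiles(event) or filter_user(event))


# Constructed sample events (hypothetical paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Notepad++\updater\GUP.exe"},              # legit install
    {"Image": r"C:\Program Files (x86)\Notepad++\updater\GUP.exe"},        # legit 32-bit install
    {"Image": r"C:\Users\alice\AppData\Local\Notepad++\updater\GUP.exe"},  # per-user install
    {"Image": r"C:\Users\alice\AppData\Roaming\Notepad++\updater\GUP.exe"},# per-user install
    {"Image": r"C:\Users\Public\Downloads\GUP.exe"},                       # copied updater
    {"Image": r"C:\ProgramData\Update\gup.EXE"},                           # mixed case still matches
    {"Image": r"C:\Temp\AppData\Local\Notepad++\updater\GUP.exe"},        # no '\Users\' => filter_user fails
    {"Image": r"C:\Windows\Temp\notgup.exe"},                              # not GUP.exe at all
]


def alerts(events) -> list:
    """Return the Image paths that the rule would alert on."""
    return [e["Image"] for e in events if is_suspicious_gup(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT Suspicious GUP Usage:", path)
```

Two things worth noting from the run: the seventh event alerts even though it ends with the AppData updater suffix, because `filter_user` also requires `\Users\` in the path, and the rule is purely path-based, so a copy of GUP.exe planted directly into the legitimate `Notepad++\updater` directory (or renamed to something other than GUP.exe) would not fire it. Pairing this rule with image-load telemetry (a DLL loaded by GUP.exe from a non-standard directory) or binary signature checks closes that gap.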
Related rules
- Fax Service DLL Search Order Hijack
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- DNS Server Error Failed Loading the ServerLevelPluginDLL
- Xwizard DLL Sideloading
- UAC Bypass With Fake DLL