Type: Detection | Level: high | Status: experimental
Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations, i.e. outside the Notepad++ install directory, the updater's own temporary installer and archive downloads under the user's Temp folder, and the Recycle Bin. This could indicate exploitation of the updater component to deliver malware or other unwanted files.
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Tue Feb 03
Rule ID: 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
Product: windows
Log Source
Product: windows
Category: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
detection:
    selection:
        Image|endswith: '\gup.exe'
    filter_main_legit_paths:
        TargetFilename|startswith:
            - 'C:\Program Files\Notepad++\'
            - 'C:\Program Files (x86)\Notepad++\'
    filter_main_temp_update_installer:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - 'npp.'
            - '.Installer.'
            - '.exe'
    filter_main_temp_generic_zip:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '.zip'
    filter_main_recycle_bin:
        TargetFilename|startswith: 'C:\$Recycle.Bin\S-1-5-21'
    condition: selection and not 1 of filter_main_*
False Positives
Custom or portable Notepad++ installations in non-standard directories.
Legitimate update processes creating temporary files in unexpected locations.
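The selection and filter logic above, re-implemented in plain Python and run over constructed Sysmon Event ID 11 (FileCreate) records. This is an added example, not code from the rule page or from SigmaHQ: the field names Image and TargetFilename are the Sysmon fields the rule is written against, the matching is case-insensitive as Sigma string modifiers are by default, and every sample record is constructed rather than captured.

```python
"""Re-implementation of the rule's selection/filter logic over constructed
Sysmon Event ID 11 (FileCreate) records. Added example, not code from the
rule page or SigmaHQ. Field names (Image, TargetFilename) are the Sysmon
fields the rule is written against; every sample record below is constructed."""

from collections.abc import Callable, Iterable


def _norm(s: str) -> str:
    # Sigma string modifiers match case-insensitively by default.
    return s.casefold()


def is_gup(image: str) -> bool:
    # selection: Image|endswith: '\gup.exe'
    return _norm(image).endswith("\\gup.exe")


def in_legit_install_path(target: str) -> bool:
    # filter_main_legit_paths
    t = _norm(target)
    return t.startswith(_norm("C:\\Program Files\\Notepad++\\")) or t.startswith(
        _norm("C:\\Program Files (x86)\\Notepad++\\")
    )


def is_temp_update_installer(target: str) -> bool:
    # filter_main_temp_update_installer: all four substrings must be present
    t = _norm(target)
    return t.startswith("c:\\users\\") and all(
        part in t for part in ("\\appdata\\local\\temp\\", "npp.", ".installer.", ".exe")
    )


def is_temp_generic_zip(target: str) -> bool:
    # filter_main_temp_generic_zip
    t = _norm(target)
    return t.startswith("c:\\users\\") and "\\appdata\\local\\temp\\" in t and ".zip" in t


def in_recycle_bin(target: str) -> bool:
    # filter_main_recycle_bin
    return _norm(target).startswith(_norm("C:\\$Recycle.Bin\\S-1-5-21"))


FILTERS: tuple[Callable[[str], bool], ...] = (
    in_legit_install_path,
    is_temp_update_installer,
    is_temp_generic_zip,
    in_recycle_bin,
)


def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    if not is_gup(event.get("Image", "")):
        return False
    target = event.get("TargetFilename", "")
    return not any(f(target) for f in FILTERS)


def run(events: Iterable[dict]) -> list[str]:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches(e)]


GUP = "C:\\Program Files\\Notepad++\\updater\\gup.exe"

# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    # Normal update: writes into the install directory -> filtered.
    {"Image": GUP, "TargetFilename": "C:\\Program Files\\Notepad++\\notepad++.exe"},
    # Installer dropped in the user's Temp folder -> filtered.
    {"Image": GUP, "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\npp.8.6.2.Installer.x64.exe"},
    # Archive download in Temp -> filtered.
    {"Image": GUP, "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\nppPluginList.zip"},
    # Old binary moved to the Recycle Bin -> filtered.
    {"Image": GUP, "TargetFilename": "C:\\$Recycle.Bin\\S-1-5-21-1111-2222-3333-1001\\$R1A2B3C.exe"},
    # Mixed case: Sigma matching is case-insensitive, so this is still filtered.
    {"Image": GUP.upper(), "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\NPP.8.6.Installer.exe"},
    # gup.exe writing an executable to a public directory -> ALERT.
    {"Image": GUP, "TargetFilename": "C:\\Users\\Public\\Downloads\\update.exe"},
    # A gup.exe running from a user profile dropping a DLL in ProgramData -> ALERT.
    {"Image": "C:\\Users\\alice\\AppData\\Roaming\\gup.exe", "TargetFilename": "C:\\ProgramData\\svc.dll"},
    # Not the updater at all -> ignored by the selection.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Users\\Public\\x.exe"},
]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Two properties of the logic are worth noting when tuning it: the selection only looks at the image name, so any binary named gup.exe, wherever it runs from, is in scope, which is why the constructed sample running from AppData\Roaming alerts; and the generic zip filter excludes every .zip written under a user's Temp folder, so a hijacked updater that stages its payload as a zip there would pass the filter. Whether to narrow that filter is a local decision, since the rule's false-positive notes show why it is there.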
MITRE ATT&CK
Tactics: Initial Access, Collection, Credential Access
Techniques: T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), T1557 (Adversary-in-the-Middle)
Rule Metadata
Rule ID
3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
Status
experimental
Level
high
Type
Detection
Created
Tue Feb 03
Path
rules/windows/file/file_event/file_event_win_gup_uncommon_file_creation.yml
Raw Tags
attack.collection
attack.credential-access
attack.t1195.002
attack.initial-access
attack.t1557