Type: Detection | Level: medium | Status: test

Potential Persistence Via Notepad++ Plugins

Detects creation of new ".dll" files inside the plugins directory of a Notepad++ installation by a process other than "gup.exe", which could indicate possible persistence.

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Fri Jun 10
Updated: Mon Sep 01
Rule ID: 54127bd4-f541-4ac3-afdb-ea073f63f692
Platform: windows
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic (4 selectors)
detection:
    selection:
        TargetFilename|contains: '\Notepad++\plugins\'
        TargetFilename|endswith: '.dll'
    filter_gup:
        Image|endswith: '\Notepad++\updater\gup.exe'
    filter_install:
        # This filter exists for the Sigma test dataset; remove or adapt it when using the rule in your own environment
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Temp\'
        Image|endswith:
            - '\target.exe'
            - 'Installer.x64.exe'
    filter_main_installer:
        Image|contains: '\npp.'
        Image|endswith: '.exe'
        TargetFilename:
            - 'C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll'
            - 'C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll'
            - 'C:\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll'
            - 'C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll'
    condition: selection and not 1 of filter_*
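To show how the four selectors combine, here is an added example (not the Sigma project's code) that evaluates this rule's detection block over constructed file events: Sigma string matches are case-insensitive, fields inside one selector are ANDed, list values are ORed, and the condition fires only when `selection` holds and none of the `filter_*` selectors does. The event field names and sample paths are assumptions modelled on Sysmon file-create telemetry.

```python
# Added example (not the Sigma project's code): evaluates this rule's detection
# block over constructed file events with a minimal Sigma-style matcher.
def _match(value, modifier, patterns):
    # Apply one Sigma modifier (contains/endswith/startswith or exact match).
    v = (value or "").lower()
    for p in ([patterns] if isinstance(patterns, str) else patterns):
        p = p.lower()
        if {"contains": p in v, "endswith": v.endswith(p),
            "startswith": v.startswith(p), "": v == p}[modifier]:
            return True
    return False

def _selector_hits(event, selector):
    # Every field condition in a selector must hold (AND semantics).
    for key, patterns in selector.items():
        field, _, modifier = key.partition("|")
        if not _match(event.get(field), modifier, patterns):
            return False
    return True

SELECTION = {"TargetFilename|contains": "\\Notepad++\\plugins\\",
             "TargetFilename|endswith": ".dll"}
FILTERS = {
    "filter_gup": {"Image|endswith": "\\Notepad++\\updater\\gup.exe"},
    "filter_install": {"Image|startswith": "C:\\Users\\",
                       "Image|contains": "\\AppData\\Local\\Temp\\",
                       "Image|endswith": ["\\target.exe", "Installer.x64.exe"]},
    "filter_main_installer": {"Image|contains": "\\npp.", "Image|endswith": ".exe",
        "TargetFilename": [
            r"C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll",
            r"C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll",
            r"C:\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll",
            r"C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll"]},
}

def rule_matches(event):
    # condition: selection and not 1 of filter_*
    return (_selector_hits(event, SELECTION)
            and not any(_selector_hits(event, f) for f in FILTERS.values()))

# Constructed sample events (not real telemetry): the updater, the installer,
# and an unrelated process writing a DLL into the plugins folder.
EVENTS = [
    {"Image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "TargetFilename": r"C:\Program Files\Notepad++\plugins\NppFTP\NppFTP.dll"},
    {"Image": r"C:\Users\alice\Downloads\npp.8.5.Installer.x64.exe",
     "TargetFilename": r"C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Program Files\Notepad++\plugins\CustomPlugin\CustomPlugin.dll"},
]

def alerts(events=EVENTS):
    # TargetFilename of every event the rule would fire on.
    return [e["TargetFilename"] for e in events if rule_matches(e)]
```

Only the third event alerts: the updater is excluded by `filter_gup` and the installer by `filter_main_installer`, which is exactly the first-installation false positive the rule's filters are designed to absorb.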

False Positives

Possible FPs during first installation of Notepad++

Legitimate use of custom plugins by users to enhance Notepad++ functionality

MITRE ATT&CK: Persistence (attack.persistence)
Rule Metadata
Rule ID: 54127bd4-f541-4ac3-afdb-ea073f63f692
Status: test
Level: medium
Type: Detection
Created: Fri Jun 10
Modified: Mon Sep 01
Path: rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
Raw Tags: attack.persistence