Arbitrary Binary Execution Using GUP Utility
Detects execution of the Notepad++ updater (gup) to launch other commands or executables
Author: Nasreddine Bencherchali (Nextron Systems) | Created: Fri Jun 10 | Updated: Thu Mar 02 | Rule ID: d65aee4d-2292-4cea-b832-83accd6cfa43 | Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (4 selectors)
detection:
    selection:
        ParentImage|endswith: '\gup.exe'                   # any child process spawned by the gup.exe updater
    filter:
        Image|endswith: '\explorer.exe'
        CommandLine|contains: '\Notepad++\notepad++.exe'   # the updater relaunching Notepad++ via explorer.exe
    filter_parent:
        ParentImage|contains: '\Notepad++\updater\'        # gup.exe running from its normal install location
    filter_null:
        CommandLine: null                                  # events with no recorded command line
    condition: selection and not 1 of filter*

False Positives
Other parent binaries using GUP not currently identified
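A worked evaluation of this rule's detection block, added here as an example and not part of the rule or of the SigmaHQ project: a minimal Python matcher that understands only the modifiers this rule uses (endswith, contains, and a plain/null value, matched case-insensitively as Sigma does) and the condition "selection and not 1 of filter*", run over constructed process-creation events. The field names follow the Sigma process_creation taxonomy; every path and command line in the sample events is made up for illustration.

```python
# Minimal evaluator for the GUP rule's detection block (added example, not
# SigmaHQ code). Supports only the modifiers this rule uses: endswith,
# contains and a plain/null value. Sigma string matching is case-insensitive,
# so both sides are lower-cased before comparison.
from typing import Any, Dict, List

Event = Dict[str, Any]

# The rule's detection block transcribed as Python dicts (backslashes escaped).
RULE_DETECTION: Dict[str, Dict[str, Any]] = {
    "selection": {"ParentImage|endswith": "\\gup.exe"},
    "filter": {
        "Image|endswith": "\\explorer.exe",
        "CommandLine|contains": "\\Notepad++\\notepad++.exe",
    },
    "filter_parent": {"ParentImage|contains": "\\Notepad++\\updater\\"},
    "filter_null": {"CommandLine": None},
}


def field_matches(event: Event, key: str, expected: Any) -> bool:
    """Evaluate one 'Field|modifier: value' pair against an event."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if expected is None:                 # Sigma 'null': field absent or null
        return value is None
    if value is None:                    # a missing field never matches a string
        return False
    actual, wanted = str(value).lower(), str(expected).lower()
    if modifier == "endswith":
        return actual.endswith(wanted)
    if modifier == "contains":
        return wanted in actual
    if modifier == "":                   # plain value: exact, case-insensitive
        return actual == wanted
    raise ValueError(f"modifier not supported by this toy evaluator: {modifier}")


def selector_matches(event: Event, selector: Dict[str, Any]) -> bool:
    """A map selector is an AND of all its field conditions."""
    return all(field_matches(event, k, v) for k, v in selector.items())


def classify(event: Event, detection: Dict[str, Dict[str, Any]] = RULE_DETECTION) -> str:
    """Return 'alert', 'no-selection', or 'suppressed:<filter name>'.

    Implements the condition 'selection and not 1 of filter*'.
    """
    if not selector_matches(event, detection["selection"]):
        return "no-selection"
    for name, selector in detection.items():
        if name.startswith("filter") and selector_matches(event, selector):
            return f"suppressed:{name}"
    return "alert"


# Constructed sample events (Sigma process_creation field names; paths are made up).
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "ParentImage": "C:\\Users\\alice\\Downloads\\gup.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo test"},
    {"id": "e2", "ParentImage": "C:\\Program Files\\Notepad++\\updater\\GUP.exe",
     "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\explorer.exe\" \"C:\\Program Files\\Notepad++\\notepad++.exe\""},
    {"id": "e3", "ParentImage": "C:\\Program Files\\Notepad++\\updater\\gup.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo test"},
    {"id": "e4", "ParentImage": "C:\\Users\\alice\\Downloads\\gup.exe",
     "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": None},
    {"id": "e5", "ParentImage": "C:\\Temp\\gup.exe",
     "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\explorer.exe\" \"D:\\Tools\\Notepad++\\notepad++.exe\""},
    {"id": "e6", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo test"},
]


def alerts(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """IDs of the events on which the rule would fire."""
    return [e["id"] for e in events if classify(e) == "alert"]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], classify(e))
    print("alerts:", alerts())
```

Only e1 (a gup.exe copy outside the updater folder spawning cmd.exe) produces an alert. e2 is the legitimate relaunch of Notepad++ after an update and is dropped by filter. e3 and e5 show where the exclusions are broad: filter_parent suppresses any child of a gup.exe located under \Notepad++\updater\, and filter keys on a command-line substring regardless of where the parent lives, so both are worth reviewing when tuning the rule for an environment.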
MITRE ATT&CK
Tactics: Execution (tag attack.execution)
Rule Metadata
Rule ID
d65aee4d-2292-4cea-b832-83accd6cfa43
Status
test
Level
medium
Type
Detection
Created
Fri Jun 10
Modified
Thu Mar 02
Path
rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml
Raw Tags
attack.execution