LoFP / execution of tools named gup.exe located in folders other than notepad++\updater

Techniques

Sample rules

Suspicious GUP Usage

Description

Detects execution of the Notepad++ updater (GUP.exe) from a directory other than its expected install location, a pattern often used in DLL side-loading attacks.

Detection logic

selection:
  Image|endswith: \GUP.exe
filter_programfiles:
  Image|endswith:
  - \Program Files\Notepad++\updater\GUP.exe
  - \Program Files (x86)\Notepad++\updater\GUP.exe
filter_user:
  Image|contains: \Users\
  Image|endswith:
  - \AppData\Local\Notepad++\updater\GUP.exe
  - \AppData\Roaming\Notepad++\updater\GUP.exe
condition: selection and not 1 of filter_*
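The detection logic above, re-implemented as an added Python example (not part of the LoFP page or the Sigma rule) and run over constructed process-creation events, shows why the listed false positive occurs: any gup.exe outside the allowed Notepad++ updater locations fires the rule, including an unrelated tool that merely shares the name. The event dicts, sample paths and the `matches_rule`/`triage` helpers are assumptions made for the example.

```python
"""Re-implementation of the 'Suspicious GUP Usage' Sigma logic over constructed events."""

# Sigma string modifiers (endswith/contains) are case-insensitive by default,
# so all patterns are stored lower-cased and compared against a lower-cased Image.
SELECTION_SUFFIX = "\\gup.exe"
FILTER_PROGRAMFILES = (
    "\\program files\\notepad++\\updater\\gup.exe",
    "\\program files (x86)\\notepad++\\updater\\gup.exe",
)
FILTER_USER_CONTAINS = "\\users\\"
FILTER_USER_SUFFIXES = (
    "\\appdata\\local\\notepad++\\updater\\gup.exe",
    "\\appdata\\roaming\\notepad++\\updater\\gup.exe",
)


def matches_rule(image: str) -> bool:
    """True when an event satisfies: selection and not 1 of filter_*.

    Fields inside one Sigma selection are ANDed, so filter_user needs both the
    '\\Users\\' substring and one of the AppData suffixes to suppress the alert.
    """
    img = image.lower()
    selection = img.endswith(SELECTION_SUFFIX)
    filter_programfiles = any(img.endswith(s) for s in FILTER_PROGRAMFILES)
    filter_user = FILTER_USER_CONTAINS in img and any(
        img.endswith(s) for s in FILTER_USER_SUFFIXES
    )
    return selection and not (filter_programfiles or filter_user)


def triage(events):
    """Return the Image paths from a list of event dicts that would raise the alert."""
    return [e["Image"] for e in events if matches_rule(e["Image"])]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Notepad++\updater\GUP.exe"},              # expected location
    {"Image": r"C:\Program Files (x86)\Notepad++\updater\gup.exe"},        # case differs, still filtered
    {"Image": r"C:\Users\alice\AppData\Local\Notepad++\updater\GUP.exe"},  # per-user install, filtered
    {"Image": r"C:\Users\Public\Downloads\GUP.exe"},  # updater outside its install dir: alerts
    {"Image": r"C:\Tools\gup\gup.exe"},               # unrelated tool named gup.exe: the LoFP case
    {"Image": r"C:\Windows\System32\notepad.exe"},    # not in selection at all
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Tuning this false positive away means adding another filter for the legitimate tool's full path, not loosening the `\GUP.exe` selection.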