LoFP / legitimate update processes creating temporary files in unexpected locations.

Techniques

Sample rules

Uncommon File Created by Notepad++ Updater Gup.EXE

Description

Detects file creation by the Notepad++ updater (gup.exe) in locations other than the Notepad++ install directory, the user's Temp folder (for the downloaded installer or portable zip) or the Recycle Bin. A file written elsewhere could indicate abuse of the updater component to deliver malware or other unwanted files. Note that the legitimate update flow itself writes to Temp, which is why those paths are excluded rather than alerted on.

Detection logic

selection:
  Image|endswith: \gup.exe
filter_main_legit_paths:
  TargetFilename|startswith:
  - C:\Program Files\Notepad++\
  - C:\Program Files (x86)\Notepad++\
filter_main_recycle_bin:
  TargetFilename|startswith: C:\$Recycle.Bin\S-1-5-21
filter_main_temp_generic_zip:
  TargetFilename|startswith: C:\Users\
  TargetFilename|contains|all:
  - \AppData\Local\Temp\
  - .zip
filter_main_temp_update_installer:
  TargetFilename|startswith: C:\Users\
  TargetFilename|contains|all:
  - \AppData\Local\Temp\
  - npp.
  - .Installer.
  - .exe
condition: selection and not 1 of filter_main_*
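To see which events the rule above actually fires on, and which the filter_main_* blocks suppress, the following re-implements the selection, the four filters and the condition in Python and runs them over a handful of constructed Sysmon Event ID 11 (FileCreate) records. This is an added example, not code from the rule or from the Notepad++ project; the event records, user names and file names are made up for illustration. It reproduces one Sigma convention that matters here: string modifiers (startswith, endswith, contains) compare case-insensitively. The last sample record is a deliberately chosen name showing that the contains-based installer filter accepts any Temp path containing "npp.", ".Installer." and ".exe" in any order, which is the tuning caveat to keep in mind when relying on this exclusion.

```python
"""Run the 'Uncommon File Created by Notepad++ Updater Gup.EXE' logic over
constructed Sysmon FileCreate records (added example, not the rule's own code)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class FileCreateEvent:
    image: str             # Sysmon Event ID 11 "Image": the process creating the file
    target_filename: str   # Sysmon Event ID 11 "TargetFilename": the file being written


# --- the Sigma blocks, one function each; both sides lower-cased because
# --- Sigma string modifiers are case-insensitive by default

def selection(ev: FileCreateEvent) -> bool:
    return ev.image.lower().endswith("\\gup.exe")


def filter_main_legit_paths(ev: FileCreateEvent) -> bool:
    t = ev.target_filename.lower()
    return t.startswith("c:\\program files\\notepad++\\") or \
        t.startswith("c:\\program files (x86)\\notepad++\\")


def filter_main_recycle_bin(ev: FileCreateEvent) -> bool:
    return ev.target_filename.lower().startswith("c:\\$recycle.bin\\s-1-5-21")


def filter_main_temp_generic_zip(ev: FileCreateEvent) -> bool:
    t = ev.target_filename.lower()
    return t.startswith("c:\\users\\") and \
        all(s in t for s in ("\\appdata\\local\\temp\\", ".zip"))


def filter_main_temp_update_installer(ev: FileCreateEvent) -> bool:
    t = ev.target_filename.lower()
    return t.startswith("c:\\users\\") and \
        all(s in t for s in ("\\appdata\\local\\temp\\", "npp.", ".installer.", ".exe"))


FILTERS = (
    filter_main_legit_paths,
    filter_main_recycle_bin,
    filter_main_temp_generic_zip,
    filter_main_temp_update_installer,
)


def classify(ev: FileCreateEvent) -> str:
    """Return 'not_selected', the name of the first suppressing filter, or 'alert'."""
    if not selection(ev):
        return "not_selected"
    for f in FILTERS:
        if f(ev):
            return f.__name__
    return "alert"


def matches(ev: FileCreateEvent) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return classify(ev) == "alert"


GUP = "C:\\Program Files\\Notepad++\\updater\\GUP.exe"   # mixed case on purpose

# Constructed sample records; none of these are real telemetry.
SAMPLE_EVENTS = [
    # normal update: installer dropped in the user's Temp -> suppressed
    FileCreateEvent(GUP, "C:\\Users\\alice\\AppData\\Local\\Temp\\npp.8.6.2.Installer.x64.exe"),
    # normal update of a portable install: zip dropped in Temp -> suppressed
    FileCreateEvent(GUP, "C:\\Users\\alice\\AppData\\Local\\Temp\\npp.8.6.2.portable.x64.zip"),
    # updater touching its own install directory -> suppressed
    FileCreateEvent(GUP, "C:\\Program Files\\Notepad++\\updater\\gup.xml"),
    # file moved to the Recycle Bin of a domain/local user SID -> suppressed
    FileCreateEvent(GUP, "C:\\$Recycle.Bin\\S-1-5-21-1111-2222-3333-1001\\$RX1Y2Z3.exe"),
    # executable written to a world-writable location -> alert
    FileCreateEvent(GUP, "C:\\Users\\Public\\update.exe"),
    # file written outside the user profile entirely -> alert
    FileCreateEvent(GUP, "C:\\Windows\\Temp\\svc.dll"),
    # same path, but a different process: not the updater -> not selected
    FileCreateEvent("C:\\Program Files\\Notepad++\\notepad++.exe", "C:\\Users\\Public\\update.exe"),
    # caveat: any Temp name containing "npp.", ".Installer." and ".exe" is excluded
    FileCreateEvent(GUP, "C:\\Users\\alice\\AppData\\Local\\Temp\\npp.stage2.Installer.loader.exe"),
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Target paths the rule would raise an alert for, in input order."""
    return [ev.target_filename for ev in events if matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{classify(ev):36} {ev.target_filename}")
```

Running the block prints one verdict per record: the two writes to C:\Users\Public and C:\Windows\Temp are the only alerts, while the installer, zip, install-directory and Recycle Bin writes each name the filter that suppressed them. If the looseness of filter_main_temp_update_installer is a concern in your environment, tightening it to a startswith/endswith pair (or a regex anchored on the real installer naming) is a local tuning decision the rule leaves to you.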