LoFP / legitimate use of custom plugins by users in order to enhance Notepad++ functionalities

Techniques

Sample rules

Potential Persistence Via Notepad++ Plugins

Description

Detects creation of new “.dll” files inside the plugins directory of a Notepad++ installation by a process other than “gup.exe” (the Notepad++ updater), which could indicate possible persistence.

Detection logic

condition: selection and not 1 of filter_*
filter_gup:
  Image|endswith: \Notepad++\updater\gup.exe
filter_install:
  Image|contains: \AppData\Local\Temp\
  Image|endswith:
  - \target.exe
  - Installer.x64.exe
  Image|startswith: C:\Users\
selection:
  TargetFilename|contains: \Notepad++\plugins\
  TargetFilename|endswith: .dll
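As an added example (not part of the rule above or of the Sigma project), the selection, both filters and the `selection and not 1 of filter_*` condition are evaluated in Python over constructed Sysmon FileCreate-style records; the field names, sample paths and plugin names are assumptions, and string matching is case-insensitive as Sigma's default modifiers are.

```python
# Added example: evaluates the Sigma rule logic from the page over constructed
# Sysmon Event ID 11 (FileCreate) records. Not the rule's or Sigma's own code.

def _norm(s: str) -> str:
    # Sigma contains/startswith/endswith match case-insensitively by default
    return s.lower()

def selection(ev: dict) -> bool:
    """TargetFilename|contains '\\Notepad++\\plugins\\' and |endswith '.dll'"""
    tf = _norm(ev.get("TargetFilename", ""))
    return "\\notepad++\\plugins\\" in tf and tf.endswith(".dll")

def filter_gup(ev: dict) -> bool:
    """The Notepad++ updater writing plugin DLLs is expected behaviour."""
    return _norm(ev.get("Image", "")).endswith("\\notepad++\\updater\\gup.exe")

def filter_install(ev: dict) -> bool:
    """Installer stubs unpacked under the user's Temp directory."""
    img = _norm(ev.get("Image", ""))
    return (img.startswith("c:\\users\\")
            and "\\appdata\\local\\temp\\" in img
            and (img.endswith("\\target.exe") or img.endswith("installer.x64.exe")))

def matches(ev: dict) -> bool:
    """condition: selection and not 1 of filter_*"""
    return selection(ev) and not (filter_gup(ev) or filter_install(ev))

# Constructed sample events (assumed field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Notepad++\updater\gup.exe",            # updater: filtered
     "TargetFilename": r"C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\nsa1234.tmp\target.exe",  # installer: filtered
     "TargetFilename": r"C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll"},
    {"Image": r"C:\Users\alice\Downloads\tool.exe",                    # unexpected writer: alert
     "TargetFilename": r"C:\Program Files\Notepad++\plugins\MyPlugin\MyPlugin.dll"},
    {"Image": r"C:\Users\alice\Downloads\tool.exe",                    # not a .dll: no selection
     "TargetFilename": r"C:\Program Files\Notepad++\plugins\Config\settings.ini"},
]

def alerts(events):
    """Return the events the rule would fire on."""
    return [ev for ev in events if matches(ev)]

if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS):
        print("ALERT:", ev["Image"], "->", ev["TargetFilename"])
```

A user who installs plugins by hand (the legitimate case this LoFP entry describes) produces exactly the third shape of event, so a tuning filter for that organisation's approved install path would be added as another `filter_*` entry rather than by loosening the selection.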