Techniques
Sample rules
Arbitrary Binary Execution Using GUP Utility
- source: sigma
- techniques:
Description
Detects execution of the Notepad++ updater (gup) to launch other commands or executables
Detection logic
selection:
    Image|endswith: '\explorer.exe'
    ParentImage|endswith: '\gup.exe'
filter:
    CommandLine|contains: '\Notepad++\notepad++.exe'
    Image|endswith: '\explorer.exe'
filter_null:
    CommandLine: null
filter_parent:
    ParentImage|contains: '\Notepad++\updater\'
condition: selection and not 1 of filter*
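Worked example, added here and not part of the Sigma rule or the SigmaHQ project: a minimal Python evaluation of the selection and filters above over constructed process-creation events, showing which event the condition `selection and not 1 of filter*` lets through. The event names, paths and helper function names are assumptions; string modifiers are applied case-insensitively, as Sigma does by default, and `CommandLine: null` is treated as matching an absent or null field.

```python
# Constructed process-creation events (not real telemetry) to exercise the rule.
EVENTS = {
    "update_restart": {  # legitimate updater relaunching Notepad++ after an update
        "ParentImage": "C:\\Program Files\\Notepad++\\updater\\gup.exe",
        "Image": "C:\\Windows\\explorer.exe",
        "CommandLine": "\"C:\\Windows\\explorer.exe\" \"C:\\Program Files\\Notepad++\\notepad++.exe\"",
    },
    "relocated_gup": {  # gup.exe outside its install directory starting an unrelated binary
        "ParentImage": "C:\\Users\\Public\\gup.exe",
        "Image": "C:\\Windows\\EXPLORER.EXE",  # upper case: modifiers are case-insensitive
        "CommandLine": "\"C:\\Windows\\explorer.exe\" \"C:\\Users\\Public\\tool.exe\"",
    },
    "no_cmdline": {  # same parent, but the sensor recorded no command line
        "ParentImage": "C:\\Users\\Public\\gup.exe",
        "Image": "C:\\Windows\\explorer.exe",
        "CommandLine": None,
    },
    "non_explorer_child": {  # child is not explorer.exe, so the selection does not apply
        "ParentImage": "C:\\Users\\Public\\gup.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe",
    },
}

def _lc(event, field):
    """Normalise a field for case-insensitive matching; missing or null becomes ''."""
    value = event.get(field)
    return "" if value is None else str(value).lower()

def selection(event):
    return _lc(event, "Image").endswith("\\explorer.exe") and _lc(event, "ParentImage").endswith("\\gup.exe")

def filter_notepad_restart(event):  # the rule's 'filter' block
    return _lc(event, "Image").endswith("\\explorer.exe") and "\\notepad++\\notepad++.exe" in _lc(event, "CommandLine")

def filter_null(event):  # 'CommandLine: null'
    return event.get("CommandLine") is None

def filter_parent(event):  # 'filter_parent'
    return "\\notepad++\\updater\\" in _lc(event, "ParentImage")

FILTERS = (filter_notepad_restart, filter_null, filter_parent)

def rule_matches(event):
    """condition: selection and not 1 of filter*"""
    return selection(event) and not any(f(event) for f in FILTERS)

def alerting_events(events):
    """Names of the events that trigger the rule."""
    return [name for name, event in events.items() if rule_matches(event)]

if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name}: {'ALERT' if rule_matches(event) else 'no alert'}")
```

Only `relocated_gup` alerts; the last event shows that, as written, the selection only covers explorer.exe children of gup.exe, and the null filter shows that events logged without a command line are deliberately excluded.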