LoFP / other parent processes other than notepad++ using gup that are not currently identified

Techniques

t1105

Sample rules

File Download Using Notepad++ GUP Utility

source: sigma
technicques:
- t1105

Description

Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.

Detection logic

condition: all of selection* and not filter
filter:
  ParentImage|endswith: \notepad++.exe
selection_cli:
  CommandLine|contains|all:
  - ' -unzipTo '
  - http
selection_img:
- Image|endswith: \GUP.exe
- OriginalFileName: gup.exe