sigmamediumHunting

Arbitrary Binary Execution Using GUP Utility

Detects execution of the Notepad++ updater (gup) to launch other commands or executables

Detection Query

selection:
  ParentImage|endswith: \gup.exe
  Image|endswith: \explorer.exe
filter:
  Image|endswith: \explorer.exe
  CommandLine|contains: \Notepad++\notepad++.exe
filter_parent:
  ParentImage|contains: \Notepad++\updater\
filter_null:
  CommandLine: null
condition: selection and not 1 of filter*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-06-10

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://twitter.com/nas_bench/status/1535322445439180803

Tags

attack.execution

Raw Content

title: Arbitrary Binary Execution Using GUP Utility
id: d65aee4d-2292-4cea-b832-83accd6cfa43
status: test
description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
references:
    - https://twitter.com/nas_bench/status/1535322445439180803
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-10
modified: 2023-03-02
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\gup.exe'
        Image|endswith: '\explorer.exe'
    filter:
        Image|endswith: '\explorer.exe'
        CommandLine|contains: '\Notepad++\notepad++.exe'
    filter_parent:
        ParentImage|contains: '\Notepad++\updater\'
    filter_null:
        CommandLine: null
    condition: selection and not 1 of filter*
falsepositives:
    - Other parent binaries using GUP not currently identified
level: medium