Merge PR #5854 from @swachchhanda000 - Add Notepad++ Infrastructure Abuse Rules

swachchhanda000 · nasbench · phantinuss · web-flow · commit 76f4a42ebb46 · 2026-02-04T12:08:03.000+01:00
new: Notepad++ Updater DNS Query to Uncommon Domains
new: Uncommon File Created by Notepad++ Updater Gup.EXE
new: Suspicious Child Process of Notepad++ Updater - GUP.Exe

---------

Co-authored-by: nasbench &lt;nbencher@cisco.com&gt;
Co-authored-by: phantinuss &lt;79651203+phantinuss@users.noreply.github.com&gt;
diff --git a/rules/windows/dns_query/dns_query_win_gup_query_to_uncommon_domains.yml b/rules/windows/dns_query/dns_query_win_gup_query_to_uncommon_domains.yml
@@ -0,0 +1,41 @@
+title: Notepad++ Updater DNS Query to Uncommon Domains
+id: 2074e137-1b73-4e2d-88ba-5a3407dbdce0
+status: experimental
+description: |
+    Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
+    This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
+references:
+    - https://notepad-plus-plus.org/news/v889-released/
+    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
+    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
+    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
+    - https://securelist.com/notepad-supply-chain-attack/118708/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-02-02
+tags:
+    - attack.collection
+    - attack.credential-access
+    - attack.t1195.002
+    - attack.initial-access
+    - attack.t1557
+logsource:
+    category: dns_query
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\gup.exe'
+    filter_main_notepad_legit_domain:
+        QueryName: 'notepad-plus-plus.org'
+    filter_optional_sourceforge_legit_domain:
+        QueryName|endswith: '.sourceforge.net'
+    filter_optional_github_legit_domain:
+        - QueryName|endswith: '.githubusercontent.com'
+        - QueryName: 'github.com'
+    filter_optional_google_storage_legit_domain:
+        QueryName|endswith: '.googleapis.com'
+    # Add other known legitimate domains if any
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Some legitimate network misconfigurations or proxy issues causing unexpected DNS queries.
+    - Other legitimate query to official domains not listed in the filter, needing tuning.
+level: medium # can be upgraded to high after tuning with known legitimate DNS queries
diff --git a/rules/windows/file/file_event/file_event_win_gup_uncommon_file_creation.yml b/rules/windows/file/file_event/file_event_win_gup_uncommon_file_creation.yml
@@ -0,0 +1,49 @@
+title: Uncommon File Created by Notepad++ Updater Gup.EXE
+id: 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
+status: experimental
+description: |
+    Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
+    This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
+references:
+    - https://notepad-plus-plus.org/news/v889-released/
+    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
+    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
+    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
+    - https://securelist.com/notepad-supply-chain-attack/118708/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-02-03
+tags:
+    - attack.collection
+    - attack.credential-access
+    - attack.t1195.002
+    - attack.initial-access
+    - attack.t1557
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\gup.exe'
+    filter_main_legit_paths:
+        TargetFilename|startswith:
+            - 'C:\Program Files\Notepad++\'
+            - 'C:\Program Files (x86)\Notepad++\'
+    filter_main_temp_update_installer:
+        TargetFilename|startswith: 'C:\Users\'
+        TargetFilename|contains|all:
+            - '\AppData\Local\Temp\'
+            - 'npp.'
+            - '.Installer.'
+            - '.exe'
+    filter_main_temp_generic_zip:
+        TargetFilename|startswith: 'C:\Users\'
+        TargetFilename|contains|all:
+            - '\AppData\Local\Temp\'
+            - '.zip'
+    filter_main_recycle_bin:
+        TargetFilename|startswith: 'C:\$Recycle.Bin\S-1-5-21'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Custom or portable Notepad++ installations in non-standard directories.
+    - Legitimate update processes creating temporary files in unexpected locations.
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_gup_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_gup_susp_child_process.yml
@@ -0,0 +1,48 @@
+title: Suspicious Child Process of Notepad++ Updater - GUP.Exe
+id: bb0e87ce-c89f-4857-84fa-095e4483e9cb
+status: experimental
+description: |
+    Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
+    This could indicate potential exploitation of the updater component to deliver unwanted malware.
+references:
+    - https://notepad-plus-plus.org/news/v889-released/
+    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
+    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
+    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
+    - https://securelist.com/notepad-supply-chain-attack/118708/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-02-03
+tags:
+    - attack.collection
+    - attack.credential-access
+    - attack.t1195.002
+    - attack.initial-access
+    - attack.t1557
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|endswith: '\gup.exe'
+    selection_child_img:
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\cscript.exe'
+            - '\wscript.exe'
+            - '\mshta.exe'
+    selection_child_cli:
+        CommandLine|contains:
+            - 'bitsadmin'
+            - 'certutil'
+            - 'curl'
+            - 'finger'
+            - 'forfiles'
+            - 'regsvr32'
+            - 'rundll32'
+            - 'wget'
+    condition: selection_parent and 1 of selection_child_*
+falsepositives:
+    - Unlikely
+level: high
