File Download Using Notepad++ GUP Utility

About the rule

Rule Type

Standard

Rule Description

gup.exe is the “Generic Updater” utility bundled with Notepad++ and is responsible for downloading and installing updates for Notepad++. While it serves a legitimate function, attackers may exploit gup.exe to download arbitrary files, payloads, or malicious executables by supplying crafted command-line arguments or manipulating update configurations. This rule is designed to detect suspicious file download activity initiated through gup.exe—such as connections to untrusted or non-Notepad++ domains, downloading files with executable extensions, or unexpected invocation patterns.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Execution → Misuse of gup.exe for file download → Impact

Impact

• Defense evasion
• Unauthorized file download
• Malware delivery or execution
• Data exfiltration

Rule Requirement

Prerequisites

Use the Group Policy Management Console to audit process creation and process termination.

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.

Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Command and Control: Ingress Tool Transfer (T1105)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

When this rule is triggered, you’re notified of suspicious file download activity initiated by Notepad++’s gup.exe utility, such as connections to atypical domains, or attempts to download and execute files outside of official update channels. This enables you to review file download sources, analyze gup.exe invocation context, and promptly identify or remediate unauthorized use of this updater utility.

Author

Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

This rule may trigger during legitimate Notepad++ self-updates or when administrators deploy manual updates using gup.exe. Review the download URL, file type, and update context to validate legitimacy.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Reconfiguration: Update allowlists for sanctioned update sources, strengthen detection analytics for updater abuse, and maintain ongoing monitoring for similar behaviors.

Mitigation