Sigma rules for CVE-2007-5198
1 rules · scoped to cve · back to CVE-2007-5198
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Potential Persistence Via Notepad++ Plugins
id: 54127bd4-f541-4ac3-afdb-ea073f63f692
status: test
description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
references:
- https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-10
modified: 2025-09-01
tags:
- attack.persistence
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Notepad++\plugins\'
TargetFilename|endswith: '.dll'
filter_gup:
Image|endswith: '\Notepad++\updater\gup.exe'
filter_install:
# This filter is for Sigma dataset you could remove it or change when using the rule in your own env
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Temp\'
Image|endswith:
- '\target.exe'
- 'Installer.x64.exe'
filter_main_installer:
Image|contains: '\npp.'
Image|endswith: '.exe'
TargetFilename:
- 'C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll'
- 'C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll'
- 'C:\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll'
- 'C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll'
condition: selection and not 1 of filter_*
falsepositives:
- Possible FPs during first installation of Notepad++
- Legitimate use of custom plugins by users in order to enhance notepad++ functionalities
level: medium