Sigma rules for CVE-2023-7261
5 rules · scoped to cve · back to CVE-2023-7261
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Running Chrome VPN Extensions via the Registry 2 VPN Extension
id: b64a026b-8deb-4c1d-92fd-98893209dff1
status: test
description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
author: frack113
date: 2021-12-28
modified: 2023-08-17
tags:
- attack.initial-access
- attack.persistence
- attack.t1133
logsource:
category: registry_set
product: windows
detection:
chrome_ext:
TargetObject|contains: 'Software\Wow6432Node\Google\Chrome\Extensions'
TargetObject|endswith: 'update_url'
chrome_vpn:
TargetObject|contains:
- fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN
- fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN
- bihmplhobchoageeokmgbdihknkjbknd # Touch VPN
- gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN
- jajilbjjinjmgcibalaakngmkilboobh # Astar VPN
- gjknjjomckknofjidppipffbpoekiipm # VPN Free
- nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN
- kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN
- nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN
- omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN
- bibjcjfmgapbfoljiojpipaooddpkpai # VPN-free.pro
- mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free
- jljopmgdobloagejpohpldgkiellmfnc # PP VPN
- lochiccbgeohimldjooaakjllnafhaid # IP Unblock
- nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN
- ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN
- namfblliamklmeodpcelkokjbffgmeoo # Daily VPN
- nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy
- majdfhpaihoncoakbjgbdhglocklcgno # Free VPN
- lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER
- eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN
- cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy
- foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional
- hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN
- jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN
- inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN
- higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN
- hipncndjamdcmphkgngojegjblibadbe # RusVPN
- iolonopooapdagdemdoaihahlfkncfgg # Azino VPN
- nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN
- jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN
- fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN
- ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy
- keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN
- hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN
- poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker
- dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN
- kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN
- klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome
- lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN
- pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN
- jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access
- jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC
- hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe
- ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN
- kcndmbbelllkmioekdagahekgimemejo # VPN.AC
- jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN
- bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN
- ppajinakbfocjfnijggfndbdmjggcmde # My Browser Vpn
- oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN
- bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN
- knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy
- dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN
- jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy
- mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN
- omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN
- npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN
- akeehkgglkmpapdnanoochpfmeghfdln # VPN Master
- gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites
- aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN
- cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN
- ficajfeojakddincjafebjmfiefcmanc # Best VPN USA
- ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT
- jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn
- apcfdffemoinopelidncddjbhkiblecc # Soul VPN
- mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN
- oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy
- plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN
- mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN
- bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN
- aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN
- lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server
- knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy
- bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN
- edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN
- eidnihaadmmancegllknfbliaijfmkgo # Push VPN
- ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN
- macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN
- chioafkonnhbpajpengbalkececleldf # BullVPN
- amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN
- llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow
- pcienlhnoficegnepejpfiklggkioccm # Cloud VPN
- iocnglnmfkgfedpcemdflhkchokkfeii # sVPN
- igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN
- njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet
- ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN
- kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN
- bnijmipndnicefcdbhgcjoognndbgkep # Veee
- lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser
- dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN
- egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN
- ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN
- bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic
- almalgbpmcfpdaopimbdchdliminoign # Urban Shield
- akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN
- gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind
- bniikohfmajhdcffljgfeiklcbgffppl # Upnet
- lejgfmmlngaigdmmikblappdafcmkndb # uVPN
- ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN
- gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard
- pooljnboifbodgifngpppfklhifechoe # GeoProxy
- fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN
- aakchaleigkohafkfjfjbblobjifikek # ProxFlow
- dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp
- padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega
- bfidboloedlamgdmenmlbipfnccokknp # PureVPN
condition: all of chrome_*
falsepositives:
- Unknown
level: high
title: Potential Chrome Frame Helper DLL Sideloading
id: 72ca7c75-bf85-45cd-aca7-255d360e423c
status: test
description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
references:
- https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-05-15
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\chrome_frame_helper.dll'
filter_main_path:
ImageLoaded|startswith:
- 'C:\Program Files\Google\Chrome\Application\'
- 'C:\Program Files (x86)\Google\Chrome\Application\'
filter_optional_user_path:
ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
title: Uncommon File Created by Notepad++ Updater Gup.EXE
id: 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
status: experimental
description: |
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
references:
- https://notepad-plus-plus.org/news/v889-released/
- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
- https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
modified: 2026-03-16
tags:
- attack.collection
- attack.credential-access
- attack.t1195.002
- attack.initial-access
- attack.t1557
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\gup.exe'
filter_main_legit_paths:
TargetFilename|startswith:
- 'C:\Program Files\Notepad++\'
- 'C:\Program Files (x86)\Notepad++\'
filter_main_temp_update_installer:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- 'npp.'
- '.Installer.'
- '.exe'
filter_main_temp_generic_zip:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- '.zip'
filter_main_recycle_bin:
TargetFilename|startswith: 'C:\$Recycle.Bin\S-1-5-21'
filter_main_plugins:
- TargetFilename|contains:
- '\plugins\JsonTools\testfiles\'
- '\Notepad++\plugins\ComparePlugin\'
- TargetFilename|contains|all:
- 'npp.'
- '.portable.'
- '\plugins\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Custom or portable Notepad++ installations in non-standard directories.
- Legitimate update processes creating temporary files in unexpected locations.
level: high
title: Suspicious Child Process of Notepad++ Updater - GUP.Exe
id: bb0e87ce-c89f-4857-84fa-095e4483e9cb
status: experimental
description: |
Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
This could indicate potential exploitation of the updater component to deliver unwanted malware.
references:
- https://notepad-plus-plus.org/news/v889-released/
- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
- https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
tags:
- attack.collection
- attack.credential-access
- attack.t1195.002
- attack.initial-access
- attack.t1557
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\gup.exe'
selection_child_img:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\mshta.exe'
selection_child_cli:
CommandLine|contains:
- 'bitsadmin'
- 'certutil'
- 'curl'
- 'finger'
- 'forfiles'
- 'regsvr32'
- 'rundll32'
- 'wget'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Unlikely
level: high
title: Notepad++ Updater DNS Query to Uncommon Domains
id: 2074e137-1b73-4e2d-88ba-5a3407dbdce0
status: experimental
description: |
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
references:
- https://notepad-plus-plus.org/news/v889-released/
- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
- https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-02
modified: 2026-03-16
tags:
- attack.collection
- attack.credential-access
- attack.t1195.002
- attack.initial-access
- attack.t1557
logsource:
category: dns_query
product: windows
detection:
selection:
Image|endswith: '\gup.exe'
filter_main_notepad_legit_domain:
QueryName: 'notepad-plus-plus.org'
filter_optional_sourceforge_legit_domain:
QueryName|endswith: '.sourceforge.net'
filter_optional_github_legit_domain:
- QueryName|endswith: '.githubusercontent.com'
- QueryName: 'github.com'
filter_optional_google_storage_legit_domain:
QueryName|endswith: '.googleapis.com'
filter_optional_uncommon_domains:
QueryName|endswith:
- '.azurewebsites.net'
- 'block.opendns.com'
- 'gateway.zscalerthree.net'
# Add other known legitimate domains if any
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Some legitimate network misconfigurations or proxy issues causing unexpected DNS queries.
- Other legitimate query to official domains not listed in the filter, needing tuning.
level: medium # can be upgraded to high after tuning with known legitimate DNS queries