Adversaries may abuse the Notepad++ plugin mechanism for persistence: the editor loads plugin DLLs from its plugins directory at startup, so a DLL dropped there executes in the user's context every time Notepad++ is opened, without touching the Run keys, services or scheduled tasks that most persistence detections watch. SOC teams can hunt for this in Microsoft Sentinel (formerly Azure Sentinel) by looking for .dll files created under a \Notepad++\plugins\ path by anything other than the editor's own updater and installer.
Detection Rule
```yaml
title: Potential Persistence Via Notepad++ Plugins
id: 54127bd4-f541-4ac3-afdb-ea073f63f692
status: test
description: Detects creation of new ".dll" files inside the plugins directory of a Notepad++ installation by a process other than "gup.exe", which could indicate persistence via a malicious plugin
references:
    - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-10
modified: 2025-09-01
tags:
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Notepad++\plugins\'
        TargetFilename|endswith: '.dll'
    filter_gup:
        Image|endswith: '\Notepad++\updater\gup.exe'
    filter_install:
        # This filter is for the Sigma test dataset; remove or adapt it when using the rule in your own environment
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Temp\'
        Image|endswith:
            - '\target.exe'
            - 'Installer.x64.exe'
    filter_main_installer:
        Image|contains: '\npp.'
        Image|endswith: '.exe'
        TargetFilename:
            - 'C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll'
            - 'C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll'
            - 'C:\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll'
            - 'C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll'
    condition: selection and not 1 of filter_*
falsepositives:
    - Possible FPs during first installation of Notepad++
    - Legitimate use of custom plugins by users in order to enhance Notepad++ functionality
level: medium
```
Equivalent hunt against the ASIM imFileEvent parser in Sentinel. Mind the field mapping: in ASIM, TargetFileName holds only the bare file name, so the path test must run against TargetFilePath, and the Sigma Image field (the process that wrote the file) is ActingProcessName. A query that tests TargetFileName for a path, or TargetFilePath for a process name, can never match.

```kql
imFileEvent
| where EventType == "FileCreated"   // Sigma file_event is file creation (Sysmon Event ID 11)
| where TargetFilePath contains "\\Notepad++\\plugins\\" and TargetFilePath endswith ".dll"
// filter_gup: Plugins Admin downloads and unpacks plugins through gup.exe
| where not(ActingProcessName endswith "\\Notepad++\\updater\\gup.exe")
// filter_install: installer staged in a user's Temp folder (Sigma test dataset; adapt for your environment)
| where not(ActingProcessName startswith "C:\\Users\\"
            and ActingProcessName contains "\\AppData\\Local\\Temp\\"
            and (ActingProcessName endswith "\\target.exe" or ActingProcessName endswith "Installer.x64.exe"))
// filter_main_installer: DLLs the official npp.*.exe installer drops into the default plugins folder
| where not(ActingProcessName contains "\\npp." and ActingProcessName endswith ".exe"
            and TargetFilePath in~ (
                "C:\\Program Files\\Notepad++\\plugins\\NppExport\\NppExport.dll",
                "C:\\Program Files\\Notepad++\\plugins\\mimeTools\\mimeTools.dll",
                "C:\\Program Files\\Notepad++\\plugins\\NppConverter\\NppConverter.dll",
                "C:\\Program Files\\Notepad++\\plugins\\Config\\nppPluginList.dll"))
| project TimeGenerated, DvcHostname, ActorUsername, ActingProcessName, TargetFilePath
```

KQL string operators (contains, startswith, endswith, in~) are case-insensitive, which matches Sigma's default matching.
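To see exactly which writes this rule keeps and which it suppresses before deploying the query, here is an added example (not part of the Sigma rule or of the original page) that re-implements the selection, the three filters and the condition in Python and runs them over constructed Sysmon-style FileCreate records. Field names follow Sysmon as the rule does (Image is the creating process, TargetFilename the created file); the hosts, users, installer version string and paths in the sample events are hypothetical. The last sample shows the "first installation" false positive the rule documents: the known-DLL list is path-exact, so an install to a non-default directory alerts.

```python
"""Offline evaluation of the 'Potential Persistence Via Notepad++ Plugins' Sigma logic
over constructed Sysmon-style FileCreate (Event ID 11) records."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileCreateEvent:
    image: str            # Sysmon 'Image': full path of the process that created the file
    target_filename: str  # Sysmon 'TargetFilename': full path of the created file


# Literals from the rule's filter_main_installer list, lower-cased once: Sigma matching is
# case-insensitive by default, as are KQL contains/endswith and in~.
INSTALLER_DLLS = {
    p.lower()
    for p in (
        "C:\\Program Files\\Notepad++\\plugins\\NppExport\\NppExport.dll",
        "C:\\Program Files\\Notepad++\\plugins\\mimeTools\\mimeTools.dll",
        "C:\\Program Files\\Notepad++\\plugins\\NppConverter\\NppConverter.dll",
        "C:\\Program Files\\Notepad++\\plugins\\Config\\nppPluginList.dll",
    )
}


def selection(ev: FileCreateEvent) -> bool:
    """TargetFilename|contains '\\Notepad++\\plugins\\' and TargetFilename|endswith '.dll'."""
    t = ev.target_filename.lower()
    return "\\notepad++\\plugins\\" in t and t.endswith(".dll")


def filter_gup(ev: FileCreateEvent) -> bool:
    """Plugins Admin downloads and unpacks plugins through gup.exe."""
    return ev.image.lower().endswith("\\notepad++\\updater\\gup.exe")


def filter_install(ev: FileCreateEvent) -> bool:
    """Installer binaries staged under a user's Temp folder (Sigma test-dataset filter)."""
    img = ev.image.lower()
    return (
        img.startswith("c:\\users\\")
        and "\\appdata\\local\\temp\\" in img
        and (img.endswith("\\target.exe") or img.endswith("installer.x64.exe"))
    )


def filter_main_installer(ev: FileCreateEvent) -> bool:
    """The official npp.*.exe installer writing its bundled plugins to the default path."""
    img = ev.image.lower()
    return "\\npp." in img and img.endswith(".exe") and ev.target_filename.lower() in INSTALLER_DLLS


def matches(ev: FileCreateEvent) -> bool:
    """condition: selection and not 1 of filter_*"""
    return selection(ev) and not (filter_gup(ev) or filter_install(ev) or filter_main_installer(ev))


def hunt(events):
    """Return the events the rule would alert on, in input order."""
    return [ev for ev in events if matches(ev)]


# Constructed sample events (hypothetical users, version string and paths).
SAMPLE_EVENTS = [
    # 1. Plugins Admin installing NppExec through gup.exe -> suppressed by filter_gup
    FileCreateEvent("C:\\Program Files\\Notepad++\\updater\\gup.exe",
                    "C:\\Program Files\\Notepad++\\plugins\\NppExec\\NppExec.dll"),
    # 2. Official installer writing a bundled plugin to the default path -> filter_main_installer
    FileCreateEvent("C:\\Users\\alice\\Downloads\\npp.8.6.Installer.x64.exe",
                    "C:\\Program Files\\Notepad++\\plugins\\NppExport\\NppExport.dll"),
    # 3. Admin saving a maintenance script with Notepad++ -> no DLL under plugins, selection fails
    FileCreateEvent("C:\\Program Files\\Notepad++\\notepad++.exe",
                    "C:\\Users\\alice\\Documents\\nightly-maintenance.bat"),
    # 4. PowerShell dropping a DLL into a plugin subfolder -> alert (the persistence case)
    FileCreateEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                    "C:\\Program Files\\Notepad++\\plugins\\Updater\\Updater.dll"),
    # 5. cmd.exe copying an upper-cased DLL into a per-user plugins folder -> alert (case-insensitive)
    FileCreateEvent("C:\\Windows\\System32\\cmd.exe",
                    "C:\\Users\\bob\\AppData\\Local\\Notepad++\\plugins\\Helper\\HELPER.DLL"),
    # 6. Installer run against a non-default install path -> alert: the known-DLL list is
    #    path-exact, which is the 'first installation' false positive the rule documents
    FileCreateEvent("C:\\Users\\alice\\Downloads\\npp.8.6.Installer.x64.exe",
                    "D:\\Tools\\Notepad++\\plugins\\NppExport\\NppExport.dll"),
]


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"ALERT  {ev.image}  ->  {ev.target_filename}")
```

Running it prints three alerts: the PowerShell and cmd.exe drops, and the installer write to D:\Tools. If installs to non-default paths are common in your estate, widen filter_main_installer on the process (the npp.*.exe Image) and the DLL file name rather than on the directory, so a DLL dropped by any other process still alerts.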
Scenario: A system administrator uses Notepad++ to edit a scheduled task script (e.g., a .bat or .ps1 file) as part of routine maintenance.
Filter/Exclusion: None needed. Editing a script creates no .dll under a \Notepad++\plugins\ path, so the selection never matches. Do not add extension-based exclusions for .bat, .vbs or .ps1: they exclude nothing the rule can match and only obscure its logic.
Scenario: A developer uses Notepad++ with the NppExec plugin to run a build script or CI/CD pipeline configuration file (e.g., build.bat, pipeline.ps1).
Filter/Exclusion: None needed. NppExec.dll is loaded, not created, when the script runs, and the files it executes are not DLLs in the plugins directory. Do not exclude on keywords such as ci, cd, pipeline or build in the file name: the name is attacker-controlled (a dropped build.dll would be hidden by such a filter) and the exclusion reduces coverage for no gain.
Scenario: An IT support technician uses Notepad++ to create a registry backup file (e.g., regbackup.reg) as part of a system snapshot or disaster recovery process.
Filter/Exclusion: None needed. A .reg file does not satisfy the '.dll' suffix test, so the rule does not fire; excluding .reg files or names containing "registry" adds nothing.
Scenario: A DevOps engineer installs or updates plugins through Notepad++'s Plugins Admin, which writes new plugin DLLs into the Notepad++ plugins directory.
Filter/Exclusion: This is the one scenario here that matches the selection. The rule already excludes writes by \Notepad++\updater\gup.exe, the component Plugins Admin uses to download and unpack plugins, so routine installs through it should not alert. Do not exclude the plugins directory itself (whether C:\Program Files\Notepad++\plugins or a per-user path such as C:\Users\<User>\AppData\Roaming\Notepad++\plugins): that is exactly where a persistence DLL lands, and the exclusion would disable the rule. Exclusions on .tmp or .bak are irrelevant, since the selection only matches .dll. If a software deployment tool installs plugins in your environment, add a filter on that tool's Image, as the rule does for the installer, rather than on the path.
Scenario: A system administrator is using Notepad++ to create a configuration file for a legitimate service (e.g., nginx.conf, apache2.conf) that is then deployed to a server.
**Filter/Ex