Suspicious ClipUp Execution with Windows Defender Path

Rule Info

Name
Suspicious ClipUp Execution with Windows Defender Path
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects suspicious execution of ClipUp.exe with parameters that may indicate an attempt to write to Windows Defender protected locations. ClipUp.exe may be used to overwrite the service executable of Windows Defender, potentially allowing an attacker to disable or manipulate Windows Defender.
Reference
https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html
Date
2026-01-29 00:00:00
Modified
None
Id
35be9b70-5f4e-4e2a-8f3c-7bdae30c7c4f
Tags
attack.defense-evasion attack.persistence attack.t1218 attack.t1562.001
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022