Suspicious File Creation by Clipup in Windows Defender Directory

Rule Info

Name
Suspicious File Creation by Clipup in Windows Defender Directory
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects file creation by ClipUp.exe in the Windows Defender program files directory. ClipUp.exe may be used to overwrite the service executable of Windows Defender, potentially allowing an attacker to disable or manipulate Windows Defender.
Date
2026-01-29 00:00:00
Modified
None
Id
c46c2dde-7ad4-4c6c-89e2-eb1cd34faa14
Tags
attack.defense-impairment attack.t1685
Type
Nextron Sigma feed only (private)

Rule History