Detection | medium | experimental

Notepad++ Updater DNS Query to Uncommon Domains

Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.

Author: Swachchhanda Shrawan Poudel (Nextron Systems) | Created: Mon Feb 02 | Rule ID: 2074e137-1b73-4e2d-88ba-5a3407dbdce0 | Product: windows
Log Source
Product: Windows (raw: windows)
Category: DNS Query (raw: dns_query)

DNS lookup events generated by endpoint monitoring tools.

Detection Logic (5 selectors)
detection:
    selection:
        Image|endswith: '\gup.exe'
    filter_main_notepad_legit_domain:
        QueryName: 'notepad-plus-plus.org'
    filter_optional_sourceforge_legit_domain:
        QueryName|endswith: '.sourceforge.net'
    filter_optional_github_legit_domain:
        - QueryName|endswith: '.githubusercontent.com'
        - QueryName: 'github.com'
    filter_optional_google_storage_legit_domain:
        QueryName|endswith: '.googleapis.com'
    # Add other known legitimate domains if any
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
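As an added example (not part of the rule or of the Sigma project), a small Python evaluator for the subset of Sigma semantics this rule uses, run over constructed Sysmon Event ID 22 style DNS query events; the field names Image and QueryName are the ones the rule itself references, and the sample events and file paths are constructed.

```python
# Added example (not the Sigma project's code): evaluates the rule above over
# constructed Sysmon Event ID 22 style events. Sigma subset used by this rule:
# map = all keys must match; list of maps = any may match; 'field|endswith' =
# suffix test; bare field = exact, case-insensitive test; list of values = OR.

SELECTORS = {
    "selection": {"Image|endswith": "\\gup.exe"},
    "filter_main_notepad_legit_domain": {"QueryName": "notepad-plus-plus.org"},
    "filter_optional_sourceforge_legit_domain": {"QueryName|endswith": ".sourceforge.net"},
    "filter_optional_github_legit_domain": [
        {"QueryName|endswith": ".githubusercontent.com"},
        {"QueryName": "github.com"},
    ],
    "filter_optional_google_storage_legit_domain": {"QueryName|endswith": ".googleapis.com"},
}

def _term_matches(event, key, values):
    field, _, modifier = key.partition("|")      # 'QueryName|endswith' -> field, modifier
    actual = str(event.get(field, "")).lower()   # Sigma matching is case-insensitive
    for v in ([values] if isinstance(values, str) else values):
        v = v.lower()
        if (modifier == "endswith" and actual.endswith(v)) or (modifier == "" and actual == v):
            return True
    return False

def selector_matches(event, selector):
    if isinstance(selector, list):  # list of maps: OR between the maps
        return any(selector_matches(event, m) for m in selector)
    return all(_term_matches(event, k, v) for k, v in selector.items())

def _one_of(event, prefix):  # Sigma '1 of <prefix>*'
    return any(selector_matches(event, s) for n, s in SELECTORS.items() if n.startswith(prefix))

def rule_matches(event):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return (selector_matches(event, SELECTORS["selection"])
            and not _one_of(event, "filter_main_")
            and not _one_of(event, "filter_optional_"))

GUP = "C:\\Program Files\\Notepad++\\updater\\GUP.exe"  # constructed path
SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"Image": GUP, "QueryName": "notepad-plus-plus.org"},
    {"Image": GUP, "QueryName": "objects.githubusercontent.com"},
    {"Image": GUP, "QueryName": "GitHub.com"},
    {"Image": GUP, "QueryName": "update.example.invalid"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "update.example.invalid"},
]

def alerts(events):  # QueryName of every event the rule would alert on
    return [e["QueryName"] for e in events if rule_matches(e)]
```

Running alerts(SAMPLE_EVENTS) yields only the gup.exe query to update.example.invalid; the svchost.exe query to the same domain is outside the selection and the three queries to allow-listed domains are suppressed by the filters.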
False Positives

Some legitimate network misconfigurations or proxy issues causing unexpected DNS queries.

Other legitimate queries to official domains not listed in the filters; these require tuning of the filter list.

Rule Metadata
Rule ID
2074e137-1b73-4e2d-88ba-5a3407dbdce0
Status
experimental
Level
medium
Type
Detection
Created
Mon Feb 02
Path
rules/windows/dns_query/dns_query_win_gup_query_to_uncommon_domains.yml
Raw Tags
attack.collection, attack.credential-access, attack.t1195.002, attack.initial-access, attack.t1557