LoFP / Some legitimate network misconfigurations or proxy issues causing unexpected DNS queries.

Techniques

Sample rules

Notepad++ Updater DNS Query to Uncommon Domains

Description

Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.

Detection logic

selection:
  Image|endswith: \gup.exe
filter_main_notepad_legit_domain:
  QueryName: notepad-plus-plus.org
filter_optional_github_legit_domain:
- QueryName|endswith: .githubusercontent.com
- QueryName: github.com
filter_optional_google_storage_legit_domain:
  QueryName|endswith: .googleapis.com
filter_optional_sourceforge_legit_domain:
  QueryName|endswith: .sourceforge.net
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
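As an added illustration (not part of this page or of the Sigma rule), the following Python evaluates the detection logic above over constructed Sysmon-style DNS events using the rule's own field names (Image, QueryName); the last sample event shows the false positive this LoFP entry describes, where a DNS search suffix appended to a legitimate name defeats the exact-match filter.

```python
# Added example, not the rule's own code: evaluates the Sigma logic above
# over constructed DNS-query events (Sysmon Event ID 22 style fields).
from typing import Dict, List

# Allow-list mirrors the rule's filter_main_* and filter_optional_* blocks.
EXACT_DOMAINS = {"notepad-plus-plus.org", "github.com"}
SUFFIX_DOMAINS = (".githubusercontent.com", ".googleapis.com", ".sourceforge.net")


def is_filtered(query_name: str) -> bool:
    """True when QueryName matches one of the legitimate-domain filters (case-insensitive, as in Sigma)."""
    name = query_name.lower()
    return name in EXACT_DOMAINS or name.endswith(SUFFIX_DOMAINS)


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    selection = event.get("Image", "").lower().endswith("\\gup.exe")
    return selection and not is_filtered(event.get("QueryName", ""))


def evaluate(events: List[Dict[str, str]]) -> List[str]:
    """Return the QueryName of every event that would fire the rule."""
    return [e["QueryName"] for e in events if matches_rule(e)]


# Constructed sample events. The final entry is the LoFP case: a resolver or
# proxy appending a search suffix to the legitimate update domain, so the
# exact-match filter no longer applies and the rule fires on benign traffic.
GUP = r"C:\Program Files\Notepad++\updater\gup.exe"
SAMPLE_EVENTS = [
    {"Image": GUP, "QueryName": "notepad-plus-plus.org"},
    {"Image": GUP, "QueryName": "raw.githubusercontent.com"},
    {"Image": GUP, "QueryName": "downloads.sourceforge.net"},
    {"Image": r"C:\Windows\System32\svchost.exe", "QueryName": "unknown.example"},
    {"Image": GUP, "QueryName": "update.example"},
    {"Image": GUP, "QueryName": "notepad-plus-plus.org.corp.example"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT: gup.exe queried", hit)
```

Tuning for the suffix case means confirming the environment's DNS search list rather than widening the filter to a bare `endswith`, which would also match look-alike names.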