Notepad++ Updater DNS Query to Uncommon Domains

Severity: medium
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1195.002` Supply Chain Compromise: Compromise Software Supply Chain
Credential Access	`T1557` Adversary-in-the-Middle
Collection	`T1557` Adversary-in-the-Middle

Event coverage

Provider	Event ID	Title
Sysmon	22	DNSEvent (DNS query)

Stages and Predicates

Stage 1: `selection`

Image|endswith: '\gup.exe'

Stage 2: `not 1 of filter_main_notepad_legit_domain`

QueryName: notepad-plus-plus.org

Stage 3: `not 1 of filter_optional_*`

or:
QueryName|endswith: .azurewebsites.net
QueryName|endswith: .githubusercontent.com
QueryName|endswith: .googleapis.com
QueryName|endswith: .sourceforge.net
QueryName|endswith: block.opendns.com
QueryName|endswith: gateway.zscalerthree.net
QueryName: github.com

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\gup.exe` corpus 3 (sigma 3)
`QueryName`	ends_with	`.azurewebsites.net` `.githubusercontent.com` `.googleapis.com` `.sourceforge.net` `block.opendns.com` `gateway.zscalerthree.net`
`QueryName`	eq	`github.com` `notepad-plus-plus.org`