Notepad++ update hijacking

Notepad++ update infrastructure has been hijacked. A summary of IOC searches.

We started this week with a very bad case: the hack of Notepad++.

If you don't know what Notepad++ is, or don't see how critical such an attack is, please move on and take some courses. Because yes, this is a supply chain attack, one of the most dangerous attacks an organization can suffer. Whatever your level of security, if a trusted source, partner, provider, etc. is compromised, it becomes very hard to ensure the integrity of your infrastructure. In such a case we must apply zero trust logic and the principles of defense in depth. Here it is actually worse: it is a two-level supply chain attack. The attackers compromised the hosting provider's infrastructure used by Notepad++, which was then used to compromise Notepad++ users.

This post was written on Feb 3rd at 11:00 AM UTC+1, so all the information presented here is based on what was available at that time.

What happened?

A quick summary of the initial incident, from my understanding, based on the already published information.

The former hosting infrastructure of NPP used to update the client was compromised. How? We don't really know yet. The threat actor, which seems to be a Chinese state-sponsored actor, was able to redirect the update package download from the NPP updater (gup.exe) to a malicious package. They exploited a vulnerability in the update process: the updater did not validate the legitimacy of the update package (hash, signature, certificate, etc.). The targets were selected by the threat actor on unknown criteria.
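The missing check is the whole story, so here is an added example (my code, not Notepad++'s or GUP's) of the weakness described above shown as a minimal updater next to a hardened one. The hardened version pins the expected SHA-256 of the installer from a manifest obtained over a channel separate from the download host and refuses to hand back anything that does not match. The manifest format, the version key and the package bytes are all constructed for the example; nothing is downloaded or executed.

```python
"""Vulnerable vs. hardened update verification (added example, not GUP code)."""
import hashlib
import hmac

# Constructed stand-ins for the genuine installer and for what a hijacked host serves
LEGIT_PACKAGE = b"constructed: bytes of the genuine installer"
SWAPPED_PACKAGE = b"constructed: bytes served instead by a hijacked download host"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest: version -> expected installer hash. In practice this must
# come from a source the attacker does not control (signed metadata, a pinned
# mirror); a manifest served by the same hijacked host would simply be swapped too.
TRUSTED_MANIFEST = {"v-example": sha256_hex(LEGIT_PACKAGE)}


class UpdateRejected(Exception):
    """Raised when a downloaded package fails verification."""


def vulnerable_update(fetch_package) -> bytes:
    """The pattern the post describes: accept whatever the download URL returns."""
    return fetch_package()  # no hash, signature or certificate check at all


def verify_package(package: bytes, version: str) -> bool:
    """True only if the package hash equals the pinned hash for this version."""
    expected = TRUSTED_MANIFEST.get(version)
    if expected is None:
        return False  # unknown version: fail closed rather than trust the download
    # constant-time compare; both sides are hex digests of equal length
    return hmac.compare_digest(sha256_hex(package), expected)


def hardened_update(fetch_package, version: str) -> bytes:
    """Download, verify against the pin, and only then return the package."""
    package = fetch_package()
    if not verify_package(package, version):
        raise UpdateRejected(f"package for {version} does not match pinned SHA-256")
    return package


if __name__ == "__main__":
    print(vulnerable_update(lambda: SWAPPED_PACKAGE) == SWAPPED_PACKAGE)  # accepted
    print(verify_package(SWAPPED_PACKAGE, "v-example"))                   # False
```

A hash pin only complements the signature and certificate checks the post lists as missing: the pin catches a swapped package, while an Authenticode check on the installer catches a package that was never built by the vendor in the first place.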

What is the issue for you?

The incident started in June 2025 and lasted up to December 2025.

In a mature infrastructure, log retention usually means you still have infrastructure-level logs for this period, while endpoint logs (EDR/XDR) are most of the time kept for a shorter time. So finding traces of the malicious actor starts to become complex.

But that's not all. We have almost no IOCs to search for. When the alert was triggered on Monday morning, my team and I were looking for... we did not know what.

The previous legit packages of NPP were signed with a self-signed certificate. We had the hashes of the legit installers we had collected from the official website, but no hashes of the running processes. The installer is downloaded only at installation time; if it was a malicious one, that would have been six months ago.

On Monday afternoon, Rapid7 published a blog article providing payload and infrastructure analysis with some IOCs. Are those IOCs exhaustive? We don't know. But it is a starting point.

Let's consider that you have a properly secured infrastructure, which means:

-A proxy, mandatory for any internet access, or at least URL filtering at your boundaries, with SSL inspection and fully detailed logs, so you have the user agent, the filenames, the hash of downloaded files, the full URI, etc.

-Sufficient log retention for your proxy logs and firewall logs.

-An EDR. In my case, we'll do the searches in MS Defender for Endpoint, which brings me the limit of 30 days of hot logs. 😭

I share with you my elements and my searches.


Extracted IOCs from multiple sources

Payload SHA256 hashes:

"8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e",
"2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924",
"77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e",
"3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad",
"0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd",
"4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8",
"e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda",
"078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5",
"b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3",
"7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd",
"fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a",
"a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9",
"9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600",
"f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a",
"4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906",
"831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd",
"c7cc87ef3829a33b7f178d88a71ba548c37020005b09d16a76fcd356621335e6",
"36c98c18215a244e501673d9f01fa093d1906d08a7ad9927905f8f004640e4e1",
"4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566",
-----------------------------

KQL:

Search for ProcessEvents matching the hashes:

DeviceProcessEvents
| where SHA256 in ("8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e",
"2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924",
"77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e",
"3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad",
"0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd",
"4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8",
"e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda",
"078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5",
"b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3",
"7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd",
"fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a",
"a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9",
"9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600",
"f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a",
"4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906",
"831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd",
"c7cc87ef3829a33b7f178d88a71ba548c37020005b09d16a76fcd356621335e6",
"36c98c18215a244e501673d9f01fa093d1906d08a7ad9927905f8f004640e4e1",
"4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566")


Search for FileEvents matching the hashes:

DeviceFileEvents
| where SHA256 in ("8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e",
"2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924",
"77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e",
"3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad",
"0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd",
"4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8",
"e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda",
"078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5",
"b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3",
"7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd",
"fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a",
"a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9",
"9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600",
"f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a",
"4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906",
"831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd",
"c7cc87ef3829a33b7f178d88a71ba548c37020005b09d16a76fcd356621335e6",
"36c98c18215a244e501673d9f01fa093d1906d08a7ad9927905f8f004640e4e1",
"4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566")

Proxy: search for those hashes in your proxy logs. This depends on your log format and logging tool.

Payload filenames

  • update.exe // excluded due to FP
  • [NSIS.nsi]
  • [NSIS].nsi
  • BluetoothService.exe
  • BluetoothService
  • log.dll
  • u.bat
  • conf.c
  • libtcc.dll
  • admin // excluded due to FP
  • loader1
  • uffhxpSy
  • loader2
  • 3yzr31vk
  • ConsoleApplication2.exe
  • system // excluded due to FP
  • s047t5g.exe
-----------------------------

KQL: Search for matching filenames. Unfortunately, we had to exclude three of them due to the large number of false positives.

DeviceFileEvents
| where FileName in (
//"update.exe",
"[NSIS].nsi",
"BluetoothService.exe",
"BluetoothService",
"log.dll",
"u.bat",
"conf.c",
"libtcc.dll",
//"admin",
"loader1",
"uffhxpSy",
"loader2",
"3yzr31vk",
"ConsoleApplication2.exe",
//"system",
"s047t5g.exe")


Proxy: do the same with your proxy logs; this depends on your logging system and log format.

Network

  • api.skycloudcenter.com
  • 59.110.7.32:8880
  • 124.222.137.114:9999
  • api.wiresguard.com
  • 61.4.102.97
  • 95.179.213.0
  • cdncheck.it.com
  • self-dns.it.com
  • safe-dns.it.com
  • temp.sh
  • 45.76.155.202
  • 45.77.31.210
Search for the IPs and hostnames in your proxy logs and firewall logs; this depends on your logging system and log format.

KQL:

Search for known IOCs:

DeviceNetworkEvents
| where RemoteIP in ("59.110.7.32","124.222.137.114","61.4.102.97","95.179.213.0","45.76.155.202","45.77.31.210") or RemoteUrl has_any("cdncheck.it.com","self-dns.it.com","safe-dns.it.com","api.wiresguard.com","api.skycloudcenter.com","temp.sh")

But we also took a different approach, searching for anything that does not match the updater's legit network connectivity:

DeviceNetworkEvents
| where InitiatingProcessFileName =~ "gup.exe"   // =~ is case-insensitive, so GUP.exe is covered too
| where ActionType != "ListeningConnectionCreated"
| where RemoteIP != "127.0.0.1"
| where RemoteUrl !in ("https://notepad-plus-plus.org","notepad-plus-plus.org", "release-assets.githubusercontent.com","https://release-assets.githubusercontent.com","https://github.com","github.com")
| where not (InitiatingProcessCommandLine contains "https://notepad-plus-plus.org/update/getDownloadUrl.php" and InitiatingProcessCommandLine contains "https://github.com/notepad-plus-plus/notepad-plus-plus/")
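The same allow-list logic as the query above, as an added example (my code, not the author's query) ported to Python so it can be run over exported DeviceNetworkEvents rows or any other process-to-network log. Column names follow the Defender schema used on this page; the events are constructed for the example. It generalises the query in one respect: RemoteUrl is reduced to a hostname before comparison, so the scheme-prefixed and bare spellings do not need to be listed twice.

```python
"""Updater network baseline: flag gup.exe connections outside known-good traffic."""
from urllib.parse import urlsplit

UPDATER_NAMES = {"gup.exe"}  # compared case-insensitively, as =~ does in KQL

# Remote hosts the updater is expected to talk to (from the query on this page)
KNOWN_GOOD_HOSTS = {
    "notepad-plus-plus.org",
    "release-assets.githubusercontent.com",
    "github.com",
}

# The query excludes events whose command line carries both of these URLs
EXPECTED_CMDLINE_MARKERS = (
    "https://notepad-plus-plus.org/update/getDownloadUrl.php",
    "https://github.com/notepad-plus-plus/notepad-plus-plus/",
)


def normalize_remote(remote_url: str) -> str:
    """Reduce RemoteUrl (an FQDN or a full URL) to a bare lowercase hostname."""
    if not remote_url:
        return ""
    if "://" in remote_url:
        return (urlsplit(remote_url).hostname or "").lower()
    return remote_url.split("/", 1)[0].lower()


def is_unexpected_updater_connection(ev: dict) -> bool:
    """Mirror of the where-clauses: keep outbound updater connections that are
    neither loopback, nor to a known-good host, nor explained by the command line."""
    if ev.get("InitiatingProcessFileName", "").lower() not in UPDATER_NAMES:
        return False
    if ev.get("ActionType") == "ListeningConnectionCreated":
        return False
    if ev.get("RemoteIP") == "127.0.0.1":
        return False
    if normalize_remote(ev.get("RemoteUrl", "")) in KNOWN_GOOD_HOSTS:
        return False
    cmd = ev.get("InitiatingProcessCommandLine", "")
    if all(marker in cmd for marker in EXPECTED_CMDLINE_MARKERS):
        return False
    return True


def find_unexpected_updater_connections(events):
    return [ev for ev in events if is_unexpected_updater_connection(ev)]


def _ev(**fields) -> dict:
    """Constructed DeviceNetworkEvents-like row with overridable columns."""
    base = {"Timestamp": "2025-11-03T08:12:01Z", "DeviceName": "ws-015",
            "ActionType": "ConnectionSuccess", "InitiatingProcessFileName": "GUP.exe",
            "InitiatingProcessCommandLine": '"gup.exe"', "RemoteIP": "",
            "RemotePort": 0, "RemoteUrl": ""}
    base.update(fields)
    return base


SAMPLE_EVENTS = [  # constructed; documentation-range IPs for the benign rows
    _ev(RemoteIP="203.0.113.10", RemotePort=443, RemoteUrl="notepad-plus-plus.org"),
    _ev(ActionType="ListeningConnectionCreated"),           # excluded by ActionType
    _ev(RemoteIP="127.0.0.1", RemotePort=49152),            # loopback, excluded
    _ev(RemoteIP="203.0.113.20", RemotePort=443,            # URL form of a good host
        RemoteUrl="https://release-assets.githubusercontent.com/some/asset"),
    _ev(RemoteIP="203.0.113.30", RemotePort=443, RemoteUrl="unknown-mirror.example",
        InitiatingProcessCommandLine='"gup.exe" ' + " ".join(EXPECTED_CMDLINE_MARKERS)),
    _ev(RemoteIP="198.51.100.7", RemotePort=443, RemoteUrl="cdncheck.it.com"),  # flag
    _ev(RemoteIP="59.110.7.32", RemotePort=8880),                                 # flag
    _ev(InitiatingProcessFileName="msedge.exe", RemoteIP="198.51.100.7",
        RemoteUrl="cdncheck.it.com"),                        # not the updater, ignored
]

if __name__ == "__main__":
    for ev in find_unexpected_updater_connections(SAMPLE_EVENTS):
        print(ev["Timestamp"], ev["DeviceName"], ev["RemoteIP"], ev["RemoteUrl"])
```

The point of the negative filter is the one the post makes: it does not need the attacker's infrastructure to be known in advance, only the updater's legitimate destinations, so it still has a chance of catching a payload host that no published IOC list mentions.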

User agents

  • "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36"
  • "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36"
  • "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"
Search for them in your proxy logs; this depends on your logging system and log format.
If you have matches, double-check the destination domain and IP.
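The proxy searches for the hashes, filenames, network IOCs and user agents above all come down to the same loop once the log format is settled. Here is an added example (my code, not the author's) of that loop. The log format is an assumption: one JSON object per line with the fields an SSL-inspecting proxy can log (url, dst_ip, user_agent, filename, sha256); only parse_line() depends on it. The IOC values are the ones listed on this page; the log records are constructed. It goes a little beyond the lists by also matching subdomains of the listed hosts, and by matching the listed IPs regardless of port.

```python
"""IOC sweep over proxy records (added example; log format and records constructed)."""
import ipaddress
import json
import posixpath
from urllib.parse import urlsplit

PAYLOAD_SHA256 = {  # first three of the payload hashes listed on this page
    "8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e",
    "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924",
    "77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e",
}
# update.exe, admin and system are left out, as in the post, because of false positives
PAYLOAD_FILENAMES = {
    "[NSIS].nsi", "BluetoothService.exe", "BluetoothService", "log.dll", "u.bat",
    "conf.c", "libtcc.dll", "loader1", "uffhxpSy", "loader2", "3yzr31vk",
    "ConsoleApplication2.exe", "s047t5g.exe",
}
NETWORK_IOCS = [
    "api.skycloudcenter.com", "59.110.7.32:8880", "124.222.137.114:9999",
    "api.wiresguard.com", "61.4.102.97", "95.179.213.0", "cdncheck.it.com",
    "self-dns.it.com", "safe-dns.it.com", "temp.sh", "45.76.155.202", "45.77.31.210",
]
USER_AGENT_LIST = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36",
]
USER_AGENTS = set(USER_AGENT_LIST)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def split_network_iocs(iocs):
    """Separate hostnames from IPv4 addresses. Ports on IP IOCs are dropped on
    purpose: a connection to the same address on another port still deserves a look."""
    hosts, ips = set(), set()
    for ioc in iocs:
        addr = ioc.split(":", 1)[0]
        (ips if _is_ip(addr) else hosts).add(addr.lower())
    return hosts, ips


IOC_HOSTS, IOC_IPS = split_network_iocs(NETWORK_IOCS)


def host_matches(host: str) -> bool:
    """Exact match or subdomain of a listed host (files.temp.sh matches temp.sh)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)


def parse_line(line: str) -> dict:
    """Assumed format: one JSON object per line; host and filename fall back to the URL."""
    rec = json.loads(line)
    parts = urlsplit(rec.get("url", ""))
    rec["host"] = (rec.get("host") or parts.hostname or "").lower()
    rec["filename"] = rec.get("filename") or posixpath.basename(parts.path)
    return rec


def match_record(rec: dict):
    """Return (ioc_type, value) pairs for every indicator the record matches."""
    hits = []
    if rec.get("sha256", "").lower() in PAYLOAD_SHA256:
        hits.append(("sha256", rec["sha256"].lower()))
    if rec["filename"] in PAYLOAD_FILENAMES:
        hits.append(("filename", rec["filename"]))
    if rec["host"] and host_matches(rec["host"]):
        hits.append(("host", rec["host"]))
    # the destination may be logged as dst_ip, or appear as a raw IP in the URL itself
    for ip in dict.fromkeys([rec.get("dst_ip", ""), rec["host"]]):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
            break
    if rec.get("user_agent") in USER_AGENTS:
        hits.append(("user_agent", rec["user_agent"]))
    return hits


def scan(lines):
    """Run every record through the IOC sets; one finding per indicator matched."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if line.strip():
            for ioc_type, value in match_record(parse_line(line)):
                findings.append({"line": number, "ioc_type": ioc_type, "value": value})
    return findings


# Constructed records: a benign update check, a payload download from a listed
# host, a connection to a listed IP with a listed user agent, and a subdomain hit.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"ts": "2025-11-03T08:12:01Z", "src": "10.0.0.15", "dst_ip": "203.0.113.10",
     "url": "https://notepad-plus-plus.org/update/getDownloadUrl.php",
     "dst_port": 443, "user_agent": "constructed-updater/1.0", "filename": "", "sha256": ""},
    {"ts": "2025-11-03T08:12:05Z", "src": "10.0.0.15", "dst_ip": "198.51.100.7",
     "url": "https://cdncheck.it.com/dl/log.dll", "dst_port": 443,
     "user_agent": "constructed-updater/1.0", "filename": "log.dll",
     "sha256": "8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e"},
    {"ts": "2025-11-03T08:13:40Z", "src": "10.0.0.15", "dst_ip": "59.110.7.32",
     "url": "http://59.110.7.32:8880/c", "dst_port": 8880,
     "user_agent": USER_AGENT_LIST[0], "filename": "", "sha256": ""},
    {"ts": "2025-11-03T09:01:12Z", "src": "10.0.0.22", "dst_ip": "192.0.2.44",
     "url": "https://files.temp.sh/u/abc", "dst_port": 443,
     "user_agent": "Mozilla/5.0 constructed", "filename": "abc", "sha256": "0" * 64},
]]
```

A match on the user agent alone is the weakest signal here (those are ordinary Chrome strings), which is why the post says to double-check destination domain and IP on any user-agent hit before acting on it.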


Paths

  • C:\ProgramData\USOShared\
  • %APPDATA%\Roaming\Bluetooth\
  • %appdata%\ProShow\load

-----------------------------

KQL:

Search for FileEvents matching the suspicious folder paths:

DeviceFileEvents
// contains is case-insensitive in KQL, so "appdata" also covers "APPDATA"
| where FolderPath contains "C:\\ProgramData\\USOShared" or (FolderPath contains "appdata" and (FolderPath contains "\\Roaming\\Bluetooth" or FolderPath contains "ProShow"))

Search for ProcessEvents matching the suspicious folder paths:

DeviceProcessEvents
// contains is case-insensitive in KQL, so "appdata" also covers "APPDATA"
| where FolderPath contains "C:\\ProgramData\\USOShared" or (FolderPath contains "appdata" and (FolderPath contains "\\Roaming\\Bluetooth" or FolderPath contains "ProShow"))


Some additional searches

Search for suspicious processes created by gup.exe.

-Searching for any process created by gup.exe, excluding the legit installer hashes:

DeviceProcessEvents
| where InitiatingProcessCommandLine startswith '"gup.exe"'
| where SHA256 !in ("95049a673d2e498077046714a0723791826daa5f97b4914ceb621afea4137a68",
"73c5902a9eace229d519ec6362dbb8e39b44ffc9078584f535671be6d368981f",
"8e22725756fa567c86170d3601228bbe623b9c5b0c4846c546318efd2ac8a6e3",
"76e63d28e91d3aa176e49b89d8d862a45260c55ebf606eba741b6eb85d6a7b6b",
"72ea3fa91e6bde264be6dfff75a30f15cb0fc43d9884ed4491b16ea4a3a37d9d",
"a14919060ef3cfe9d451a515f9780c1b9101ead1cede6d61ca241e970ac164d2",
"4d313e1903c594d66214d749b5b9dbf1c454180e14bccf9b9c565f55e4c1d1ae",
"017100b1694d55b950f2236746093c20fdb6006a0b691c88ae0f21f351c081c3",
"0ba83b48a3461e5ae22830e900835407ab452107732ab9be7b1e4f134d643522",
"f2d53031fc3039015aa7c34298298b638e96877390d600f31ef7569ee98319a3",
"b82530d4af21c7fcceda0c5dcea81aacbaeefdfd7aca7119045f8db376614bf0",
"9e5166e2f954e1b25116893862971dd4ad95fa78026f9f1829e01e1fd0cca7c8",
"2de4dda71d00730844974774c2c64ccc7caa57a35de4eec3d82abdf7e506c8d2",
"ef4824323c499c133f3a4397c146954c398d0b381eff86f4559dd579d070b266",
"71431fa7b66f8132453e18e3a5f8ef0af3ca079a7793f828df06fdb5d7bd915d",
"2dd5473736ef51e4340cae005e3fc8cdf0e42ec649bc6ed186484a79be409928",
"95e0884b5189c40e0e683a402a5fcfa19cad69bad68ebff545a0f2043c655ea6",
"7c0e2bf947100fdae4c8b199b0f9eceae852b74d2cd3447d55f10315201bc773",
"9efbbc9a75ea2db490103f9cdaed8ab2ba886f1d631c06100e92316711be5758",
"97beb2cd8214f08a030aee0d5afcd410162d99673619bdf22012766bfeff2cc6",
"a5767dc1924e3252d8044221f7e0979588b331e62ac28c22a799b528dc353bc2",
"277ebcbe690e868a050784be127178e6cf5e9dbb181731f2b92dfdbcfd42ca20",
"4ecd2ab6285066d5158f60c8ca3d99b3817bd66dc394c3f51b20d0a232b5af65",
"f86ac130feb3c63659c8ae113f51c0cda74338732999386f82b095f9e1f95906",
"4db7d6ae535eb6315e1005137344664cab341555ada9b073644bdea53070e628",
"2755917bc52bde476305cd442f91a8e3966e4d199d3b2b584211c4ff674e2c7b",
"e163697b981c317982c2633872259004bb33df6d08f7561dac3832e05ca9e36c",
"a19aa1cd7ecb9ca3f1fd0e118fffd0d673fba404ced8c39c2e210a63b70f9c15",
"e22abc9af328d063e652f0829819124a6a748c224bc8b10f98473f87cda2c0cd",
"0f8baaf17a067fedac75cac6dfebec35b45bf392a7569c413d6007e73d830059",
"7539c3006438fd251dc022d3c56bfc7fdc0e022cbc19e932d3cc072516db6da7",
"8588631118f8e613bf09029f08592102bd7d1b4b0444916c735c70b157a34ce7",
"1c13c9efb697320aab6b33cf6884e8509a19d976c92ff2505fab87ca775be073",
"1b525bacf4965e39694459c6ba209da41d0176d14da72530e1e362fa445a33a5",
"218897b54072d18f6f75c856039f8b1dd095809688bf1d7d39977154940330f4",
"e2c84b3a0f0e700a7acc651210680c1e5033a5046082220a321ec69222edc7dc",
"51454878c3c3bece8e8f77ef2d88e750c18a74e47f5784180167bb1f50f55329",
"b8bc370b76653c194caf32450056030be580b9fa97348fb31b2e2e61ee8d2393",
"3095c6601e0a6f1eacb5828cc1489bf15bc6acb4de5c9ea651a78e16911ce175",
"337bef6f2d6473062afef3c3c027a24887278fbe2753c0964efb692518264e2a",
"61c3077b989e272117167c90fc35e7f06bea4f992f3395b40ccee083d7258082",
"49d2531893b09cb6a8e3429ca0a734e871a2d96fa2575c0eec3229d383fa233a",
"4824db4c50bdc0dcca2db4fca67aa3e7235060fb794761ea143c21e1136ef63c",
"88405138ea0afcd92f372ef2342761b79506589249432ef2bed42d539a99a670",
"eff5b83aa6af84d6f3fec8ce942805ec3e1e049cde5f04bc0fdaed27d2a0e5e2",
"1ef313b6520b7b207e51ee5d7b0a85e4e71241bad7d7800ab52cd8084f5cda47",
"0657588bdd69bac2ea420aa3147f0b6079d5e9728b6f5d972796c312264f51bb",
"f05411befd0aa4ba5f8362ceb4a1d6466c012f3329b1ec16bdc5a5a7d6b24f23",
"70a5ddb9edb8e87f469bfd6933867ae7820594dde7fe7eab682c81b1cbfd699d",
"92c017802cd6918b0c3f3de1feeb8790e559978ca817b699f446c8464b3c962f",
"2c80ad3d6d9f77c87e1243526a7907fb244aae45fa87f6bffaadbc7c0563a24b",
"8c9f5521774fe22b695df52b0d22c2dd06f5cdd68bad9f826058b038bf612f4c",
"32aa12d3c9521477a5a1e086e400ec0f77f8a97a8190806a0f1953688b883cfb",
"8117c82a3821965d92ee3f9f3ae10efcd602bd4b6e52a2fe957d70aafe479744",
"79a3922dd444c6e10542d7cc42633baf51f8900f989d38df8661760ccbc9a2ab",
"d2e5536c2f78327181caed22ee3cb4bbd4722f2b8b4e0576c1dbcc2fed4649b4",
"0d3334121e3d531f473ee66eff759e6be5851a91e269650b1fe4fc21665a70a1",
"c2bc87f6d37f02ebef0cbdfc2ebcd355ad1a3d14edebe795b4318897cf8751cc",
"e21071fa2823c92f83d6e4a3cca164b47c3aa43213baa1accc17a460484e0aee",
"850dd98eb813934b05b12f2a27e66c4776059f97175f36691c35624bfd58464c",
"1640a5dd716052821b990faaee1df720a4c6f982fda3860e792b341d5917c352",
"cd4a9f4162c01ef8ceb4f7cc0405d427657f87f6115eab2e1186c6f7d27e3a33",
"97f92119fe0decae3754fe442f296f51205909e37c4677ee2458d31e35dbbd38",
"9e3d7a56c194cd1a1de22cfc3b1cc6893edc3e00657c6249e973b692bea970fd",
"05abc57952974d08feafa399d6fdb37945a3fd0a10f37833dd837a5788e421d5",
"c6d1e5aacbf69aa18df4caf1346fd69638491a5ad0085729bae91c662d1c62bb",
"374b9e6548a574c9dd6b5a8bea50b14f1e26fea9aec28f60c3700e5a4c2bcfe1",
"cf2390328d7c8c7089bd8436d8a8a8d2c7a79893e9af4e260d86cb2c77df3875",
"0d08f428ac33235f6f8b694b9c9967023f222a22542e2a5c9ffc2a595f3f9a4a",
"4c39fb2fda14a1babccac65513d3ef3d919c29d9f8a40fd285e76283becd51f3",
"97b7c8c37a4daff1c87956b614de44a57fd12bee9a2b3c889e6dee216444d454",
"e49625d1b030d952af4b5bff84d87d7eee0f0da054082432b7a30801cc7a2421",
"591f2fb7e48ffbc0e3bb781c2a3fde7632fded09faf5c1084e3d74634335189f",
"372bd3a9b15566af7793df86212a5c213739bd57e1b09ab007a1e00ce4de555b",
"a08a9e4d6a3610f11f1961c4c07bd0ad85b04a47aa46d96b684ac5d2a63237f5",
"45ccf07041b98ee6516a205f87ac2ca571da147ff0541e05edca1c2decda1cd9",
"179613870a9ffc646b77918701481c8ffdae1c82e06cbc7ea7d42af3d1c9e5e2",
"49852273a3e98ad1266a5bb7cd056e1154cc6d14e7c2a6e308ae95f355ca10cf",
"653766823529776e8b4ceee051a8a987f700de62767bd34b4a6709991b019644",
"26e480873fc2bdf39eaedf936bcaae75430089d802381abad2589060c0ef703d",
"ae1875370fc357e9db15807c12ae78a5dcfffd5e0416f2db10ff29036069d85a",
"6a12436a1923df22aa5281169d27f04d4453042bef1641eb301a0845d570cf22",
"f7e142f0be7bb15801078311629b265f72e96942a9891e398ce3fd1ead841c63",
"cd1e3863452cb6ce28749d9f0c18eb258672ba625571e0e7bb20088947988b36",
"6c999c2b2e2dd99886bb390ea463d0bf758a343ddd416e9097f265786031a881",
"5506079a5b372524f72a31ed6df807fe866681262cc8084965d092b02cd72945",
"03d154b8aaa8c51883d03c9a4e530412ee9669ab9efa761a1739603ae755c8d3",
"5c310edfff1c6beb117f173cb59e27a6f589aaecbb6dd5312d5f6f69877a44f9",
"e1df78704001bba1a3d343f62a1242a4484ff6ad269170714263c03b802eb0b1",
"7094a07167648628e47249a16d9d6db922e5aa1255ac4322a2e4900d233372dd",
"2a480885cea729fc3a9b2e7ff28945b0570da6ad59a4046159bda9be76a8e453",
"1976a4f473ca8025572652542c28ec80226d503c6fc5187e31ee826f9947bff1",
"bbe1761c26529cff1bf82a8b50e19c309cd2629fea568605733755e03660f6c8",
"099e160fc980b693d0f8178ae079d80173876c36285f064b1c67c25988c81ea9",
"47e6dc4b4362cc727a1a89a021d3529dbcb9c6645fa6c3af3b5d88d2187bcb6e",
"fb006e93b68815fa06d55eb65370cb819cc9281403ff53bf879c3335bc2582ce",
"8d9f7962ed248b61de44d6b45f2954b02742744456ca6faea843dd2ed461e57e",
"8f4541f624d078175977b96d049e4591afdd9defd4227d594c9a1fdb73ead421",
"ecaea0b9a8a99d6a8d60f4010b7a52aa29a70ac963399db1106978161e03b242",
"85ea19609edb04ba320380fe81cde1e236a495633ba72c74734022d96efc8e1c",
"69020ccd2dae9cc6c613460f41884a29d4c7bf21cc55e09a559cb4afdea47e0c",
"06c42ea6edbbc2c1ffa74d5c3355ced51616896f41aee66372bfb55eb54ae68f",
"e800e62c4eae095d47259111e953c618f09fe69fa4584db63ea220e095900c0a",
"e3ead074b4052966f98f6d95291dd86dd877bd1b5a94aacdd384b499a89e3127",
"88c77fe2cac787de88ac6d0bbf39c529303c9d8982bdbfb72db6a08a400203fe",
"dd03354d4fe0ea2136bbb0bfa256198e44d68d68f82f015d44cd9072483c8bfa",
"19c4bf99be07a08365888c78fee938524fba35337c661c25bec5b2150d4b46b1",
"02914d44dbec415178cf51ddbe7997b681bd976949c0ddb5bce5c85113cd348d",
"b297bac59da6c814ee6f950597041bbaba6a7e2943396bc1c7c4e90e8d0cb4db",
"f52767b8082b0ce6600eec1a36e9157c346fcf60c16cee059d18f30bf56dc17e",
"96d39a00d8264ba652a519063313cf3f9f3a1e6cb99f74c7e9c3cecd9ffae989",
"3e1b4bf90d1a12fe7743784fdf79136a41ed3cf5d74283512e6de71eff21b8bd")
| project-reorder Timestamp, DeviceName, ActionType, FileName, FolderPath, ProcessCommandLine

Search for suspicious processes correlated with network events:

DeviceProcessEvents
| where InitiatingProcessCommandLine startswith '"gup.exe"'
| project-reorder Timestamp, DeviceName, ActionType, FileName, FolderPath, ProcessCommandLine, SHA1, SHA256, MD5
| where FolderPath != "C:\\Windows\\explorer.exe"
| where FolderPath != "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
| distinct SHA256
| join (DeviceNetworkEvents) on $left.SHA256 == $right.InitiatingProcessSHA256

Search for files created by gup.exe, excluding the known legit installers:

DeviceFileEvents
| where InitiatingProcessCommandLine startswith '"gup.exe"'
| where SHA256 !in ("95049a673d2e498077046714a0723791826daa5f97b4914ceb621afea4137a68",
"73c5902a9eace229d519ec6362dbb8e39b44ffc9078584f535671be6d368981f",
"8e22725756fa567c86170d3601228bbe623b9c5b0c4846c546318efd2ac8a6e3",
"76e63d28e91d3aa176e49b89d8d862a45260c55ebf606eba741b6eb85d6a7b6b",
"72ea3fa91e6bde264be6dfff75a30f15cb0fc43d9884ed4491b16ea4a3a37d9d",
"a14919060ef3cfe9d451a515f9780c1b9101ead1cede6d61ca241e970ac164d2",
"4d313e1903c594d66214d749b5b9dbf1c454180e14bccf9b9c565f55e4c1d1ae",
"017100b1694d55b950f2236746093c20fdb6006a0b691c88ae0f21f351c081c3",
"0ba83b48a3461e5ae22830e900835407ab452107732ab9be7b1e4f134d643522",
"f2d53031fc3039015aa7c34298298b638e96877390d600f31ef7569ee98319a3",
"b82530d4af21c7fcceda0c5dcea81aacbaeefdfd7aca7119045f8db376614bf0",
"9e5166e2f954e1b25116893862971dd4ad95fa78026f9f1829e01e1fd0cca7c8",
"2de4dda71d00730844974774c2c64ccc7caa57a35de4eec3d82abdf7e506c8d2",
"ef4824323c499c133f3a4397c146954c398d0b381eff86f4559dd579d070b266",
"71431fa7b66f8132453e18e3a5f8ef0af3ca079a7793f828df06fdb5d7bd915d",
"2dd5473736ef51e4340cae005e3fc8cdf0e42ec649bc6ed186484a79be409928",
"95e0884b5189c40e0e683a402a5fcfa19cad69bad68ebff545a0f2043c655ea6",
"7c0e2bf947100fdae4c8b199b0f9eceae852b74d2cd3447d55f10315201bc773",
"9efbbc9a75ea2db490103f9cdaed8ab2ba886f1d631c06100e92316711be5758",
"97beb2cd8214f08a030aee0d5afcd410162d99673619bdf22012766bfeff2cc6",
"a5767dc1924e3252d8044221f7e0979588b331e62ac28c22a799b528dc353bc2",
"277ebcbe690e868a050784be127178e6cf5e9dbb181731f2b92dfdbcfd42ca20",
"4ecd2ab6285066d5158f60c8ca3d99b3817bd66dc394c3f51b20d0a232b5af65",
"f86ac130feb3c63659c8ae113f51c0cda74338732999386f82b095f9e1f95906",
"4db7d6ae535eb6315e1005137344664cab341555ada9b073644bdea53070e628",
"2755917bc52bde476305cd442f91a8e3966e4d199d3b2b584211c4ff674e2c7b",
"e163697b981c317982c2633872259004bb33df6d08f7561dac3832e05ca9e36c",
"a19aa1cd7ecb9ca3f1fd0e118fffd0d673fba404ced8c39c2e210a63b70f9c15",
"e22abc9af328d063e652f0829819124a6a748c224bc8b10f98473f87cda2c0cd",
"0f8baaf17a067fedac75cac6dfebec35b45bf392a7569c413d6007e73d830059",
"7539c3006438fd251dc022d3c56bfc7fdc0e022cbc19e932d3cc072516db6da7",
"8588631118f8e613bf09029f08592102bd7d1b4b0444916c735c70b157a34ce7",
"1c13c9efb697320aab6b33cf6884e8509a19d976c92ff2505fab87ca775be073",
"1b525bacf4965e39694459c6ba209da41d0176d14da72530e1e362fa445a33a5",
"218897b54072d18f6f75c856039f8b1dd095809688bf1d7d39977154940330f4",
"e2c84b3a0f0e700a7acc651210680c1e5033a5046082220a321ec69222edc7dc",
"51454878c3c3bece8e8f77ef2d88e750c18a74e47f5784180167bb1f50f55329",
"b8bc370b76653c194caf32450056030be580b9fa97348fb31b2e2e61ee8d2393",
"3095c6601e0a6f1eacb5828cc1489bf15bc6acb4de5c9ea651a78e16911ce175",
"337bef6f2d6473062afef3c3c027a24887278fbe2753c0964efb692518264e2a",
"61c3077b989e272117167c90fc35e7f06bea4f992f3395b40ccee083d7258082",
"49d2531893b09cb6a8e3429ca0a734e871a2d96fa2575c0eec3229d383fa233a",
"4824db4c50bdc0dcca2db4fca67aa3e7235060fb794761ea143c21e1136ef63c",
"88405138ea0afcd92f372ef2342761b79506589249432ef2bed42d539a99a670",
"eff5b83aa6af84d6f3fec8ce942805ec3e1e049cde5f04bc0fdaed27d2a0e5e2",
"1ef313b6520b7b207e51ee5d7b0a85e4e71241bad7d7800ab52cd8084f5cda47",
"0657588bdd69bac2ea420aa3147f0b6079d5e9728b6f5d972796c312264f51bb",
"f05411befd0aa4ba5f8362ceb4a1d6466c012f3329b1ec16bdc5a5a7d6b24f23",
"70a5ddb9edb8e87f469bfd6933867ae7820594dde7fe7eab682c81b1cbfd699d",
"92c017802cd6918b0c3f3de1feeb8790e559978ca817b699f446c8464b3c962f",
"2c80ad3d6d9f77c87e1243526a7907fb244aae45fa87f6bffaadbc7c0563a24b",
"8c9f5521774fe22b695df52b0d22c2dd06f5cdd68bad9f826058b038bf612f4c",
"32aa12d3c9521477a5a1e086e400ec0f77f8a97a8190806a0f1953688b883cfb",
"8117c82a3821965d92ee3f9f3ae10efcd602bd4b6e52a2fe957d70aafe479744",
"79a3922dd444c6e10542d7cc42633baf51f8900f989d38df8661760ccbc9a2ab",
"d2e5536c2f78327181caed22ee3cb4bbd4722f2b8b4e0576c1dbcc2fed4649b4",
"0d3334121e3d531f473ee66eff759e6be5851a91e269650b1fe4fc21665a70a1",
"c2bc87f6d37f02ebef0cbdfc2ebcd355ad1a3d14edebe795b4318897cf8751cc",
"e21071fa2823c92f83d6e4a3cca164b47c3aa43213baa1accc17a460484e0aee",
"850dd98eb813934b05b12f2a27e66c4776059f97175f36691c35624bfd58464c",
"1640a5dd716052821b990faaee1df720a4c6f982fda3860e792b341d5917c352",
"cd4a9f4162c01ef8ceb4f7cc0405d427657f87f6115eab2e1186c6f7d27e3a33",
"97f92119fe0decae3754fe442f296f51205909e37c4677ee2458d31e35dbbd38",
"9e3d7a56c194cd1a1de22cfc3b1cc6893edc3e00657c6249e973b692bea970fd",
"05abc57952974d08feafa399d6fdb37945a3fd0a10f37833dd837a5788e421d5",
"c6d1e5aacbf69aa18df4caf1346fd69638491a5ad0085729bae91c662d1c62bb",
"374b9e6548a574c9dd6b5a8bea50b14f1e26fea9aec28f60c3700e5a4c2bcfe1",
"cf2390328d7c8c7089bd8436d8a8a8d2c7a79893e9af4e260d86cb2c77df3875",
"0d08f428ac33235f6f8b694b9c9967023f222a22542e2a5c9ffc2a595f3f9a4a",
"4c39fb2fda14a1babccac65513d3ef3d919c29d9f8a40fd285e76283becd51f3",
"97b7c8c37a4daff1c87956b614de44a57fd12bee9a2b3c889e6dee216444d454",
"e49625d1b030d952af4b5bff84d87d7eee0f0da054082432b7a30801cc7a2421",
"591f2fb7e48ffbc0e3bb781c2a3fde7632fded09faf5c1084e3d74634335189f",
"372bd3a9b15566af7793df86212a5c213739bd57e1b09ab007a1e00ce4de555b",
"a08a9e4d6a3610f11f1961c4c07bd0ad85b04a47aa46d96b684ac5d2a63237f5",
"45ccf07041b98ee6516a205f87ac2ca571da147ff0541e05edca1c2decda1cd9",
"179613870a9ffc646b77918701481c8ffdae1c82e06cbc7ea7d42af3d1c9e5e2",
"49852273a3e98ad1266a5bb7cd056e1154cc6d14e7c2a6e308ae95f355ca10cf",
"653766823529776e8b4ceee051a8a987f700de62767bd34b4a6709991b019644",
"26e480873fc2bdf39eaedf936bcaae75430089d802381abad2589060c0ef703d",
"ae1875370fc357e9db15807c12ae78a5dcfffd5e0416f2db10ff29036069d85a",
"6a12436a1923df22aa5281169d27f04d4453042bef1641eb301a0845d570cf22",
"f7e142f0be7bb15801078311629b265f72e96942a9891e398ce3fd1ead841c63",
"cd1e3863452cb6ce28749d9f0c18eb258672ba625571e0e7bb20088947988b36",
"6c999c2b2e2dd99886bb390ea463d0bf758a343ddd416e9097f265786031a881",
"5506079a5b372524f72a31ed6df807fe866681262cc8084965d092b02cd72945",
"03d154b8aaa8c51883d03c9a4e530412ee9669ab9efa761a1739603ae755c8d3",
"5c310edfff1c6beb117f173cb59e27a6f589aaecbb6dd5312d5f6f69877a44f9",
"e1df78704001bba1a3d343f62a1242a4484ff6ad269170714263c03b802eb0b1",
"7094a07167648628e47249a16d9d6db922e5aa1255ac4322a2e4900d233372dd",
"2a480885cea729fc3a9b2e7ff28945b0570da6ad59a4046159bda9be76a8e453",
"1976a4f473ca8025572652542c28ec80226d503c6fc5187e31ee826f9947bff1",
"bbe1761c26529cff1bf82a8b50e19c309cd2629fea568605733755e03660f6c8",
"099e160fc980b693d0f8178ae079d80173876c36285f064b1c67c25988c81ea9",
"47e6dc4b4362cc727a1a89a021d3529dbcb9c6645fa6c3af3b5d88d2187bcb6e",
"fb006e93b68815fa06d55eb65370cb819cc9281403ff53bf879c3335bc2582ce",
"8d9f7962ed248b61de44d6b45f2954b02742744456ca6faea843dd2ed461e57e",
"8f4541f624d078175977b96d049e4591afdd9defd4227d594c9a1fdb73ead421",
"ecaea0b9a8a99d6a8d60f4010b7a52aa29a70ac963399db1106978161e03b242",
"85ea19609edb04ba320380fe81cde1e236a495633ba72c74734022d96efc8e1c",
"69020ccd2dae9cc6c613460f41884a29d4c7bf21cc55e09a559cb4afdea47e0c",
"06c42ea6edbbc2c1ffa74d5c3355ced51616896f41aee66372bfb55eb54ae68f",
"e800e62c4eae095d47259111e953c618f09fe69fa4584db63ea220e095900c0a",
"e3ead074b4052966f98f6d95291dd86dd877bd1b5a94aacdd384b499a89e3127",
"88c77fe2cac787de88ac6d0bbf39c529303c9d8982bdbfb72db6a08a400203fe",
"dd03354d4fe0ea2136bbb0bfa256198e44d68d68f82f015d44cd9072483c8bfa",
"19c4bf99be07a08365888c78fee938524fba35337c661c25bec5b2150d4b46b1",
"02914d44dbec415178cf51ddbe7997b681bd976949c0ddb5bce5c85113cd348d",
"b297bac59da6c814ee6f950597041bbaba6a7e2943396bc1c7c4e90e8d0cb4db",
"f52767b8082b0ce6600eec1a36e9157c346fcf60c16cee059d18f30bf56dc17e",
"96d39a00d8264ba652a519063313cf3f9f3a1e6cb99f74c7e9c3cecd9ffae989",
"3e1b4bf90d1a12fe7743784fdf79136a41ed3cf5d74283512e6de71eff21b8bd")
| project-reorder Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessCommandLine

Antivirus blocked actions:

DeviceEvents
| where FileName =~ "GUP.exe" or InitiatingProcessFileName =~ "gup.exe"
| where ActionType == "AppControlExecutableBlocked" or ActionType == "AntivirusReport"

Conclusion

Here we have a perfect example of the logic of defense in depth. The infrastructure logs are not enough to detect all cases, and the endpoint logs are not enough either.

But we can directly see the impact of a badly secured infrastructure. Without SSL inspection at the proxy level, you don't get the full URI, user agent, filename or file hash from proxy logs.

With only simple URL filtering on a firewall, you lose a lot of information.

The logging system, log retention, log parsing and search capabilities are critical in such a case.

We hit a very problematic log retention limit on solutions like MS Defender. In our case, our proxy logs are very complete, so we can search in them. But... we have 1.5 TB/day of proxy logs, and a 6-month search over such a volume takes ages.
