Notepad Chrysalis Backdoor Spawned Binaries Network Connections Correlation
Query
//Credit: https://medium.com/capturedsignal/notepad-security-incident-threat-hunting-using-kql-and-defender-for-endpoint-logs-dd83b984fcc6
//Credit to: Bartosz Turek
DeviceProcessEvents
| where TimeGenerated > todatetime('2025-06-01T00:00:00.00Z') // "The incident began from June 2025"
| where InitiatingProcessCommandLine startswith '"gup.exe"'
| project-reorder TimeGenerated, DeviceName, ActionType, FileName, FolderPath, ProcessCommandLine, SHA1, SHA256, MD5
| where FolderPath <> "C:\\Windows\\explorer.exe"
| where FolderPath <> "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
| distinct SHA256
| join (DeviceNetworkEvents
| where TimeGenerated > todatetime('2025-06-01T00:00:00.00Z'))
on $left.SHA256 == $right.InitiatingProcessSHA256Explanation
This KQL (Kusto Query Language) query is designed to investigate a potential security incident by analyzing device process and network events. Here's a simplified breakdown of what the query does:
-
Data Source: The query starts by examining the
DeviceProcessEventstable, which contains logs of processes that have run on devices. -
Time Filter: It filters the events to only include those generated after June 1, 2025, which is when the incident is believed to have started.
-
Process Filter: It looks for processes that were initiated with a command line starting with
"gup.exe", which might be a suspicious or targeted process in this context. -
Reordering Columns: The query rearranges the columns to prioritize certain fields like
TimeGenerated,DeviceName,ActionType, etc., for easier analysis. -
Exclusion of Specific Paths: It excludes any processes that have a
FolderPathof"C:\\Windows\\explorer.exe"or"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", likely because these are considered legitimate and not part of the incident. -
Unique Identifiers: It selects distinct
SHA256hashes of the processes, which are unique identifiers for the files involved. -
Joining with Network Events: The query then joins this filtered process data with the
DeviceNetworkEventstable, again filtering for events after June 1, 2025. It matches records where theSHA256hash from the process events corresponds to theInitiatingProcessSHA256in the network events.
Overall, this query is used to correlate process execution data with network activity to identify potentially malicious behavior related to the "gup.exe" process starting from June 2025, while excluding known safe processes.
Details

Jay Kerai
Released: February 3, 2026
Tables
Keywords
Operators