Query Details

Notepad Chrysalis Backdoor Gupexe Detection

Query

// Reference: https://medium.com/capturedsignal/notepad-security-incident-threat-hunting-using-kql-and-defender-for-endpoint-logs-dd83b984fcc6
// Credit goes to Bartosz Turek
let AllowedRemoteUrls = dynamic([
    "notepad-plus-plus.org",
    "github.com",             // assumption that malware was not hosted on github
    ".githubusercontent.com", // assumption that malware was not hosted on github
    "sourceforge.net",        // assumption that malware was not hosted on sourceforge
    "globalsign.com"          // cert signing logs
]);
DeviceNetworkEvents
| where TimeGenerated > todatetime('2025-06-01T00:00:00.00Z') // "The incident began from June 2025"
| where InitiatingProcessCommandLine startswith '"gup.exe"' // strict match: a full-path or unquoted launch of gup.exe will not match
| where not(RemoteUrl has_any (AllowedRemoteUrls)) // an empty RemoteUrl (connection straight to an IP) is kept
| where RemoteIPType <> "Loopback"
| where isnotempty(RemoteIP)
| extend IPGeoLocation = geo_info_from_ip_address(RemoteIP) // adding geolocation context
| extend RemoteIPLocation = tostring(IPGeoLocation.country)
| project-reorder TimeGenerated, DeviceName, ActionType, InitiatingProcessCommandLine, InitiatingProcessFolderPath, RemoteIP, RemoteUrl, RemoteIPLocation, RemotePort

Explanation

This KQL (Kusto Query Language) query runs against the DeviceNetworkEvents table and flags network connections made by the Notepad++ updater, gup.exe, that do not go to its expected update and download destinations, scoped to the incident that began in June 2025. Here is a breakdown of what the query does:

  1. Allowed Remote URLs: It defines a list of domains treated as expected for the updater: notepad-plus-plus.org, github.com, githubusercontent.com, sourceforge.net and globalsign.com. The comments in the query make the assumption explicit: the hunt assumes the malicious payload was not hosted on GitHub or SourceForge, so traffic to those domains is ignored. If that assumption turns out to be wrong, those exclusions need to be revisited.

  2. Filter by Date: It keeps only events with a TimeGenerated after 2025-06-01T00:00:00Z, the start of the incident window.

  3. Filter by Process: It keeps events whose InitiatingProcessCommandLine starts with the quoted string "gup.exe". This is a strict match: an updater launched with its full path, or without quotes, will not match, so widen the filter on the initiating process file name if you want every instance of the binary.

  4. Exclude Allowed URLs: It drops events whose RemoteUrl contains any of the allowlisted domains. Events with an empty RemoteUrl (connections straight to an IP address) are kept, which is what you want, since a backdoor beaconing to a raw IP is exactly the case of interest.

  5. Exclude Loopback IPs: It drops events where RemoteIPType is "Loopback", i.e. the process talking to something on the same machine.

  6. Check for Non-Empty IPs: It requires RemoteIP to be populated, so that every surviving row describes a real remote endpoint that can be geolocated and pivoted on.

  7. Add Geolocation: It enriches RemoteIP with geo_info_from_ip_address and pulls the country out into RemoteIPLocation, giving quick context on where each connection went.

  8. Reorder Columns: project-reorder moves the most useful fields (time, device, action type, initiating command line and folder path, remote IP, URL, country and port) to the front of the result set; it does not drop any columns.

Overall, the query surfaces connections from gup.exe that fall outside its known-good destinations. The results are leads, not verdicts: check each row's initiating folder path and the reputation of the remote IP before treating it as malicious.
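The same filter chain, as an added Python example that is not the page's or the query author's code: it replays the query's where-clauses over a handful of constructed DeviceNetworkEvents-style records (TEST-NET addresses and .example hosts, not real telemetry) so you can see which rows survive and why, including two edge cases worth knowing about: a direct-to-IP connection with an empty RemoteUrl is kept, and a gup.exe launched with its full path is missed by the strict startswith match. The suffix-based allowlist match and the loopback check are assumptions standing in for Kusto's has_any and the RemoteIPType column.

```python
"""Offline replay of the gup.exe hunting query's filter stages.

Added example, not the query author's code: it re-implements the where-clauses
(time window -> process match -> allowlist -> loopback / empty-IP exclusion)
over constructed DeviceNetworkEvents-style records so the logic can be tested.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address
from urllib.parse import urlsplit

# Copy of the query's allowlist.
ALLOWED_REMOTE_URLS = [
    "notepad-plus-plus.org",
    "github.com",
    ".githubusercontent.com",
    "sourceforge.net",
    "globalsign.com",
]
INCIDENT_START = datetime(2025, 6, 1, tzinfo=timezone.utc)

@dataclass
class NetEvent:  # the DeviceNetworkEvents columns the filters touch
    time_generated: datetime
    device_name: str
    cmdline: str      # InitiatingProcessCommandLine
    remote_ip: str    # RemoteIP, "" when not populated
    remote_url: str   # RemoteUrl, "" for raw-IP connections
    remote_port: int

def hostname_of(remote_url: str) -> str:
    """RemoteUrl may be a bare host or a full URL; normalise to a lowercase host."""
    if "://" in remote_url:
        return (urlsplit(remote_url).hostname or "").lower()
    return remote_url.split("/")[0].lower()

def url_allowed(remote_url: str, allowlist=ALLOWED_REMOTE_URLS) -> bool:
    """Approximation of `RemoteUrl has_any (AllowedRemoteUrls)`.

    Assumption: an entry matches when the host equals it or is a subdomain of
    it, which is the allowlist's intent. Kusto's has_any matches on indexed
    terms, so confirm the exact behaviour against live data.
    """
    host = hostname_of(remote_url)
    if not host:
        return False  # raw-IP connection: never allowlisted, stays in results
    for entry in allowlist:
        suffix = entry.lower().lstrip(".")
        if host == suffix or host.endswith("." + suffix):
            return True
    return False

def is_loopback(remote_ip: str) -> bool:
    """Stand-in for RemoteIPType == "Loopback"."""
    try:
        return ip_address(remote_ip).is_loopback
    except ValueError:
        return False

def hunt(events: list[NetEvent]) -> list[NetEvent]:
    """Apply the query's where-clauses in order; return the surviving events."""
    hits = []
    for ev in events:
        if ev.time_generated <= INCIDENT_START:
            continue
        # Mirrors startswith '"gup.exe"': only a quoted, path-less launch matches.
        if not ev.cmdline.startswith('"gup.exe"'):
            continue
        if url_allowed(ev.remote_url):
            continue
        if not ev.remote_ip or is_loopback(ev.remote_ip):
            continue
        hits.append(ev)
    return hits

def _ts(day: int, month: int = 6) -> datetime:
    return datetime(2025, month, day, 12, 0, tzinfo=timezone.utc)

# Constructed sample telemetry (TEST-NET addresses and .example hosts, not real data).
SAMPLE_EVENTS = [
    # Expected update check to an allowlisted domain: filtered out.
    NetEvent(_ts(10), "WS01", '"gup.exe" -v8.8.1', "203.0.113.10", "notepad-plus-plus.org", 443),
    # Download from a subdomain of an allowlisted entry: filtered out.
    NetEvent(_ts(10), "WS01", '"gup.exe" -v8.8.1', "203.0.113.11", "https://raw.githubusercontent.com/x/y", 443),
    # Connection straight to an IP with no RemoteUrl: kept.
    NetEvent(_ts(12), "WS02", '"gup.exe"', "198.51.100.23", "", 443),
    # Look-alike domain that merely contains "github.com": kept.
    NetEvent(_ts(13), "WS03", '"gup.exe"', "198.51.100.40", "github.com.example", 80),
    # Loopback traffic: filtered out.
    NetEvent(_ts(13), "WS03", '"gup.exe"', "127.0.0.1", "", 8080),
    # Before the incident window: filtered out even though otherwise suspicious.
    NetEvent(_ts(20, month=5), "WS04", '"gup.exe"', "198.51.100.50", "", 443),
    # Full-path launch: suspicious destination, but the strict startswith misses it.
    NetEvent(_ts(14), "WS05", r'"C:\Program Files\Notepad++\updater\gup.exe"', "198.51.100.60", "", 443),
    # Unknown host: kept.
    NetEvent(_ts(15), "WS06", '"gup.exe" -unzipTo', "198.51.100.77", "updates.example", 443),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(ev.time_generated, ev.device_name, ev.remote_ip, ev.remote_url or "<raw IP>", ev.remote_port)
```

Running it prints the three surviving rows (WS02, WS03 and WS06). The WS05 row is the one to notice: its destination is just as suspicious as the others, but the quoted-name-only command-line match drops it, which is the coverage gap a file-name based filter on gup.exe would close.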

Details


Jay Kerai

Released: February 3, 2026

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, TimeGenerated, InitiatingProcessCommandLine, RemoteUrl, RemoteIPType, RemoteIP, IPGeoLocation, RemoteIPLocation, RemotePort, DeviceName, ActionType, InitiatingProcessFolderPath

Operators

let, dynamic, where, todatetime, startswith, not, has_any, <>, isnotempty, extend, geo_info_from_ip_address, tostring, project-reorder
