Add Notepad++ hunting queries

[stanfrbd]

Hello,
I found a lot of KQL queries for Notepad++ incident but no CQL.
I may implement them, but if someone was faster please let me know :)

https://notepad-plus-plus.org/news/hijacked-incident-info-update/

https://socradar.io/blog/notepad-infrastructure-hijacked/

https://medium.com/capturedsignal/notepad-security-incident-threat-hunting-using-kql-and-defender-for-endpoint-logs-dd83b984fcc6 => lots of KQL

[stefansec]

Hi @stanfrbd,

We’d definitely appreciate any CQL contributions you come up with, feel free to open a PR if you implement some of the KQL hunts in CQL.

On our side, we’re currently testing a few existing / adapted CQL queries around the Notepad++ incident and related infrastructure. We’re also keeping an eye on community intel, including the CrowdStrike subreddit and threads like this one:
https://www.reddit.com/r/crowdstrike/comments/1qv0zvr/hunting_potentially_compromised_notepad_installs/

Thanks again for jumping on this!

[Aamir-Muhammad]

i have issued Notepad++ threat hutning query, you are more than welcome to post / use it.