DNS Query Request To OneLaunch Update Service
Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.
Sigma rule
title: DNS Query Request To OneLaunch Update Service
id: df68f791-ad95-447f-a271-640a0dab9cf8
status: test
description: |
    Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application.
    When the OneLaunch application is installed it will attempt to get updates from this domain.
references:
    - https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf
    - https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
    - https://malware.guide/browser-hijacker/remove-onelaunch-virus/
author: Josh Nickels
date: 2024-02-26
tags:
    - attack.collection
    - attack.t1056
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName: 'update.onelaunch.com'
        Image|endswith: '\OneLaunch.exe'
    condition: selection
falsepositives:
    - Unlikely
level: low
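The selection block above requires both fields to match: the queried name must equal update.onelaunch.com and the querying process image must end with \OneLaunch.exe. The following is an added example, not part of the rule or the SigmaHQ project, that applies that logic to constructed Sysmon Event ID 22 (DnsQuery) records so the AND behaviour and Sigma's default case-insensitive matching can be seen on sample data; the field names QueryName and Image follow the windows/dns_query log source, and the sample events are constructed.

```python
# Added example (not part of the Sigma rule or the SigmaHQ project): evaluates the
# rule's selection logic over constructed Sysmon Event ID 22 (DnsQuery) records.
# Field names follow the Sigma windows/dns_query log source (QueryName, Image);
# the sample events below are constructed, not real telemetry.

RULE_QUERY_NAME = "update.onelaunch.com"
RULE_IMAGE_SUFFIX = "\\OneLaunch.exe"


def matches_onelaunch_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection' block.

    Sigma string matching is case-insensitive by default, so both fields are
    compared after lower-casing. Both conditions must hold, because keys inside
    one selection map are ANDed together.
    """
    query_name = str(event.get("QueryName", "")).lower()
    image = str(event.get("Image", "")).lower()
    return (
        query_name == RULE_QUERY_NAME.lower()
        and image.endswith(RULE_IMAGE_SUFFIX.lower())
    )


# Constructed sample records in the shape a Sysmon DnsQuery event is commonly
# normalised to (only the fields the rule consumes plus EventID for context).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": "C:\\Users\\alice\\AppData\\Local\\OneLaunch\\OneLaunch.exe",
     "QueryName": "update.onelaunch.com"},            # both conditions hold
    {"EventID": 22, "Image": "C:\\Users\\alice\\AppData\\Local\\OneLaunch\\OneLaunch.exe",
     "QueryName": "www.example.com"},                 # same binary, unrelated lookup
    {"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "QueryName": "update.onelaunch.com"},            # domain hit but wrong process
    {"EventID": 22, "Image": "C:\\Users\\bob\\AppData\\Local\\OneLaunch\\ONELAUNCH.EXE",
     "QueryName": "UPDATE.ONELAUNCH.COM"},            # case differences still match
]


def find_hits(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_onelaunch_rule(e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("OneLaunch update lookup:", hit["Image"], "->", hit["QueryName"])
```

Run against the constructed records, only the first and last events match; a lookup of the domain from another process, or of another domain from OneLaunch.exe, does not trigger the rule.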