diff --git a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
new file mode 100644
index 00000000000..80b1c3e4e80
--- /dev/null
+++ b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
@@ -0,0 +1,26 @@
+title: DNS Query Request To OneLaunch Update Service
+id: df68f791-ad95-447f-a271-640a0dab9cf8
+status: experimental
+description: |
+ Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application.
+ When the OneLaunch application is installed it will attempt to get updates from this domain.
+references:
+ - https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf
+ - https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
+ - https://malware.guide/browser-hijacker/remove-onelaunch-virus/
+author: Josh Nickels
+date: 2024/02/26
+tags:
+ - attack.collection
+ - attack.t1056
+logsource:
+ category: dns_query
+ product: windows
+detection:
+ selection:
+ QueryName: 'update.onelaunch.com'
+ Image|endswith: '\OneLaunch.exe'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: low
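Review bot: The ATT&CK tags `attack.collection` / `attack.t1056` (Input Capture) do not describe what the selection detects — a DNS lookup of an adware update domain issued by OneLaunch.exe — and nothing in the description or the three references is cited for keylogging or input capture, so the mapping should either be revised to a technique the references actually support or the description should state the input-capture behaviour the tag rests on. The selection also ANDs `QueryName: 'update.onelaunch.com'` with `Image|endswith: '\OneLaunch.exe'`, so the same lookup from any other OneLaunch component or from a renamed copy of the binary is not matched; if the domain alone is considered a sufficient indicator, a second selection on the domain without the image constraint, or a sentence in `falsepositives` explaining why the image is required, would make that intent explicit. Because the image filter already pins the rule to the adware's own executable, `falsepositives: Unlikely` is consistent, but `level: low` then deserves a short justification in the description so analysts know a hit is a confirmed PUA presence rather than a weak signal.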