Potential Notepad Markdown RCE Exploitation

Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a Notepad markdown parsing vulnerability (CVE-2026-20841) that can lead to arbitrary code execution.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/02/16"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/02/16"

[rule]
author = ["Elastic"]
description = """
Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a
Notepad markdown parsing vulnerability (CVE-2026-20841) that can lead to arbitrary code execution.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-windows.sysmon_operational-*"
]
language = "eql"
license = "Elastic License v2"
name = "Potential Notepad Markdown RCE Exploitation"
note = """## Triage and analysis

### Investigating Potential Notepad Markdown RCE Exploitation

This rule detects a new child process launched by `notepad.exe` when Notepad was opened with a Markdown (`.md`) file.
This behavior can indicate exploitation of a Notepad remote code execution vulnerability where crafted Markdown content
triggers unintended process execution.

### Possible investigation steps

- Validate the parent-child relationship and confirm `notepad.exe` is the direct parent of the suspicious process.
- Review the full command line of both parent and child processes, including the Markdown file path in `process.parent.args`.
- Identify the Markdown file source (email attachment, browser download, chat client, removable media, or network share).
- Inspect process ancestry and descendants for additional payload execution, script interpreters, or LOLBIN activity.
- Correlate with file, registry, and network events around the same timestamp to identify follow-on behavior.
- Determine whether the child process and its execution path are expected in your environment.

### False positive analysis

- Legitimate automation or editor extensions may occasionally spawn helper processes from Notepad workflows.
- User-driven workflows that invoke external tools from Markdown previews can trigger this behavior.
- If benign, tune by excluding known-safe child process names, hashes, signed binaries, and approved file paths.

### Response and remediation

- Isolate affected endpoints until scope is understood.
- Terminate suspicious child and descendant processes initiated from `notepad.exe`.
- Quarantine and preserve the triggering Markdown file for forensic analysis.
- Run endpoint malware scans and collect volatile artifacts (running processes, network connections, autoruns).
- Patch Windows/Notepad to the latest security update level addressing the vulnerability.
- Hunt for the same parent-child pattern across other hosts to identify additional impacted systems.
"""
references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841"]
risk_score = 73
rule_id = "7f3521dd-fb80-4548-a7eb-8db37b898dc2"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : "notepad.exe" and process.parent.args : "*.md"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
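The EQL query above is short, so it helps to see exactly which events it fires on and how the allowlist tuning from the false-positive section fits around it. The following Python is an added example, not Elastic's code or part of the rule: it replays the rule's four conditions over a handful of constructed ECS-style process events (the `:` operator in EQL is a case-insensitive, wildcard-aware match, and `process.parent.args` is an array field, so any argument ending in `.md` satisfies it), then drops matches whose child name and executable path are on a constructed known-safe list. The event dicts, the allowlist entry and the function names are all assumptions made for the demonstration.

```python
"""Replay the 'Potential Notepad Markdown RCE Exploitation' EQL logic.

Added example (not the rule's own code). Mimics:

    process where host.os.type == "windows" and event.type == "start" and
      process.parent.name : "notepad.exe" and process.parent.args : "*.md"

over flat ECS-style dicts, then applies an allowlist exception of the kind the
triage note suggests (known-safe child names / paths).
"""
from fnmatch import fnmatchcase
from typing import Iterable, List


def eql_match(value, pattern: str) -> bool:
    """EQL ':' operator: case-insensitive compare with * wildcards.
    Array fields match when any element matches."""
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return any(fnmatchcase(str(v).lower(), pattern.lower()) for v in values)


def rule_matches(event: dict) -> bool:
    """All four conditions of the rule's query."""
    return (
        event.get("host.os.type") == "windows"
        and event.get("event.type") == "start"
        and eql_match(event.get("process.parent.name"), "notepad.exe")
        and eql_match(event.get("process.parent.args"), "*.md")
    )


# Constructed allowlist: (child name, full executable path), both lowercased.
# A real exception would pin a hash or code-signing identity as well.
SAFE_CHILDREN = {
    ("winword.exe", r"c:\program files\microsoft office\root\office16\winword.exe"),
}


def is_allowlisted(event: dict) -> bool:
    key = (
        str(event.get("process.name", "")).lower(),
        str(event.get("process.executable", "")).lower(),
    )
    return key in SAFE_CHILDREN


def alerting_children(events: Iterable[dict]) -> List[str]:
    """Child process names that survive both the query and the allowlist."""
    return [e["process.name"] for e in events
            if rule_matches(e) and not is_allowlisted(e)]


def _ev(os_type, ev_type, parent, parent_args, child, child_exe):
    return {"host.os.type": os_type, "event.type": ev_type,
            "process.parent.name": parent, "process.parent.args": parent_args,
            "process.name": child, "process.executable": child_exe}


NOTEPAD = r"C:\Windows\System32\notepad.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: parent opened a .md file and spawned cmd.exe -> alert
    _ev("windows", "start", "notepad.exe", [NOTEPAD, r"C:\Users\a\Downloads\README.md"],
        "cmd.exe", r"C:\Windows\System32\cmd.exe"),
    # 2: same shape but a .txt file -> no match
    _ev("windows", "start", "notepad.exe", [NOTEPAD, r"C:\Users\a\notes.txt"],
        "cmd.exe", r"C:\Windows\System32\cmd.exe"),
    # 3: mixed case parent name and extension -> still matches (':' is case-insensitive)
    _ev("windows", "start", "NOTEPAD.EXE", [NOTEPAD, r"C:\tmp\Notes.MD"],
        "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # 4: wrong OS -> no match
    _ev("linux", "start", "notepad.exe", ["notepad.exe", "x.md"], "sh", "/bin/sh"),
    # 5: process end, not start -> no match
    _ev("windows", "end", "notepad.exe", [NOTEPAD, r"C:\tmp\a.md"],
        "cmd.exe", r"C:\Windows\System32\cmd.exe"),
    # 6: query matches, but the child is on the constructed allowlist -> suppressed
    _ev("windows", "start", "notepad.exe", [NOTEPAD, r"C:\docs\spec.md"],
        "WINWORD.EXE", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
]

if __name__ == "__main__":
    for name in alerting_children(SAMPLE_EVENTS):
        print("ALERT: notepad.exe ->", name)
```

Events 3 and 6 are the two worth studying when tuning: the first shows why exclusions must also be case-insensitive, and the second shows that an allowlist keyed only on name and path is easy to satisfy with a renamed binary, which is why the triage note pairs names and paths with hashes and signer checks.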
