Potential Notepad Markdown RCE Exploitation

Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a Notepad markdown parsing vulnerability (CVE-2026-20841) that can lead to arbitrary code execution.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/02/16"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/03/24"

[rule]
author = ["Elastic"]
description = """
Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a
Notepad markdown parsing vulnerability (CVE-2026-20841) that can lead to arbitrary code execution.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-windows.sysmon_operational-*"
]
language = "eql"
license = "Elastic License v2"
name = "Potential Notepad Markdown RCE Exploitation"
note = """## Triage and analysis

### Investigating Potential Notepad Markdown RCE Exploitation

This rule detects a new child process launched by `notepad.exe` when Notepad was opened with a Markdown (`.md`) file.
This behavior can indicate exploitation of a Notepad remote code execution vulnerability where crafted Markdown content
triggers unintended process execution.

### Possible investigation steps

- Validate the parent-child relationship and confirm `notepad.exe` is the direct parent of the suspicious process.
- Review the full command line of both parent and child processes, including the Markdown file path in `process.parent.args`.
- Identify the Markdown file source (email attachment, browser download, chat client, removable media, or network share).
- Inspect process ancestry and descendants for additional payload execution, script interpreters, or LOLBIN activity.
- Correlate with file, registry, and network events around the same timestamp to identify follow-on behavior.
- Determine whether the child process and its execution path are expected in your environment.

### False positive analysis

- Legitimate automation or editor extensions may occasionally spawn helper processes from Notepad workflows.
- User-driven workflows that invoke external tools from Markdown previews can trigger this behavior.
- If benign, tune by excluding known-safe child process names, hashes, signed binaries, and approved file paths.

### Response and remediation

- Isolate affected endpoints until scope is understood.
- Terminate suspicious child and descendant processes initiated from `notepad.exe`.
- Quarantine and preserve the triggering Markdown file for forensic analysis.
- Run endpoint malware scans and collect volatile artifacts (running processes, network connections, autoruns).
- Patch Windows/Notepad to the latest security update level addressing the vulnerability.
- Hunt for the same parent-child pattern across other hosts to identify additional impacted systems.
"""
references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841"]
risk_score = 73
rule_id = "7f3521dd-fb80-4548-a7eb-8db37b898dc2"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : "notepad.exe" and process.parent.args : "*.md" and
  not process.executable : "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_*\\Notepad\\Notepad.exe"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"

[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"

[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
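To make the query's three conditions concrete, here is an added Python emulation of the EQL predicate (not Elastic's code) run over constructed ECS-style process events. It shows that the parent-args clause matches any argument ending in .md (case-insensitively, as EQL's `:` operator does), and that the exclusion only drops the Store-packaged Notepad relaunching itself; the WindowsApps package version in the sample is a placeholder.

```python
import fnmatch
from typing import Any, Dict, List

# Path pattern the rule excludes: the Store-packaged Notepad spawning itself.
NOTEPAD_STORE_EXE = r"C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_*\Notepad\Notepad.exe"

def _match(value: str, pattern: str) -> bool:
    """Emulate EQL's ':' operator: case-insensitive, whole-string, '*' wildcard."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def rule_matches(event: Dict[str, Any]) -> bool:
    """True when an ECS-style process event satisfies the rule's EQL predicate."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if not _match(event.get("process.parent.name", ""), "notepad.exe"):
        return False
    # 'process.parent.args : "*.md"' holds if ANY parent argument matches.
    if not any(_match(a, "*.md") for a in event.get("process.parent.args", [])):
        return False
    # 'not process.executable : <store path>' drops Notepad's own relaunch.
    return not _match(event.get("process.executable", ""), NOTEPAD_STORE_EXE)

def flag_events(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events the rule would alert on."""
    return [e for e in events if rule_matches(e)]

def _ev(child_exe: str, parent_args: List[str], **over: Any) -> Dict[str, Any]:
    """Build a constructed sample event; keyword overrides replace individual fields."""
    e = {"host.os.type": "windows", "event.type": "start",
         "process.parent.name": "notepad.exe", "process.parent.args": parent_args,
         "process.executable": child_exe, "process.name": child_exe.rsplit("\\", 1)[-1]}
    e.update(over)
    return e

# Constructed sample telemetry (not real data): one true positive, then three non-matches.
SAMPLE_EVENTS = [
    _ev(r"C:\Windows\System32\cmd.exe", ["notepad.exe", r"C:\Users\alice\Downloads\README.md"]),
    _ev(r"C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_PLACEHOLDER_x64__PLACEHOLDER"
        r"\Notepad\Notepad.exe", ["notepad.exe", r"C:\Users\alice\Downloads\README.md"]),
    _ev(r"C:\Windows\System32\cmd.exe", ["notepad.exe", r"C:\Users\alice\notes.txt"]),
    _ev(r"C:\Windows\System32\cmd.exe", ["notepad.exe", r"C:\tmp\README.md"], **{"event.type": "end"}),
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(f"ALERT: {hit['process.name']} spawned by notepad.exe, parent args {hit['process.parent.args']}")
```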
