Which SIEM platforms have a CVE-2025-15556 detection rule?

df00tech provides CVE-2025-15556 (Notepad++ Download of Code Without Integrity Check (CVE-2025-15556)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Notepad++ Download of Code Without Integrity Check (CVE-2025-15556) (CVE-2025-15556)?

Detecting Notepad++ Download of Code Without Integrity Check (CVE-2025-15556) requires the following data sources: Microsoft Defender for Endpoint, Microsoft Sentinel.

What severity and confidence is the CVE-2025-15556 detection?

The CVE-2025-15556 detection is rated high severity with medium confidence.

What are common false positives for CVE-2025-15556?

Common false positives for CVE-2025-15556 include: Legitimate Notepad++ auto-updates via GUP.exe connecting to official notepad-plus-plus.org endpoints; Administrators installing Notepad++ plugins manually via the built-in plugin manager; Security tools or antivirus software spawning processes in the context of Notepad++.

CVE-2025-15556 Detection: Notepad++ Download of Code Without Integrity Check (CVE-2025-15556) (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let NotepadPlusProcesses = DeviceProcessEvents
| where FileName =~ "notepad++.exe" or InitiatingProcessFileName =~ "notepad++.exe"
| project DeviceId, DeviceName, Timestamp, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine;
let NotepadPlusNetworkEvents = DeviceNetworkEvents
| where InitiatingProcessFileName =~ "notepad++.exe"
| where RemoteUrl !has "notepad-plus-plus.org" or ActionType == "ConnectionFailed"
| project DeviceId, DeviceName, Timestamp, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine;
let SuspiciousFileWrites = DeviceFileEvents
| where InitiatingProcessFileName =~ "notepad++.exe"
| where (FolderPath contains "\\plugins\\" or FolderPath contains "\\updater\\" or FolderPath endswith ".dll" or FolderPath endswith ".exe")
| project DeviceId, DeviceName, Timestamp, FileName, FolderPath, SHA256, InitiatingProcessFileName;
let ChildProcesses = DeviceProcessEvents
| where InitiatingProcessFileName =~ "notepad++.exe"
| where FileName !in~ ("notepad++.exe", "GUP.exe", "explorer.exe")
| project DeviceId, DeviceName, Timestamp, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName;
union kind=outer NotepadPlusNetworkEvents, SuspiciousFileWrites, ChildProcesses
| summarize Count=count(), Events=make_set(pack("type", $left.RemoteUrl, "file", $left.FolderPath, "proc", $left.FileName), 10) by DeviceId, DeviceName, bin(Timestamp, 1h)
| where Count >= 1
| order by Timestamp desc

Detects suspicious behaviors associated with CVE-2025-15556: Notepad++ making unexpected network connections, writing DLL/EXE files to plugin or updater directories, and spawning unexpected child processes. These patterns indicate exploitation of the integrity-check bypass vulnerability.

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel

Required Tables

DeviceProcessEvents DeviceNetworkEvents DeviceFileEvents

False Positives

Legitimate Notepad++ auto-updates via GUP.exe connecting to official notepad-plus-plus.org endpoints
Administrators installing Notepad++ plugins manually via the built-in plugin manager
Security tools or antivirus software spawning processes in the context of Notepad++
Corporate software deployment tools updating Notepad++ installations enterprise-wide

Splunk

spl

index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=crowdstrike:events:sensor
| eval process_name=lower(coalesce(process_name, Image, ParentImage))
| eval parent_name=lower(coalesce(parent_process_name, ParentImage))
| where process_name="notepad++.exe" OR parent_name="notepad++.exe"
| eval event_type=case(
    EventCode=1 AND parent_name="notepad++.exe" AND process_name!="notepad++.exe" AND process_name!="gup.exe", "suspicious_child_process",
    EventCode=3 AND process_name="notepad++.exe", "network_connection",
    EventCode=11 AND (process_name="notepad++.exe") AND (match(TargetFilename, "(?i)\\plugins\\") OR match(TargetFilename, "(?i)\\updater\\") OR match(TargetFilename, "(?i)\.(dll|exe)$")), "file_write",
    true(), "other"
)
| where event_type IN ("suspicious_child_process", "network_connection", "file_write")
| stats count as event_count, values(event_type) as event_types, values(DestinationIp) as dest_ips, values(TargetFilename) as files_written, values(process_name) as child_procs by Computer, user, _time
| where event_count >= 1
| sort -_time

Detects Notepad++ exploitation indicators including unexpected child processes, network connections, and suspicious file writes to plugin or updater directories consistent with CVE-2025-15556 exploitation.

high severity medium confidence

Data Sources

Sysmon CrowdStrike Falcon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational crowdstrike:events:sensor

False Positives

Legitimate Notepad++ plugin installations through the official plugin manager
GUP.exe-based auto-updates connecting to official Notepad++ update servers
Enterprise patch management tools writing updated Notepad++ binaries
Security testing or red team exercises in authorized lab environments

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where process.name : "notepad++.exe" and event.type == "start"]
  [any where
    (
      /* Suspicious network connection from notepad++ */
      (event.category == "network" and process.name : "notepad++.exe" and
       not destination.domain : ("*.notepad-plus-plus.org", "notepad-plus-plus.org"))
      or
      /* Child process spawned by notepad++ */
      (event.category == "process" and process.parent.name : "notepad++.exe" and
       not process.name : ("notepad++.exe", "GUP.exe", "conhost.exe"))
      or
      /* File write to plugin or updater directory */
      (event.category == "file" and process.name : "notepad++.exe" and
       file.path : ("*\\plugins\\*", "*\\updater\\*") and
       file.extension : ("dll", "exe"))
    )
  ]

EQL sequence detection correlating Notepad++ process start with subsequent suspicious network connections, child process spawning, or plugin/updater directory file writes indicative of CVE-2025-15556 exploitation.

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-*

False Positives

Legitimate plugin manager operations downloading plugins from official sources
Auto-update mechanism (GUP.exe) performing standard version updates
Administrative scripting that invokes Notepad++ as a component
AV/EDR software intercepting Notepad++ file operations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS host,
  username,
  sourceip,
  destinationip,
  destinationhostname,
  "Application",
  QIDNAME(qid) AS event_name,
  payload
FROM events
WHERE
  LOWER("Application") LIKE '%notepad++%'
  AND (
    (LOWER(category) = 'network connection' AND destinationhostname NOT LIKE '%notepad-plus-plus.org%')
    OR (LOWER(category) = 'process creation' AND "parentprocessname" LIKE '%notepad++.exe%' AND LOWER("Application") NOT IN ('notepad++.exe', 'gup.exe', 'conhost.exe'))
    OR (LOWER(category) = 'file created' AND ("targetfilepath" LIKE '%\plugins\%' OR "targetfilepath" LIKE '%\updater\%') AND ("targetfilepath" LIKE '%.dll' OR "targetfilepath" LIKE '%.exe'))
  )
  AND LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
LAST 24 HOURS

QRadar AQL query detecting Notepad++ making unauthorized network connections, spawning unexpected child processes, or writing executable files to plugin/updater directories as indicators of CVE-2025-15556 exploitation.

high severity medium confidence

Data Sources

QRadar SIEM Windows Event Logs Sysmon

Required Tables

events

False Positives

Legitimate plugin manager downloading approved plugins from known-good repositories
Authorized Notepad++ updates through enterprise software management
IT helpdesk manual plugin installations on user workstations
Security scanning tools that invoke Notepad++ during file analysis

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows/sysmon OR _sourceCategory=endpoint/crowdstrike
| json field=_raw "EventID" as event_id nodrop
| json field=_raw "Image" as image nodrop
| json field=_raw "ParentImage" as parent_image nodrop
| json field=_raw "DestinationHostname" as dest_host nodrop
| json field=_raw "TargetFilename" as target_file nodrop
| where (toLowerCase(image) contains "notepad++.exe" or toLowerCase(parent_image) contains "notepad++.exe")
| eval suspicious_network = if(event_id="3" and toLowerCase(image) contains "notepad++.exe" and !matches(dest_host, ".*notepad-plus-plus\\.org.*"), 1, 0)
| eval suspicious_child = if(event_id="1" and toLowerCase(parent_image) contains "notepad++.exe" and !matches(toLowerCase(image), ".*(notepad\\+\\+|gup|conhost).*"), 1, 0)
| eval suspicious_file = if(event_id="11" and toLowerCase(image) contains "notepad++.exe" and (matches(target_file, "(?i).*\\\\plugins\\\\.*") or matches(target_file, "(?i).*\\\\updater\\\\.*")) and (matches(target_file, "(?i).*\\.(dll|exe)$")), 1, 0)
| where suspicious_network=1 or suspicious_child=1 or suspicious_file=1
| fields _sourceHost, _sourceCategory, event_id, image, parent_image, dest_host, target_file, suspicious_network, suspicious_child, suspicious_file
| sort by _messagetime desc

Sumo Logic query identifying Notepad++ suspicious behaviors including unauthorized outbound connections, unexpected child process execution, and DLL/EXE writes to sensitive directories consistent with CVE-2025-15556.

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon via Sumo Logic collector

Required Tables

_sourceCategory=endpoint/windows/sysmon _sourceCategory=endpoint/crowdstrike

False Positives

Official Notepad++ plugin manager connecting to approved plugin repositories
Enterprise patch management systems performing Notepad++ updates
Developer toolchains that extend Notepad++ with custom plugins
Security product integrations that hook into Notepad++ process space

Google Chronicle / SecOps

yaral

rule cve_2025_15556_notepadplusplus_integrity_bypass {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2025-15556: Notepad++ download of code without integrity check"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-15556"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    (
      // Notepad++ spawning unexpected child processes
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.principal.process.file.full_path, `(?i)notepad\+\+\.exe`)
      and not re.regex($e1.target.process.file.full_path, `(?i)(notepad\+\+|GUP|conhost|cmd)\.exe`)
    )
    or
    (
      // Notepad++ making network connections to non-official hosts
      $e1.metadata.event_type = "NETWORK_CONNECTION"
      and re.regex($e1.principal.process.file.full_path, `(?i)notepad\+\+\.exe`)
      and not re.regex($e1.target.hostname, `(?i)(notepad-plus-plus\.org|localhost|127\.0\.0\.1)`)
    )
    or
    (
      // Notepad++ writing executables to plugin/updater directories
      $e1.metadata.event_type = "FILE_CREATION"
      and re.regex($e1.principal.process.file.full_path, `(?i)notepad\+\+\.exe`)
      and re.regex($e1.target.file.full_path, `(?i)(\\plugins\\|\\updater\\)`)
      and re.regex($e1.target.file.full_path, `(?i)\.(dll|exe)$`)
    )

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule detecting Notepad++ CVE-2025-15556 exploitation patterns: unauthorized child process spawning, network connections to non-official hosts, and executable file writes to plugin or updater directories.

high severity medium confidence

Data Sources

Google Chronicle CrowdStrike Falcon via Chronicle Sysmon via Chronicle

Required Tables

UDM Events

False Positives

Notepad++ plugin manager downloading plugins from community repositories with non-official domains
Enterprise software management tools launching processes in Notepad++ context
GUP.exe update connections to CDN endpoints not matching the exact notepad-plus-plus.org pattern
Developer extensions or automation scripts integrating with Notepad++

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN (ProcessRollup2, NetworkConnectIP4, NetworkConnectIP6, FileOpenInfo)
| ParentBaseFileName = "notepad++.exe" OR ImageFileName = "*notepad++.exe"
| eval event_category = case(
    #event_simpleName = "ProcessRollup2" AND ParentBaseFileName = "notepad++.exe" AND ImageFileName != "*notepad++.exe" AND ImageFileName != "*GUP.exe" AND ImageFileName != "*conhost.exe", "suspicious_child_process",
    #event_simpleName IN ("NetworkConnectIP4", "NetworkConnectIP6") AND ImageFileName = "*notepad++.exe" AND RemoteAddressIP4 != "127.0.0.1", "suspicious_network",
    #event_simpleName = "FileOpenInfo" AND ImageFileName = "*notepad++.exe" AND (TargetFileName = "*\plugins\*" OR TargetFileName = "*\updater\*") AND (TargetFileName = "*.dll" OR TargetFileName = "*.exe"), "suspicious_file_write",
    true(), null
  )
| event_category != null
| stats count() as event_count, values(event_category) as categories, values(RemoteAddressIP4) as remote_ips, values(TargetFileName) as target_files, values(ImageFileName) as child_procs by ComputerName, UserName, aid
| sort -event_count

CrowdStrike Falcon NG-SIEM query detecting CVE-2025-15556 exploitation via Notepad++ suspicious child processes, unexpected network connections, and DLL/EXE writes to plugin or updater directories.

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon NG-SIEM

Required Tables

ProcessRollup2 NetworkConnectIP4 NetworkConnectIP6 FileOpenInfo

False Positives

Authorized plugin installations via the Notepad++ plugin manager
Legitimate GUP.exe update process connecting to Notepad++ CDN infrastructure
Enterprise endpoint management solutions deploying Notepad++ plugin updates
Security tools instrumenting Notepad++ process for file integrity monitoring

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2025-15556 Notepad++ Download of Code Without Integrity Check (CVE-2025-15556)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2025-15556

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox