Detect Notepad++ Download of Code Without Integrity Check (CVE-2025-15556) in CrowdStrike LogScale
CVE-2025-15556 is a CWE-494 (Download of Code Without Integrity Check) vulnerability in Notepad++ that has been added to CISA's Known Exploited Vulnerabilities catalog. The vulnerability allows an attacker to deliver malicious code through Notepad++'s update or plugin mechanism without cryptographic integrity verification, enabling arbitrary code execution in the context of the user running Notepad++. This is actively exploited in the wild and should be treated as high-priority for endpoint detection and response.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
LogScale Detection Query
#event_simpleName IN (ProcessRollup2, NetworkConnectIP4, NetworkConnectIP6, FileOpenInfo)
| ParentBaseFileName = "notepad++.exe" OR ImageFileName = "*notepad++.exe"
| eval event_category = case(
#event_simpleName = "ProcessRollup2" AND ParentBaseFileName = "notepad++.exe" AND ImageFileName != "*notepad++.exe" AND ImageFileName != "*GUP.exe" AND ImageFileName != "*conhost.exe", "suspicious_child_process",
#event_simpleName IN ("NetworkConnectIP4", "NetworkConnectIP6") AND ImageFileName = "*notepad++.exe" AND RemoteAddressIP4 != "127.0.0.1", "suspicious_network",
#event_simpleName = "FileOpenInfo" AND ImageFileName = "*notepad++.exe" AND (TargetFileName = "*\plugins\*" OR TargetFileName = "*\updater\*") AND (TargetFileName = "*.dll" OR TargetFileName = "*.exe"), "suspicious_file_write",
true(), null
)
| event_category != null
| stats count() as event_count, values(event_category) as categories, values(RemoteAddressIP4) as remote_ips, values(TargetFileName) as target_files, values(ImageFileName) as child_procs by ComputerName, UserName, aid
| sort -event_countCrowdStrike Falcon NG-SIEM query detecting CVE-2025-15556 exploitation via Notepad++ suspicious child processes, unexpected network connections, and DLL/EXE writes to plugin or updater directories.
Data Sources
Required Tables
False Positives & Tuning
- Authorized plugin installations via the Notepad++ plugin manager
- Legitimate GUP.exe update process connecting to Notepad++ CDN infrastructure
- Enterprise endpoint management solutions deploying Notepad++ plugin updates
- Security tools instrumenting Notepad++ process for file integrity monitoring
Other platforms for CVE-2025-15556
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Notepad++ Downloading Unsigned DLL via HTTP
Expected signal: Sysmon Event ID 3 (network connection from notepad++.exe to non-official IP), Sysmon Event ID 11 (file creation in plugins directory with .dll extension), EDR network connection alert
- Test 2Notepad++ Plugin Directory DLL Drop
Expected signal: Sysmon Event ID 11 for file creation in Notepad++ plugins directory with .dll extension; EDR file creation alert
- Test 3Notepad++ Spawning Unexpected Child Process
Expected signal: Sysmon Event ID 1 showing cmd.exe with Notepad++ as parent process; EDR process lineage alert; command line captured in telemetry
Unlock Pro Content
Get the full detection package for CVE-2025-15556 including response playbook, investigation guide, and atomic red team tests.