Detect Notepad++ Download of Code Without Integrity Check (CVE-2025-15556) in Microsoft Sentinel
CVE-2025-15556 is a CWE-494 (Download of Code Without Integrity Check) vulnerability in Notepad++ that has been added to CISA's Known Exploited Vulnerabilities catalog. The vulnerability allows an attacker to deliver malicious code through Notepad++'s update or plugin mechanism without cryptographic integrity verification, enabling arbitrary code execution in the context of the user running Notepad++. This is actively exploited in the wild and should be treated as high-priority for endpoint detection and response.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
KQL Detection Query
let NotepadPlusProcesses = DeviceProcessEvents
| where FileName =~ "notepad++.exe" or InitiatingProcessFileName =~ "notepad++.exe"
| project DeviceId, DeviceName, Timestamp, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine;
let NotepadPlusNetworkEvents = DeviceNetworkEvents
| where InitiatingProcessFileName =~ "notepad++.exe"
| where RemoteUrl !has "notepad-plus-plus.org" or ActionType == "ConnectionFailed"
| project DeviceId, DeviceName, Timestamp, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine;
let SuspiciousFileWrites = DeviceFileEvents
| where InitiatingProcessFileName =~ "notepad++.exe"
| where (FolderPath contains "\\plugins\\" or FolderPath contains "\\updater\\" or FolderPath endswith ".dll" or FolderPath endswith ".exe")
| project DeviceId, DeviceName, Timestamp, FileName, FolderPath, SHA256, InitiatingProcessFileName;
let ChildProcesses = DeviceProcessEvents
| where InitiatingProcessFileName =~ "notepad++.exe"
| where FileName !in~ ("notepad++.exe", "GUP.exe", "explorer.exe")
| project DeviceId, DeviceName, Timestamp, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName;
union kind=outer NotepadPlusNetworkEvents, SuspiciousFileWrites, ChildProcesses
| summarize Count=count(), Events=make_set(pack("type", $left.RemoteUrl, "file", $left.FolderPath, "proc", $left.FileName), 10) by DeviceId, DeviceName, bin(Timestamp, 1h)
| where Count >= 1
| order by Timestamp descDetects suspicious behaviors associated with CVE-2025-15556: Notepad++ making unexpected network connections, writing DLL/EXE files to plugin or updater directories, and spawning unexpected child processes. These patterns indicate exploitation of the integrity-check bypass vulnerability.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Notepad++ auto-updates via GUP.exe connecting to official notepad-plus-plus.org endpoints
- Administrators installing Notepad++ plugins manually via the built-in plugin manager
- Security tools or antivirus software spawning processes in the context of Notepad++
- Corporate software deployment tools updating Notepad++ installations enterprise-wide
Other platforms for CVE-2025-15556
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Notepad++ Downloading Unsigned DLL via HTTP
Expected signal: Sysmon Event ID 3 (network connection from notepad++.exe to non-official IP), Sysmon Event ID 11 (file creation in plugins directory with .dll extension), EDR network connection alert
- Test 2Notepad++ Plugin Directory DLL Drop
Expected signal: Sysmon Event ID 11 for file creation in Notepad++ plugins directory with .dll extension; EDR file creation alert
- Test 3Notepad++ Spawning Unexpected Child Process
Expected signal: Sysmon Event ID 1 showing cmd.exe with Notepad++ as parent process; EDR process lineage alert; command line captured in telemetry
Unlock Pro Content
Get the full detection package for CVE-2025-15556 including response playbook, investigation guide, and atomic red team tests.