Detect Notepad++ Download of Code Without Integrity Check (CVE-2025-15556) in Splunk
CVE-2025-15556 is a CWE-494 (Download of Code Without Integrity Check) vulnerability in Notepad++ that has been added to CISA's Known Exploited Vulnerabilities catalog. The vulnerability allows an attacker to deliver malicious code through Notepad++'s update or plugin mechanism without cryptographic integrity verification, enabling arbitrary code execution in the context of the user running Notepad++. This is actively exploited in the wild and should be treated as high-priority for endpoint detection and response.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
SPL Detection Query
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=crowdstrike:events:sensor
| eval process_name=lower(coalesce(process_name, Image, ParentImage))
| eval parent_name=lower(coalesce(parent_process_name, ParentImage))
| where process_name="notepad++.exe" OR parent_name="notepad++.exe"
| eval event_type=case(
EventCode=1 AND parent_name="notepad++.exe" AND process_name!="notepad++.exe" AND process_name!="gup.exe", "suspicious_child_process",
EventCode=3 AND process_name="notepad++.exe", "network_connection",
EventCode=11 AND (process_name="notepad++.exe") AND (match(TargetFilename, "(?i)\\plugins\\") OR match(TargetFilename, "(?i)\\updater\\") OR match(TargetFilename, "(?i)\.(dll|exe)$")), "file_write",
true(), "other"
)
| where event_type IN ("suspicious_child_process", "network_connection", "file_write")
| stats count as event_count, values(event_type) as event_types, values(DestinationIp) as dest_ips, values(TargetFilename) as files_written, values(process_name) as child_procs by Computer, user, _time
| where event_count >= 1
| sort -_timeDetects Notepad++ exploitation indicators including unexpected child processes, network connections, and suspicious file writes to plugin or updater directories consistent with CVE-2025-15556 exploitation.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate Notepad++ plugin installations through the official plugin manager
- GUP.exe-based auto-updates connecting to official Notepad++ update servers
- Enterprise patch management tools writing updated Notepad++ binaries
- Security testing or red team exercises in authorized lab environments
Other platforms for CVE-2025-15556
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Notepad++ Downloading Unsigned DLL via HTTP
Expected signal: Sysmon Event ID 3 (network connection from notepad++.exe to non-official IP), Sysmon Event ID 11 (file creation in plugins directory with .dll extension), EDR network connection alert
- Test 2Notepad++ Plugin Directory DLL Drop
Expected signal: Sysmon Event ID 11 for file creation in Notepad++ plugins directory with .dll extension; EDR file creation alert
- Test 3Notepad++ Spawning Unexpected Child Process
Expected signal: Sysmon Event ID 1 showing cmd.exe with Notepad++ as parent process; EDR process lineage alert; command line captured in telemetry
Unlock Pro Content
Get the full detection package for CVE-2025-15556 including response playbook, investigation guide, and atomic red team tests.