EXPLORE
Sign In
← Back to Explore
elastichighTTP

Potential Notepad Markdown RCE Exploitation

Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a Notepad markdown parsing vulnerability (CVE-2026-20841) that can lead to arbitrary code execution.

MITRE ATT&CK

T1203T1204T1204.002
execution

Detection Query

process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : "notepad.exe" and process.parent.args : "*.md" and
  not process.executable : "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_*\\Notepad\\Notepad.exe"

Author

Elastic

Created

2026/02/16

Data Sources

Elastic EndgameElastic DefendMicrosoft Defender for EndpointSysmonSentinelOneendgame-*logs-endpoint.events.process-*logs-m365_defender.event-*logs-sentinel_one_cloud_funnel.*logs-windows.sysmon_operational-*

References

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: ExecutionData Source: Elastic EndgameData Source: Elastic DefendData Source: Microsoft Defender for EndpointData Source: SysmonData Source: SentinelOneResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/02/16"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/03/24"

[rule]
author = ["Elastic"]
description = """
Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a
Notepad markdown parsing vulnerability (CVE-2026-20841) that can lead to arbitrary code execution.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-windows.sysmon_operational-*"
]
language = "eql"
license = "Elastic License v2"
name = "Potential Notepad Markdown RCE Exploitation"
note = """## Triage and analysis

### Investigating Potential Notepad Markdown RCE Exploitation

This rule detects a new child process launched by `notepad.exe` when Notepad was opened with a Markdown (`.md`) file.
This behavior can indicate exploitation of a Notepad remote code execution vulnerability where crafted Markdown content
triggers unintended process execution.

### Possible investigation steps

- Validate the parent-child relationship and confirm `notepad.exe` is the direct parent of the suspicious process.
- Review the full command line of both parent and child processes, including the Markdown file path in `process.parent.args`.
- Identify the Markdown file source (email attachment, browser download, chat client, removable media, or network share).
- Inspect process ancestry and descendants for additional payload execution, script interpreters, or LOLBIN activity.
- Correlate with file, registry, and network events around the same timestamp to identify follow-on behavior.
- Determine whether the child process and its execution path are expected in your environment.

### False positive analysis

- Legitimate automation or editor extensions may occasionally spawn helper processes from Notepad workflows.
- User-driven workflows that invoke external tools from Markdown previews can trigger this behavior.
- If benign, tune by excluding known-safe child process names, hashes, signed binaries, and approved file paths.

### Response and remediation

- Isolate affected endpoints until scope is understood.
- Terminate suspicious child and descendant processes initiated from `notepad.exe`.
- Quarantine and preserve the triggering Markdown file for forensic analysis.
- Run endpoint malware scans and collect volatile artifacts (running processes, network connections, autoruns).
- Patch Windows/Notepad to the latest security update level addressing the vulnerability.
- Hunt for the same parent-child pattern across other hosts to identify additional impacted systems.
"""
references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841"]
risk_score = 73
rule_id = "7f3521dd-fb80-4548-a7eb-8db37b898dc2"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : "notepad.exe" and process.parent.args : "*.md" and
  not process.executable : "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_*\\Notepad\\Notepad.exe"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"

[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"

[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"