---
title: Potential Notepad Markdown RCE Exploitation
description: Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a Notepad markdown parsing vulnerability...
url: https://www.elastic.co/elastic/docs-builder/docs/3016/reference/security/prebuilt-rules/rules/windows/execution_notepad_markdown_child_process
products:
  - Elastic Security
---

# Potential Notepad Markdown RCE Exploitation
Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a
Notepad markdown parsing vulnerability (CVE-2026-20841) that can lead to arbitrary code execution.
**Rule type**: eql
**Rule indices**:
- endgame-*
- logs-endpoint.events.process-*
- logs-m365_defender.event-*
- logs-sentinel_one_cloud_funnel.*
- logs-windows.sysmon_operational-*

**Rule Severity**: high
**Risk Score**: 73
**Runs every**: 
**Searches indices from**: `now-9m`
**Maximum alerts per execution**: 100
**References**:
- [[https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841)](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841)

**Tags**:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Execution
- Data Source: Elastic Endgame
- Data Source: Elastic Defend
- Data Source: Microsoft Defender for Endpoint
- Data Source: Sysmon
- Data Source: SentinelOne
- Resources: Investigation Guide

**Version**: 2
**Rule authors**:
- Elastic

**Rule license**: Elastic License v2

## Investigation guide


## Triage and analysis


### Investigating Potential Notepad Markdown RCE Exploitation

This rule detects a new child process launched by `notepad.exe` when Notepad was opened with a Markdown (`.md`) file.
This behavior can indicate exploitation of a Notepad remote code execution vulnerability where crafted Markdown content
triggers unintended process execution.

### Possible investigation steps

- Validate the parent-child relationship and confirm `notepad.exe` is the direct parent of the suspicious process.
- Review the full command line of both parent and child processes, including the Markdown file path in `process.parent.args`.
- Identify the Markdown file source (email attachment, browser download, chat client, removable media, or network share).
- Inspect process ancestry and descendants for additional payload execution, script interpreters, or LOLBIN activity.
- Correlate with file, registry, and network events around the same timestamp to identify follow-on behavior.
- Determine whether the child process and its execution path are expected in your environment.


### False positive analysis

- Legitimate automation or editor extensions may occasionally spawn helper processes from Notepad workflows.
- User-driven workflows that invoke external tools from Markdown previews can trigger this behavior.
- If benign, tune by excluding known-safe child process names, hashes, signed binaries, and approved file paths.


### Response and remediation

- Isolate affected endpoints until scope is understood.
- Terminate suspicious child and descendant processes initiated from `notepad.exe`.
- Quarantine and preserve the triggering Markdown file for forensic analysis.
- Run endpoint malware scans and collect volatile artifacts (running processes, network connections, autoruns).
- Patch Windows/Notepad to the latest security update level addressing the vulnerability.
- Hunt for the same parent-child pattern across other hosts to identify additional impacted systems.


## Rule Query

```eql
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : "notepad.exe" and process.parent.args : "*.md" and
  not process.executable : "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_*\\Notepad\\Notepad.exe"
```

**Framework:** MITRE ATT&CK
- Tactic:
  - Name: Execution
- Id: TA0002
- Reference URL: [[https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)](https://attack.mitre.org/tactics/TA0002/)
- Technique:
  - Name: Exploitation for Client Execution
- Id: T1203
- Reference URL: [[https://attack.mitre.org/techniques/T1203/](https://attack.mitre.org/techniques/T1203/)](https://attack.mitre.org/techniques/T1203/)
- Technique:
  - Name: User Execution
- Id: T1204
- Reference URL: [[https://attack.mitre.org/techniques/T1204/](https://attack.mitre.org/techniques/T1204/)](https://attack.mitre.org/techniques/T1204/)
- Sub Technique:
  - Name: Malicious File
- Id: T1204.002
- Reference URL: [[https://attack.mitre.org/techniques/T1204/002/](https://attack.mitre.org/techniques/T1204/002/)](https://attack.mitre.org/techniques/T1204/002/)