
# *Notepad++ CVE-2026-48778 & CVE-2026-48800 Detection*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1059 | Command and Scripting Interpreter | https://attack.mitre.org/techniques/T1059 |
| T1574.001 | DLL | https://attack.mitre.org/techniques/T1574/001/ |


#### Description

This rule detects attempts to exploit CVE-2026-48778 (commandLineInterpreter hijack via config.xml) and CVE-2026-48800 (UserDefinedCommands hijack via shortcuts.xml) in Notepad++. It identifies suspicious modifications to Notepad++ configuration files (config.xml or shortcuts.xml) by processes other than Notepad++ itself, explorer.exe, or antivirus software. Additionally, it detects suspicious process execution originating from Notepad++ that is not part of its normal operation, such as spawning shell processes from non-standard paths. The rule also correlates these events, looking for suspicious process spawns within 24 hours after a configuration file modification.

#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/



## Defender XDR
```KQL
// Notepad++ CVE-2026-48778 & CVE-2026-48800 Detection
// CVE-2026-48778: commandLineInterpreter hijack via config.xml
// CVE-2026-48800: UserDefinedCommands hijack via shortcuts.xml
let ExcludedCLI = dynamic([@"C:\myscript.ps1"]);
let VulnDevices = DeviceTvmSoftwareVulnerabilities
| where OSPlatform startswith "Windows"
| where SoftwareName =~ "notepad++"
| where parse_version(SoftwareVersion) < parse_version("8.9.6.1")
| distinct DeviceName;
let XmlConfigWrite = DeviceFileEvents
| where DeviceName in (VulnDevices)
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileModified")
| where FileName in~ ("config.xml", "shortcuts.xml")
| where FolderPath has @"\AppData\Roaming\Notepad++"
| where InitiatingProcessFileName !in~ (
	"notepad++.exe",
	"explorer.exe",
	"MsMpEng.exe",
	"svchost.exe"
)
// Exclude FHNW config management
| where not(
	InitiatingProcessFileName =~ "powershell.exe"
	and InitiatingProcessCommandLine has_any (ExcludedCLI) 
)
| extend
	DetectionType = "XML_Config_Write",
	CVE = iff(FileName =~ "config.xml", "CVE-2026-48778", "CVE-2026-48800");
// Trigger: user clicks "Open Containing Folder -> cmd"
let SuspiciousShellExecute = DeviceProcessEvents
| where DeviceName in (VulnDevices)
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "notepad++.exe"
// General process whitelist excluding shells (handled below)
| where FileName !in~ (
	"notepad++.exe",		// multi-instance & UAC-save
	"explorer.exe",			// open containing folder
	"GUP.exe",				// built-in updater
	"chrome.exe",			// URL handler
	"msedge.exe",			// URL handler
	"firefox.exe",			// URL handler
	"msedgewebview2.exe"	// MarkdownPanel plugin
)
// Allow cmd/powershell/bash only from System32 or SysWOW64
| where not(
	FileName in~ ("cmd.exe", "powershell.exe", "bash.exe")
	and FolderPath has_any (
		@"C:\Windows\System32",
		@"C:\Windows\SysWOW64"
	)
)
// Allow GUP.exe from official updater path (fallback)
| where not(
	FileName =~ "GUP.exe"
	and FolderPath has_any (
		@"C:\Program Files\Notepad++\updater",
		@"C:\Program Files (x86)\Notepad++\updater"
	)
)
| extend
	DetectionType = "ShellExecute_Hijack",
	CVE = "CVE-2026-48778";
// Correlation: XML write followed by suspicious spawn within 24h
let RecentXmlWrites = DeviceFileEvents
| where DeviceName in (VulnDevices)
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileModified")
| where FileName in~ ("config.xml", "shortcuts.xml")
| where FolderPath has @"\AppData\Roaming\Notepad++"
| where InitiatingProcessFileName !in~ (
	"notepad++.exe",
	"explorer.exe",
	"MsMpEng.exe"
)
| project
	DeviceName,
	AccountName = InitiatingProcessAccountUpn, 
	XmlWriteTime = Timestamp,
	XmlFile = FileName,
	WritingProcess = InitiatingProcessFileName,
	WritingProcessCmdLine = InitiatingProcessCommandLine;
let PostWriteExecution = DeviceProcessEvents
| where DeviceName in (VulnDevices)
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "notepad++.exe"
| where FileName !in~ (
	"notepad++.exe",
	"GUP.exe",
	"explorer.exe",
	"msedgewebview2.exe",
	"chrome.exe",
	"msedge.exe",
	"firefox.exe"
)
| project
	DeviceName,
	AccountName = InitiatingProcessAccountUpn, 
	SpawnTime = Timestamp,
	FileName = FileName,
	FolderPath = FolderPath,
	ProcessCommandLine = ProcessCommandLine;
let XmlWriteCorrelation = PostWriteExecution
| join kind=inner RecentXmlWrites on DeviceName, AccountName
| where SpawnTime > XmlWriteTime
| where SpawnTime < XmlWriteTime + 24h
| project
	Timestamp = SpawnTime,
	DeviceName,
	AccountName,
	FileName,
	FolderPath,
	ProcessCommandLine,
	InitiatingProcessFileName = "notepad++.exe",
	InitiatingProcessCommandLine = strcat("Triggered after XML modification in: ", XmlFile),
	DetectionType = "XML_Write_Then_Spawn_Correlation",
	CVE = iff(XmlFile =~ "config.xml", "CVE-2026-48778", "CVE-2026-48800");
union
	XmlConfigWrite,
	SuspiciousShellExecute,
	XmlWriteCorrelation
```

Explanation

This KQL query is designed to detect potential security threats related to two specific vulnerabilities (CVE-2026-48778 and CVE-2026-48800) in Notepad++. Here's a simplified breakdown of what the query does:

  1. Identify Vulnerable Devices: It first identifies Windows devices that have an outdated version of Notepad++ (older than version 8.9.6.1), which are potentially vulnerable to these exploits.

  2. Monitor Configuration File Changes: The query looks for any changes (creation or modification) to Notepad++ configuration files (config.xml and shortcuts.xml) within the last 7 days. It flags these changes as suspicious if they are made by processes other than Notepad++, Windows Explorer, or antivirus software.

  3. Detect Suspicious Process Executions: It checks for unusual processes being started by Notepad++. Specifically, it flags shell processes (like cmd.exe or powershell.exe) that are not running from standard system directories, as well as any other unexpected processes.

  4. Correlate Events: The query correlates the above events by checking if a suspicious process execution occurs within 24 hours after a configuration file change. This helps identify if a configuration change is followed by potentially malicious activity.

  5. Output: The results are combined to provide a comprehensive view of potential exploitation attempts, categorized by the type of detection (configuration file change, suspicious process execution, or correlated events).

Overall, this query helps security teams detect and respond to potential exploitation attempts of specific vulnerabilities in Notepad++ by monitoring configuration changes and process activities.
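The five stages above, as an added Python model written for this page (it is not the author's query and calls no Defender XDR API): it runs the same filters over a handful of constructed sample rows whose device names, accounts, paths and timestamps are made up, approximates the query's `has_any` on folder paths with a prefix match, and keeps the query's two different exclusion lists for the standalone write rule versus the correlation stage. That difference is why a cmd.exe spawned from System32 passes the shell rule but still correlates with a preceding config.xml write, a subtlety worth knowing when tuning the rule.

```python
from datetime import datetime, timedelta

# Thresholds and allow-lists from the KQL above, lower-cased because the query matches case-insensitively
PATCHED_VERSION = (8, 9, 6, 1)
CONFIG_FILES, CONFIG_DIR = {"config.xml", "shortcuts.xml"}, r"\appdata\roaming\notepad++"
XML_WRITER_ALLOWLIST = {"notepad++.exe", "explorer.exe", "msmpeng.exe", "svchost.exe"}
CORRELATION_WRITER_ALLOWLIST = {"notepad++.exe", "explorer.exe", "msmpeng.exe"}  # RecentXmlWrites uses this shorter list
EXCLUDED_CLI = (r"C:\myscript.ps1",)  # placeholder path, as in the query's ExcludedCLI
CHILD_ALLOWLIST = {"notepad++.exe", "explorer.exe", "gup.exe", "chrome.exe", "msedge.exe", "firefox.exe", "msedgewebview2.exe"}
SHELLS, SYSTEM_DIRS = {"cmd.exe", "powershell.exe", "bash.exe"}, (r"c:\windows\system32", r"c:\windows\syswow64")
WINDOW = timedelta(hours=24)


def parse_version(s):
    """Numeric tuple so that 8.9.5 < 8.9.6.1, like KQL parse_version()."""
    return tuple(int(p) for p in s.split("."))


def vulnerable_devices(tvm_rows):
    """Stage 1: Windows devices whose Notepad++ is older than 8.9.6.1."""
    return {r["DeviceName"] for r in tvm_rows
            if r["OSPlatform"].startswith("Windows") and r["SoftwareName"].lower() == "notepad++"
            and parse_version(r["SoftwareVersion"]) < PATCHED_VERSION}


def xml_config_writes(file_events, vuln, writer_allowlist, excluded_cli):
    """Stage 2: config.xml / shortcuts.xml written by something other than Notepad++ or an approved writer."""
    hits = []
    for e in file_events:
        writer = e["InitiatingProcessFileName"].lower()
        if (e["DeviceName"] not in vuln or e["ActionType"] not in ("FileCreated", "FileModified")
                or e["FileName"].lower() not in CONFIG_FILES or CONFIG_DIR not in e["FolderPath"].lower()
                or writer in writer_allowlist):
            continue
        if writer == "powershell.exe" and any(x in e["InitiatingProcessCommandLine"] for x in excluded_cli):
            continue  # approved config-management script
        cve = "CVE-2026-48778" if e["FileName"].lower() == "config.xml" else "CVE-2026-48800"
        hits.append({**e, "DetectionType": "XML_Config_Write", "CVE": cve})
    return hits


def spawns_from_notepad(proc_events, vuln, allow_system_shells):
    """Stage 3: children of notepad++.exe outside its normal set; system-path shells optionally tolerated."""
    hits = []
    for e in proc_events:
        name, folder = e["FileName"].lower(), e["FolderPath"].lower()
        if e["DeviceName"] not in vuln or e["InitiatingProcessFileName"].lower() != "notepad++.exe" or name in CHILD_ALLOWLIST:
            continue
        if allow_system_shells and name in SHELLS and folder.startswith(SYSTEM_DIRS):  # prefix match stands in for has_any
            continue  # cmd/powershell/bash from System32 or SysWOW64 is the expected "Open Containing Folder" path
        hits.append({**e, "DetectionType": "ShellExecute_Hijack", "CVE": "CVE-2026-48778"})
    return hits


def correlate(writes, spawns):
    """Stage 4: a spawn on the same device and account within 24h after a config write."""
    rows = []
    for s in spawns:
        for w in writes:
            same_actor = (s["DeviceName"], s["InitiatingProcessAccountUpn"]) == (w["DeviceName"], w["InitiatingProcessAccountUpn"])
            if same_actor and w["Timestamp"] < s["Timestamp"] < w["Timestamp"] + WINDOW:
                rows.append({"Timestamp": s["Timestamp"], "DeviceName": s["DeviceName"], "AccountName": s["InitiatingProcessAccountUpn"],
                             "FileName": s["FileName"], "FolderPath": s["FolderPath"], "ProcessCommandLine": s["ProcessCommandLine"],
                             "InitiatingProcessFileName": "notepad++.exe", "XmlFile": w["FileName"],
                             "DetectionType": "XML_Write_Then_Spawn_Correlation",
                             "CVE": "CVE-2026-48778" if w["FileName"].lower() == "config.xml" else "CVE-2026-48800"})
    return rows


def run_detection(tvm, file_events, proc_events):
    # Stage 5: union of the three result sets, in the same order as the query's final union
    vuln = vulnerable_devices(tvm)
    return (xml_config_writes(file_events, vuln, XML_WRITER_ALLOWLIST, EXCLUDED_CLI)
            + spawns_from_notepad(proc_events, vuln, allow_system_shells=True)
            + correlate(xml_config_writes(file_events, vuln, CORRELATION_WRITER_ALLOWLIST, ()),
                        spawns_from_notepad(proc_events, vuln, allow_system_shells=False)))


# Constructed sample telemetry (device names, accounts, paths and times are all made up)
T0, USER, OTHER = datetime(2026, 5, 20, 9, 0), "alice@example.com", "bob@example.com"
NPP_DIR, TEMP_DIR = r"C:\Users\alice\AppData\Roaming\Notepad++", r"C:\Users\alice\AppData\Local\Temp"

def file_event(dev, upn, ts, fname, writer, cmd=""):
    return {"DeviceName": dev, "InitiatingProcessAccountUpn": upn, "Timestamp": ts, "ActionType": "FileModified",
            "FileName": fname, "FolderPath": NPP_DIR, "InitiatingProcessFileName": writer, "InitiatingProcessCommandLine": cmd}

def proc_event(dev, upn, ts, fname, folder):
    return {"DeviceName": dev, "InitiatingProcessAccountUpn": upn, "Timestamp": ts, "FileName": fname,
            "FolderPath": folder, "ProcessCommandLine": fname, "InitiatingProcessFileName": "notepad++.exe"}

TVM = [{"DeviceName": "ws01", "OSPlatform": "Windows11", "SoftwareName": "Notepad++", "SoftwareVersion": "8.9.5"},
       {"DeviceName": "ws02", "OSPlatform": "Windows11", "SoftwareName": "Notepad++", "SoftwareVersion": "8.9.6.1"}]
FILE_EVENTS = [
    file_event("ws01", USER, T0, "config.xml", "unknown.exe"),    # unexpected writer: flagged
    file_event("ws01", USER, T0, "config.xml", "notepad++.exe"),  # Notepad++ saving its own settings: ignored
    file_event("ws01", OTHER, T0, "shortcuts.xml", "powershell.exe", r"powershell.exe -File C:\myscript.ps1"),  # approved job
]
PROC_EVENTS = [
    proc_event("ws01", USER, T0 + timedelta(hours=1), "cmd.exe", r"C:\Windows\System32"),  # normal shell path
    proc_event("ws01", USER, T0 + timedelta(hours=2), "cmd.exe", TEMP_DIR),                # shell from an odd path
    proc_event("ws02", USER, T0 + timedelta(hours=2), "cmd.exe", TEMP_DIR),                # same thing on a patched device
]

if __name__ == "__main__":
    for r in run_detection(TVM, FILE_EVENTS, PROC_EVENTS):
        print(r["DetectionType"], r["CVE"], r["DeviceName"], r["FileName"], r.get("FolderPath"))
```

On the sample data this yields four rows: one XML_Config_Write for the config.xml written by the unknown process, one ShellExecute_Hijack for cmd.exe launched from the Temp folder, and two correlation rows (both cmd.exe launches on ws01 fall inside the 24-hour window after that write). The patched device ws02 and the PowerShell job matching ExcludedCLI produce nothing, and the approved write under a different account does not join to alice's spawns.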

Details

Author: Benjamin Zulliger

Released: May 28, 2026

Tables: DeviceTvmSoftwareVulnerabilities, DeviceFileEvents, DeviceProcessEvents

Keywords: Devices

Operators: let, dynamic, startswith, =~, parse_version, distinct, in, >, ago, in~, has, !in~, and, has_any, iff, project, join, kind=inner, <, strcat, union
