[OOTB] Notepad++ supply chain attack package - ENG
<html lang="en">
<body>
  
  <p>
	On February 2, 2026, the developers of Notepad++, a text editor popular among developers, published a statement claiming that the update infrastructure of Notepad++ had been compromised. According to the statement, this was due to a hosting provider-level incident, which occurred from June to September 2025. However, attackers had been able to retain access to internal services until December 2025.<br>
	Within the attacks there was many different pattern of the adversary bahavior. In response to this attack, we have developed a set of detection rules to help identify potential exploitation attempts and take proactive measures to protect systems.<br>
	This package contains rules that can be categorized into three groups:
		<ul>
			<li>IOC monitoring:</li>
				<ul>
					<li>URLs</li>
					<li>File hashes</li>
					<li>File names</li>
				</ul>
			<li>Suspicious activity on host:<li>		
				<ul>
					<li>Abnormal file names</li>
					<li>Uncommon command executions and child processes</li>
					<li>Suspicious network activity</li>
				</ul>
		</ul>
	More details are described in article: https://securelist.com/notepad-supply-chain-attack/118708/ <br>
	<b>Important Notes:</b><br>
	To ensure the correct functioning of detection rules, it is essential to verify that all necessary Windows events such as 4688 (process creation), 5136 (packet filter), 4663 (object access) are presented in SIEM system.
  </p>

</body>
</html>