Merge PR #5500 from @swachchhanda000 - Potential Notepad++ CVE-2025-49144 Exploitation

new: Potential Notepad++ CVE-2025-49144 Exploitation
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml

@@ -0,0 +1,34 @@
+title: Potential Notepad++ CVE-2025-49144 Exploitation
+id: 933f0bb5-0681-4fe7-8a17-4e6cccbaac44
+status: experimental
+description: |
+    Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path.
+    This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside this Legitimate Notepad++ installer.
+    The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.
+references:
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49144
+    - https://x.com/NullSecurityX/status/1937444064867029179
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-06-26
+tags:
+    - attack.privilege-escalation
+    - attack.defense-evasion
+    - attack.t1574.008
+    - cve.2025-49144
+    - detection.emerging-threats
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '\regsvr32.exe'
+        CommandLine|startswith: 'regsvr32 /s'
+        CommandLine|contains: '\contextMenu\NppShell.dll'
+    filter_main_legit_regsvr32:
+        Image:
+            - 'C:\Windows\System32\regsvr32.exe'
+            - 'C:\Windows\SysWOW64\regsvr32.exe'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: high