From 2610f580d8a91f4abf356f2e4891d2604c0d7c2b Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Tue, 1 Jul 2025 14:07:35 +0545
Subject: [PATCH] Merge PR #5500 from @swachchhanda000 - Potential Notepad++ CVE-2025-49144 Exploitation
new: Potential Notepad++ CVE-2025-49144 Exploitation
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 ...oc_creation_win_exploit_cve_2025_49144.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml
new file mode 100644
index 000000000..0290f3985
--- /dev/null
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml
@@ -0,0 +1,34 @@
+title: Potential Notepad++ CVE-2025-49144 Exploitation
+id: 933f0bb5-0681-4fe7-8a17-4e6cccbaac44
+status: experimental
+description: |
+ Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path.
+ This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside this Legitimate Notepad++ installer.
+ The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.
+references:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49144
+ - https://x.com/NullSecurityX/status/1937444064867029179
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-06-26
+tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.t1574.008
+ - cve.2025-49144
+ - detection.emerging-threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '\regsvr32.exe'
+ CommandLine|startswith: 'regsvr32 /s'
+ CommandLine|contains: '\contextMenu\NppShell.dll'
+ filter_main_legit_regsvr32:
+ Image:
+ - 'C:\Windows\System32\regsvr32.exe'
+ - 'C:\Windows\SysWOW64\regsvr32.exe'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unknown
+level: high
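Review bot: `CommandLine|startswith: 'regsvr32 /s'` in `selection` pins the rule to one exact argument order, so an invocation spelled `regsvr32.exe /s ...`, `"regsvr32" /s ...`, or the unregister form `regsvr32 /u /s ...` (which an uninstall path may use — not verified here) would not fire even though a planted binary resolved outside System32 would still execute. Since `filter_main_legit_regsvr32` already encodes the actual condition — the resolved `Image` is not the System32/SysWOW64 copy — the prefix match adds little precision; consider widening it, e.g. `CommandLine|startswith: ['regsvr32 ', 'regsvr32.exe ', '"regsvr32']`, or dropping it and letting the `\contextMenu\NppShell.dll` `contains` scope the rule. Separately, the filter's exact `C:\Windows\...` paths mean every legitimate registration on a host whose system drive is not C: will alert; a comment such as `# assumes the system drive is C:` on the filter, or a matching entry under `falsepositives`, would make that trade-off explicit. The description's "alongside this Legitimate Notepad++ installer" reads oddly — `alongside the legitimate Notepad++ installer`.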