
Summary
This detection rule is designed to identify potential exploitation of a vulnerability in Notepad related to Markdown file parsing (CVE-2026-20841). Specifically, it looks for instances where notepad.exe spawns a new child process after opening a Markdown file. Such behavior is consistent with an attack leveraging this vulnerability, which could result in arbitrary code execution. The rule captures events from several data sources, including Windows event logs and endpoint detection logs. Users are advised to investigate the parent-child process hierarchy, review the command line arguments of both parent and child, and assess the context of the opened Markdown files (origin, author, download source) to determine whether the observed behavior is malicious. False positives can occur due to legitimate automation or editor extensions that launch helper processes, and users are encouraged to tune the rule accordingly. When the rule fires, recommended remediation steps include isolating affected systems, terminating suspicious processes, and running malware scans to ensure system integrity.
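As an added illustration of the logic described above (example code written for this page, not the rule's own implementation), the following Python matcher runs the "notepad.exe spawned a child after opening a Markdown file" check over constructed process-creation events modelled on Sysmon Event ID 1 fields (ParentImage, ParentCommandLine, Image, CommandLine, User). The sample events, the `ALLOWLIST` used to tune out a benign helper process, and all file paths are constructed assumptions, not data from the page.

```python
"""Matcher for the Notepad/Markdown child-process detection, with tuning allowlist.

Sample events below are constructed for illustration; field names follow the
Sysmon Event ID 1 layout so the logic maps onto real endpoint telemetry.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

MARKDOWN_EXTENSIONS = {".md", ".markdown"}

# Hypothetical tuning allowlist (assumption, not part of the original rule):
# (child image name, required fragment of the child command line).
ALLOWLIST = {
    ("conhost.exe", ""),  # console host launched by a benign editor helper
}

# Splits a Windows command line into tokens, keeping quoted paths intact.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class ProcessEvent:
    parent_image: str
    parent_command_line: str
    image: str
    command_line: str
    user: str


def _tokens(command_line: str) -> list:
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(command_line)]


def opened_markdown(parent_command_line: str) -> bool:
    """True if any argument of the parent's command line is a Markdown file."""
    return any(PureWindowsPath(tok).suffix.lower() in MARKDOWN_EXTENSIONS
               for tok in _tokens(parent_command_line))


def is_allowlisted(event: ProcessEvent) -> bool:
    child = PureWindowsPath(event.image).name.lower()
    return any(child == name and fragment.lower() in event.command_line.lower()
               for name, fragment in ALLOWLIST)


def matches_rule(event: ProcessEvent) -> bool:
    """Core detection: parent is notepad.exe, parent opened a .md file, child not allowlisted."""
    parent = PureWindowsPath(event.parent_image).name.lower()
    if parent != "notepad.exe":
        return False
    if not opened_markdown(event.parent_command_line):
        return False
    return not is_allowlisted(event)


def triage(events: list) -> list:
    """Return the events an analyst should investigate (parent/child hierarchy, args, file origin)."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry (assumption: not real data).
SAMPLE_EVENTS = [
    ProcessEvent(  # suspicious: notepad opened a .md and spawned a shell
        parent_image=r"C:\Windows\System32\notepad.exe",
        parent_command_line=r'"C:\Windows\System32\notepad.exe" "C:\Users\alice\Downloads\README.md"',
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'cmd.exe /c echo test',
        user="CORP\\alice",
    ),
    ProcessEvent(  # benign: not a Markdown file
        parent_image=r"C:\Windows\System32\notepad.exe",
        parent_command_line=r'"C:\Windows\System32\notepad.exe" "C:\Users\alice\notes.txt"',
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'cmd.exe /c echo test',
        user="CORP\\alice",
    ),
    ProcessEvent(  # benign: parent is not notepad.exe
        parent_image=r"C:\Windows\explorer.exe",
        parent_command_line=r'C:\Windows\explorer.exe',
        image=r"C:\Windows\System32\notepad.exe",
        command_line=r'"C:\Windows\System32\notepad.exe" "C:\Users\alice\Downloads\README.md"',
        user="CORP\\alice",
    ),
    ProcessEvent(  # tuned out: allowlisted helper process
        parent_image=r"C:\Windows\System32\notepad.exe",
        parent_command_line=r'"C:\Windows\System32\notepad.exe" "C:\Users\alice\Downloads\README.md"',
        image=r"C:\Windows\System32\conhost.exe",
        command_line=r'\??\C:\Windows\System32\conhost.exe 0x4',
        user="CORP\\alice",
    ),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT user={hit.user} parent={hit.parent_image} child={hit.image} args={hit.command_line!r}")
```

The allowlist keys on the child image name plus a command-line fragment rather than on the parent alone, so a tuned-out helper cannot also hide an arbitrary child launched through the same parent; when adding entries, prefer the most specific fragment the legitimate tool reliably produces.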
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
- Windows Registry
- File
ATT&CK Techniques
- T1203
Created: 2026-02-16