
I have recently begun noticing several computers in my corporate network exhibiting some unexpected behavior when opening .txt and .rtf documents from a UNC path hosted on my DC using notepad.exe.

In each case, upon opening the document, notepad.exe forms a TCP connection on tcp/389 (LDAP) to the DC and also spawns lsass.exe as a child process.

Is there a reason this would occur normally in a domain? I have used our EDR tools to verify that no malicious code injection or RPC has occurred, that no malicious network IOCs are present, and that the process's (notepad.exe) 'lineage' is normal (winlogon.exe -> userinit.exe -> explorer.exe -> notepad.exe).

Is there something plainly obvious that I am missing? Any and all insights appreciated.

D3r513g
  • How about malicious code in lsass.exe? Actually, what tools told you that the whole process _is_ a child of Notepad? Having more than one instance of LSASS is highly unusual, and having it running as a child of some random user process is even more so. (Now the _real_ LSASS making LDAP connections to the DC would be completely normal...) – u1686_grawity Nov 03 '20 at 05:34
  • The PPID/PID relationship between notepad.exe and lsass.exe, with lsass.exe's PPID matching notepad.exe's PID, alerted me to the fact that notepad.exe spawned LSASS. This same methodology was followed to establish the process ancestry of notepad.exe as well. Further investigation using ProcMon confirmed this and also allowed me to reasonably conclude that notepad.exe and its progenitors had not been injected into maliciously; this conclusion was based on following the TIDs, noting the absence of API calls commonly associated with code migration like CreateRemoteThread, VirtualProtect, etc. – D3r513g Nov 03 '20 at 07:34
  • All Windows binaries (notepad.exe, explorer.exe, lsass.exe) were digitally signed by Microsoft as expected. No processes involved had network connections to outside IPs. It seems malicious simply because I can't adequately explain the behavior, but it is also only and consistently observed when someone is accessing a file from a mapped drive living on the DC. So strange.. Anything else I should check to confirm malicious activity? I appreciate the response. – D3r513g Nov 03 '20 at 07:38
  • Have you seen the CreateProcess call from Notepad that spawns lsass, then? Is this the only lsass.exe instance on the system? What user ID is it running as? – u1686_grawity Nov 03 '20 at 07:41
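The checks the comments above ask for (is there only one lsass.exe, who is its parent, which user is it running as), as an added example that is not part of the original thread: a small Python audit over a constructed process snapshot in the shape of Sysmon Event ID 1 / EDR process-creation records. The baseline it encodes is the normal Windows arrangement, exactly one lsass.exe started by wininit.exe, running as NT AUTHORITY\SYSTEM from C:\Windows\System32. The PIDs, the user CORP\alice and the records themselves are assumptions made up for the sample; the original post does not state them. The second lsass.exe in the sample deliberately sits at the legitimate path, so the path check passes and the finding rests on lineage, user and instance count alone.

```python
"""Audit lsass.exe instances against the normal Windows process baseline.

Added example, not code from the original post. The input is a constructed
snapshot of process-creation telemetry (pid, ppid, image path, user) in the
shape of Sysmon Event ID 1 or an EDR process table. Baseline assumed here:
one lsass.exe, parent wininit.exe, user NT AUTHORITY\\SYSTEM, image in
C:\\Windows\\System32.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    user: str


SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
EXPECTED_LSASS_IMAGE = r"C:\Windows\System32\lsass.exe"
EXPECTED_LSASS_PARENT = "wininit.exe"

# Constructed snapshot (assumed PIDs and user) reproducing the situation in
# the post: the real lsass.exe under wininit.exe, and a second lsass.exe whose
# PPID is notepad.exe's PID. PID 400 stands for smss.exe, which on a real host
# has already exited and is therefore absent from the snapshot.
SAMPLE_PROCS = [
    Proc(512, 400, r"C:\Windows\System32\wininit.exe", SYSTEM_USER),
    Proc(640, 512, r"C:\Windows\System32\lsass.exe", SYSTEM_USER),
    Proc(700, 400, r"C:\Windows\System32\winlogon.exe", SYSTEM_USER),
    Proc(2100, 700, r"C:\Windows\System32\userinit.exe", r"CORP\alice"),
    Proc(2200, 2100, r"C:\Windows\explorer.exe", r"CORP\alice"),
    Proc(3300, 2200, r"C:\Windows\System32\notepad.exe", r"CORP\alice"),
    Proc(3400, 3300, r"C:\Windows\System32\lsass.exe", r"CORP\alice"),
]


def basename(image: str) -> str:
    """Lower-cased file name of an image path (last backslash component)."""
    return image.rsplit("\\", 1)[-1].lower()


def lineage(procs, pid):
    """Walk PPIDs upward and return image names root-first, e.g.
    ['winlogon.exe', 'userinit.exe', 'explorer.exe', 'notepad.exe'].
    Stops when the parent is not in the snapshot (exited) or on a PID cycle."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def audit_lsass(procs):
    """Return (pid, reason) findings for every way the snapshot departs from
    the lsass.exe baseline. A finding with pid None concerns the host as a
    whole (instance count) rather than one process."""
    by_pid = {p.pid: p for p in procs}
    lsass = [p for p in procs if basename(p.image) == "lsass.exe"]
    findings = []
    if len(lsass) != 1:
        findings.append((None, f"expected exactly one lsass.exe, found {len(lsass)}"))
    for p in lsass:
        if p.image.lower() != EXPECTED_LSASS_IMAGE.lower():
            findings.append((p.pid, f"unexpected image path {p.image}"))
        parent = by_pid.get(p.ppid)
        parent_name = basename(parent.image) if parent else "<not in snapshot>"
        if parent_name != EXPECTED_LSASS_PARENT:
            findings.append((p.pid, f"parent is {parent_name} (pid {p.ppid}), "
                                    f"expected {EXPECTED_LSASS_PARENT}"))
        if p.user.lower() != SYSTEM_USER.lower():
            findings.append((p.pid, f"running as {p.user}, expected {SYSTEM_USER}"))
    return findings


if __name__ == "__main__":
    print("notepad lineage:", " -> ".join(lineage(SAMPLE_PROCS, 3300)))
    for pid, reason in audit_lsass(SAMPLE_PROCS):
        print(f"[lsass audit] pid={pid}: {reason}")
```

On a live host the same snapshot comes from Sysmon Event ID 1 or from Get-CimInstance Win32_Process (ProcessId, ParentProcessId, ExecutablePath). One caveat a PPID match alone does not cover: a PPID only identifies the parent if that parent is still running and its PID has not been reused since, so the ParentProcessGuid in Sysmon events, or the CreateProcess call observed in ProcMon, is stronger evidence of who started a process than matching PIDs after the fact.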
