
Is there any known legitimate reason that notepad.exe would make network connections to a domain controller? I observed this behavior. The first connection was to port 135 and the second was to one of the Microsoft RPC dynamic ports. In addition, I also observed an SNMP request (port 161 UDP) to some random device where Sysmon reported the source process as C:\windows\system32\notepad.exe

I don't think there is any legitimate reason for notepad to be making SNMP requests, but what about to a DC on those ports listed above?

dcom-launch
  • I assume you observed such a behavior? –  Sep 07 '21 at 15:33
  • Yes and after some research I found that metasploit and cobalt strike use notepad as their default process to spawn and inject into – dcom-launch Sep 07 '21 at 15:42
  • Microsoft meta-data reporting monitors all kinds of application start/stops. It even monitors non-Microsoft products, I've watched it report opening and closing Firefox for example. I don't recall whether I saw Notepad specifically but I did this analysis over 4 years ago. – user10216038 Sep 07 '21 at 16:44
  • If you are opening files over network share, Notepad may want to contact the DC to authenticate. See the answer why shell-generated traffic is attributed to process invoking the shell – usr-local-ΕΨΗΕΛΩΝ Sep 08 '21 at 14:23

1 Answer


When a shell dialog (file open/save, print, etc.) is opened, network traffic generated by accesses to SMB file shares or other network resources will be attributed to the process that is accessing those resources. That means both direct connections to the system that is hosting the resource, and connections to the domain if services need to be discovered, policies need to be looked up, or authentication tokens need to be requested. As such, seeing traffic to port 135 from Notepad in a domain is not that unusual. It'd be even more likely if you're replicating user profiles to a central location so that a user can roam to other workstations.

Seeing SNMP from that process is rather unusual. One explanation might be if a security or monitoring product you have installed sends back telemetry from modules that are injected into running processes. I know that SolarWinds uses SNMP for some of its telemetry collection, but I'm not sure on the exact implementation.

If you don't have more information to go on, such as packet captures of the traffic in question, I would recommend being cautious and following your incident response plan. At minimum I would get someone qualified to do some forensic capture and investigation of the affected host.

Polynomial
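The triage the answer implies, written out as an added example (this is not the asker's or answerer's code). It classifies Sysmon Event ID 3 (NetworkConnect) destination ports into the classes discussed above (SMB on 445, the RPC endpoint mapper on 135, the RPC dynamic range, SNMP on 161/udp) and pulls context from two other Sysmon event types: Event ID 1 (ProcessCreate), where a UNC path on notepad's command line explains share and domain traffic being attributed to it, and Event ID 8 (CreateRemoteThread), which is how a thread injected into notepad shows up. The event records, GUIDs, hostnames, IPs and the injecting binary name are all constructed sample data.

```python
"""Triage Sysmon network connections from a process that should not be talking
to the network (here notepad.exe). Added example for this thread; the sample
events below are constructed, not the asker's actual Sysmon output."""
from collections import defaultdict

# Modern Windows RPC dynamic range; pre-Vista systems used 1025-5000 instead.
RPC_DYNAMIC = range(49152, 65536)
DOMAIN_CATEGORIES = {"smb", "rpc-epm", "rpc-dynamic"}


def classify_port(protocol, port):
    """Map protocol/port to the traffic classes discussed in the answer."""
    protocol = protocol.lower()
    if protocol == "tcp" and port == 445:
        return "smb"            # file share access
    if protocol == "tcp" and port == 135:
        return "rpc-epm"        # RPC endpoint mapper
    if protocol == "tcp" and port in RPC_DYNAMIC:
        return "rpc-dynamic"    # RPC service negotiated via the endpoint mapper
    if protocol == "udp" and port == 161:
        return "snmp"
    return "other"


def triage(events, image_suffix="\\notepad.exe"):
    """One finding per Sysmon Event ID 3 (NetworkConnect) from the watched image.

    Context taken from other Sysmon events:
      * Event ID 1 (ProcessCreate): a UNC path on the command line means the
        user opened a file on a share, so SMB and the domain lookups behind it
        are expected to be attributed to this process.
      * Event ID 8 (CreateRemoteThread): a thread created in the process by
        another process before the connection is what injection looks like.
    """
    cmdline = {}                          # ProcessGuid -> CommandLine
    remote_threads = defaultdict(list)    # TargetProcessGuid -> [UtcTime]
    for ev in events:
        if ev["EventID"] == 1:
            cmdline[ev["ProcessGuid"]] = ev.get("CommandLine", "")
        elif ev["EventID"] == 8:
            remote_threads[ev["TargetProcessGuid"]].append(ev["UtcTime"])

    findings = []
    for ev in events:
        if ev["EventID"] != 3 or not ev["Image"].lower().endswith(image_suffix.lower()):
            continue
        guid = ev["ProcessGuid"]
        category = classify_port(ev["Protocol"], ev["DestinationPort"])
        opened_unc = "\\\\" in cmdline.get(guid, "")
        # Sysmon UtcTime strings sort chronologically, so string comparison is enough.
        injected = any(t <= ev["UtcTime"] for t in remote_threads.get(guid, []))

        if injected:
            verdict, reason = "investigate", "remote thread created in process before the connection"
        elif category in DOMAIN_CATEGORIES and opened_unc:
            verdict, reason = "plausible", "share/domain traffic from a shell dialog (UNC path on command line)"
        elif category in DOMAIN_CATEGORIES:
            verdict, reason = "review", "domain/RPC traffic but no UNC path on the command line"
        else:
            verdict, reason = "investigate", f"{category} traffic has no shell-dialog explanation"
        findings.append({"guid": guid, "port": ev["DestinationPort"], "proto": ev["Protocol"],
                         "category": category, "verdict": verdict, "reason": reason})
    return findings


# Constructed sample: G1 opened a file on a share and talked to the DC (10.0.0.10);
# G2 had a thread injected by another process, then hit the DC and an SNMP target.
NOTEPAD = "C:\\Windows\\System32\\notepad.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2021-09-07 15:01:02.100", "ProcessGuid": "G1", "Image": NOTEPAD,
     "CommandLine": f'"{NOTEPAD}" \\\\fs01\\share\\notes.txt'},
    {"EventID": 3, "UtcTime": "2021-09-07 15:01:02.500", "ProcessGuid": "G1", "Image": NOTEPAD,
     "Protocol": "tcp", "DestinationIp": "10.0.0.10", "DestinationPort": 135},
    {"EventID": 3, "UtcTime": "2021-09-07 15:01:02.600", "ProcessGuid": "G1", "Image": NOTEPAD,
     "Protocol": "tcp", "DestinationIp": "10.0.0.10", "DestinationPort": 49670},
    {"EventID": 1, "UtcTime": "2021-09-07 15:20:00.000", "ProcessGuid": "G2", "Image": NOTEPAD,
     "CommandLine": f'"{NOTEPAD}"'},
    {"EventID": 8, "UtcTime": "2021-09-07 15:20:05.000", "SourceProcessGuid": "G9",
     "SourceImage": "C:\\Users\\bob\\Downloads\\invoice.exe", "TargetProcessGuid": "G2", "TargetImage": NOTEPAD},
    {"EventID": 3, "UtcTime": "2021-09-07 15:21:00.000", "ProcessGuid": "G2", "Image": NOTEPAD,
     "Protocol": "tcp", "DestinationIp": "10.0.0.10", "DestinationPort": 135},
    {"EventID": 3, "UtcTime": "2021-09-07 15:21:30.000", "ProcessGuid": "G2", "Image": NOTEPAD,
     "Protocol": "udp", "DestinationIp": "10.0.5.20", "DestinationPort": 161},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['guid']} -> :{f['port']}/{f['proto']} [{f['category']}] {f['verdict']}: {f['reason']}")
```

Two caveats on reading the verdicts. "Review" is not "malicious": as the answer says, roaming profiles and other domain housekeeping produce the same 135/dynamic-RPC pattern, and a user who browses to a share from within the File > Open dialog leaves no UNC path on the command line, so the absence of one proves nothing on its own. Conversely, a missing Event ID 8 does not clear the process; it only means Sysmon saw no CreateRemoteThread, and the SNMP traffic alone is enough to justify the forensic capture the answer recommends.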