
I have recently begun noticing several computers in my corporate network exhibiting some unexpected behavior when opening .txt and .rtf documents from a UNC path hosted on my DC using notepad.exe.

In each case, upon opening the document, notepad.exe forms a TCP connection on tcp/389 (LDAP) to the DC and also spawns lsass.exe as a Child Process.

Is there a reason this would occur normally in a domain? I have used our EDR tools to verify that no malicious code injection or RPC has occurred, no malicious network IOCs are present, and that the process’ (notepad.exe) ‘lineage’ is normal (winlogon.exe -> userinit.exe -> explorer.exe -> notepad.exe).

Is there something plainly obvious that I am missing? Any and all insights appreciated.

D3r513g
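An added triage check (not from the original post or its author) that turns the two observations above into detection logic over constructed Sysmon-style events: a process outside an allowlist connecting to tcp/389, and lsass.exe created by a parent other than wininit.exe. The allowlist of expected LDAP clients is an assumption; the event records are constructed, not taken from the poster's environment.

```python
# Sysmon-style records, constructed for this example: ID 1 = process creation,
# ID 3 = network connection. Field names mirror Sysmon's but are simplified.
SAMPLE_EVENTS = [
    {"id": 3, "image": r"C:\Windows\System32\notepad.exe",
     "dst_ip": "10.0.0.5", "dst_port": 389},                       # the poster's case
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "10.0.0.5", "dst_port": 389},                       # normal LDAP client
    {"id": 1, "image": r"C:\Windows\System32\lsass.exe",
     "parent_image": r"C:\Windows\System32\notepad.exe"},          # the poster's case
    {"id": 1, "image": r"C:\Windows\System32\lsass.exe",
     "parent_image": r"C:\Windows\System32\wininit.exe"},          # normal lsass start
]

# Assumption: on a domain-joined workstation these are the images that are
# expected to speak LDAP to a DC. Tune for your environment.
EXPECTED_LDAP_CLIENTS = {"lsass.exe", "svchost.exe"}

# lsass.exe is launched by wininit.exe on modern Windows; any other parent
# is worth a closer look.
EXPECTED_LSASS_PARENT = "wininit.exe"
LDAP_PORT = 389


def basename(path):
    """Return the lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, subject, detail) tuples for events matching either rule."""
    findings = []
    for ev in events:
        if ev["id"] == 3 and ev.get("dst_port") == LDAP_PORT:
            image = basename(ev["image"])
            if image not in EXPECTED_LDAP_CLIENTS:
                findings.append(("ldap_from_unexpected_process", image, ev["dst_ip"]))
        elif ev["id"] == 1 and basename(ev["image"]) == "lsass.exe":
            parent = basename(ev["parent_image"])
            if parent != EXPECTED_LSASS_PARENT:
                findings.append(("lsass_unexpected_parent", parent, basename(ev["image"])))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against real Sysmon exports, the two rules separate the behaviour described in the question from the routine LDAP and lsass.exe activity a domain member always shows.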

0 Answers