Veritas
F006 · MEDIUM · Suspicious · validator: passed

Multiple rundll32.exe instances with null command lines spawned from PowerShell child

rundll32.exe

Analyst narrative

PowerShell child process (PID 5848) spawned 6 rundll32.exe instances with null/missing command lines between 2018-08-30 18:31:04 and 2018-09-06 17:26:35. The narrative times carry no timezone, while the pstree facts below are UTC (PID 2216 was created 2018-08-30T22:31:57+00:00 and exited 22 seconds later), so the narrative appears to use a local offset — confirm before correlating with other sources. A rundll32.exe started with no arguments is a common sacrificial host for process injection; a missing command line is not by itself evidence of DLL sideloading, which should be treated as a separate hypothesis needing its own evidence (loaded-module or file-path facts). Caveats: the proof chain on this page validates only PID 2216, not all six instances, and that process had already terminated when the image was captured (ExitTime set, Threads 0, Handles null) — the process parameters of an exited process are frequently unreadable from memory, so its null Args may be an artifact of termination rather than of injection. The token facts for PID 2216 raise the stakes regardless: it ran as domain user spsql, a member of Domain Admins, at High integrity, in session 0 as a 32-bit (Wow64) image, with SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeLoadDriverPrivilege and SeImpersonatePrivilege present and enabled; one domain group SID in the token (RID 572) did not resolve to a name.

Claims asserted

pid — vol_pstree, vol_cmdline, vol_psxview (no vol_psxview fact appears in the proof chain below; the process facts shown come from vol_psscan and vol_pstree)
user_accounts — spsql

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query. Read the privilege facts with care: vol_privileges emits one row per privilege the OS defines, and only rows whose Attributes include "Present" were actually in the process token (and only "Enabled" ones were active at the time); an empty Attributes field, as on SeTcbPrivilege and SeCreateTokenPrivilege here, means the privilege was not held.

privilege factprivilege:pid:2216:SeCreateTokenPrivilege
vol_privileges
Raw tool output · 8d23048388d9f00212eabbceb6dfb0a3d79b6036
{"Attributes": "", "Description": "Create a token object", "PID": 2216, "Privilege": "SeCreateTokenPrivilege", "Process": "rundll32.exe", "Value": 2, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeAssignPrimaryTokenPrivilege
vol_privileges
Raw tool output · e4e481d5b8d48d6db0275b482013c0dcccd119c2
{"Attributes": "", "Description": "Replace a process-level token", "PID": 2216, "Privilege": "SeAssignPrimaryTokenPrivilege", "Process": "rundll32.exe", "Value": 3, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeLockMemoryPrivilege
vol_privileges
Raw tool output · ac06d7e81b70ebf2b5018d62433e1ce2ce38f303
{"Attributes": "", "Description": "Lock pages in memory", "PID": 2216, "Privilege": "SeLockMemoryPrivilege", "Process": "rundll32.exe", "Value": 4, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeIncreaseQuotaPrivilege
vol_privileges
Raw tool output · c4c5fec36fa912d26c3a74b982c855ec1aa48794
{"Attributes": "Present,Enabled,Default", "Description": "Increase quotas", "PID": 2216, "Privilege": "SeIncreaseQuotaPrivilege", "Process": "rundll32.exe", "Value": 5, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeMachineAccountPrivilege
vol_privileges
Raw tool output · 78c84835273b9cae85c9e6d06d6817565342bf2b
{"Attributes": "", "Description": "Add workstations to the domain", "PID": 2216, "Privilege": "SeMachineAccountPrivilege", "Process": "rundll32.exe", "Value": 6, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeTcbPrivilege
vol_privileges
Raw tool output · 1588d37d41a10fdc332b4a06454a127d8727776f
{"Attributes": "", "Description": "Act as part of the operating system", "PID": 2216, "Privilege": "SeTcbPrivilege", "Process": "rundll32.exe", "Value": 7, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeSecurityPrivilege
vol_privileges
Raw tool output · c54660606cf7b13273fc0eff150290342ec84c56
{"Attributes": "Present,Enabled,Default", "Description": "Manage auditing and security log", "PID": 2216, "Privilege": "SeSecurityPrivilege", "Process": "rundll32.exe", "Value": 8, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeTakeOwnershipPrivilege
vol_privileges
Raw tool output · 872cef89bd3fdfa7313369e2e592d771952465e1
{"Attributes": "Present,Enabled,Default", "Description": "Take ownership of files/objects", "PID": 2216, "Privilege": "SeTakeOwnershipPrivilege", "Process": "rundll32.exe", "Value": 9, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeLoadDriverPrivilege
vol_privileges
Raw tool output · 1a013adedbb7cb6b6d61b6ad00886e0ea392d55c
{"Attributes": "Present,Enabled,Default", "Description": "Load and unload device drivers", "PID": 2216, "Privilege": "SeLoadDriverPrivilege", "Process": "rundll32.exe", "Value": 10, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeSystemProfilePrivilege
vol_privileges
Raw tool output · 5934156fcf5f8205c372c376cf9ecfa4528016d6
{"Attributes": "Present,Enabled,Default", "Description": "Profile system performance", "PID": 2216, "Privilege": "SeSystemProfilePrivilege", "Process": "rundll32.exe", "Value": 11, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeSystemtimePrivilege
vol_privileges
Raw tool output · 62bcf76a83af9789b71f05200a63df246457532b
{"Attributes": "Present,Enabled,Default", "Description": "Change the system time", "PID": 2216, "Privilege": "SeSystemtimePrivilege", "Process": "rundll32.exe", "Value": 12, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeProfileSingleProcessPrivilege
vol_privileges
Raw tool output · a86ba0f7084e39ba82a9c70f314af17fa82a652b
{"Attributes": "Present,Enabled,Default", "Description": "Profile a single process", "PID": 2216, "Privilege": "SeProfileSingleProcessPrivilege", "Process": "rundll32.exe", "Value": 13, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeIncreaseBasePriorityPrivilege
vol_privileges
Raw tool output · 8d048aec0c648422f670b326b7abebc7c96eae65
{"Attributes": "Present,Enabled,Default", "Description": "Increase scheduling priority", "PID": 2216, "Privilege": "SeIncreaseBasePriorityPrivilege", "Process": "rundll32.exe", "Value": 14, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeCreatePagefilePrivilege
vol_privileges
Raw tool output · 8c716a0ab5e1a103981c5d514aa78c75aeef2a00
{"Attributes": "Present,Enabled,Default", "Description": "Create a pagefile", "PID": 2216, "Privilege": "SeCreatePagefilePrivilege", "Process": "rundll32.exe", "Value": 15, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeCreatePermanentPrivilege
vol_privileges
Raw tool output · c7255015acb7982929d1fc0b4cab959ab38f9be8
{"Attributes": "", "Description": "Create permanent shared objects", "PID": 2216, "Privilege": "SeCreatePermanentPrivilege", "Process": "rundll32.exe", "Value": 16, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeBackupPrivilege
vol_privileges
Raw tool output · af2140f3de0a945af19f8d70165591165922534d
{"Attributes": "Present,Enabled,Default", "Description": "Backup files and directories", "PID": 2216, "Privilege": "SeBackupPrivilege", "Process": "rundll32.exe", "Value": 17, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeRestorePrivilege
vol_privileges
Raw tool output · 38d792bc6b02e7e73d53888ecff32e1447720fcd
{"Attributes": "Present,Enabled,Default", "Description": "Restore files and directories", "PID": 2216, "Privilege": "SeRestorePrivilege", "Process": "rundll32.exe", "Value": 18, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeShutdownPrivilege
vol_privileges
Raw tool output · 76ff4767861a41a43233a262948fcacf3bc831c5
{"Attributes": "Present,Enabled,Default", "Description": "Shut down the system", "PID": 2216, "Privilege": "SeShutdownPrivilege", "Process": "rundll32.exe", "Value": 19, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeDebugPrivilege
vol_privileges
Raw tool output · b6c0439dcb4606e67ee120d5746873d5fa77ce26
{"Attributes": "Present,Enabled,Default", "Description": "Debug programs", "PID": 2216, "Privilege": "SeDebugPrivilege", "Process": "rundll32.exe", "Value": 20, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeAuditPrivilege
vol_privileges
Raw tool output · 662eae462bff21545d02218a6dd7801f193bd4ed
{"Attributes": "", "Description": "Generate security audits", "PID": 2216, "Privilege": "SeAuditPrivilege", "Process": "rundll32.exe", "Value": 21, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeSystemEnvironmentPrivilege
vol_privileges
Raw tool output · ae6fd49fb82c73abde8935dda86085e5fad4a8b0
{"Attributes": "Present,Enabled,Default", "Description": "Edit firmware environment values", "PID": 2216, "Privilege": "SeSystemEnvironmentPrivilege", "Process": "rundll32.exe", "Value": 22, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeChangeNotifyPrivilege
vol_privileges
Raw tool output · e50aa45a25ce1e04052e8bd975416636ca4ff62e
{"Attributes": "Present,Enabled,Default", "Description": "Receive notifications of changes to files or directories", "PID": 2216, "Privilege": "SeChangeNotifyPrivilege", "Process": "rundll32.exe", "Value": 23, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeRemoteShutdownPrivilege
vol_privileges
Raw tool output · bd35643223e5028e3013a3a024f13ddbef3ad370
{"Attributes": "Present,Enabled,Default", "Description": "Force shutdown from a remote system", "PID": 2216, "Privilege": "SeRemoteShutdownPrivilege", "Process": "rundll32.exe", "Value": 24, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeUndockPrivilege
vol_privileges
Raw tool output · faad6858fbfe810770d96603895000e3bdf1728a
{"Attributes": "Present,Enabled,Default", "Description": "Remove computer from docking station", "PID": 2216, "Privilege": "SeUndockPrivilege", "Process": "rundll32.exe", "Value": 25, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeSyncAgentPrivilege
vol_privileges
Raw tool output · 82e8e8df2f412e3ed2f434bceba3b03dc46298eb
{"Attributes": "", "Description": "Synch directory service data", "PID": 2216, "Privilege": "SeSyncAgentPrivilege", "Process": "rundll32.exe", "Value": 26, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeEnableDelegationPrivilege
vol_privileges
Raw tool output · ddcfff30823327488209775707f1797316693dc8
{"Attributes": "", "Description": "Enable user accounts to be trusted for delegation", "PID": 2216, "Privilege": "SeEnableDelegationPrivilege", "Process": "rundll32.exe", "Value": 27, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeManageVolumePrivilege
vol_privileges
Raw tool output · e7004e74e63a6e9b6108102a187421640b237acd
{"Attributes": "Present,Enabled,Default", "Description": "Manage the files on a volume", "PID": 2216, "Privilege": "SeManageVolumePrivilege", "Process": "rundll32.exe", "Value": 28, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeImpersonatePrivilege
vol_privileges
Raw tool output · 952e1355add4bd51ebb526ff63bc5c496e3f4984
{"Attributes": "Present,Enabled,Default", "Description": "Impersonate a client after authentication", "PID": 2216, "Privilege": "SeImpersonatePrivilege", "Process": "rundll32.exe", "Value": 29, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeCreateGlobalPrivilege
vol_privileges
Raw tool output · f8a99bc9afe964b88f396e32938dfe3ba10f9576
{"Attributes": "Present,Enabled,Default", "Description": "Create global objects", "PID": 2216, "Privilege": "SeCreateGlobalPrivilege", "Process": "rundll32.exe", "Value": 30, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeTrustedCredManAccessPrivilege
vol_privileges
Raw tool output · 276dded5a20fc99d0928d037d8a95422c3b5533f
{"Attributes": "", "Description": "Access Credential Manager as a trusted caller", "PID": 2216, "Privilege": "SeTrustedCredManAccessPrivilege", "Process": "rundll32.exe", "Value": 31, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeRelabelPrivilege
vol_privileges
Raw tool output · fa6782668f690c53f43ea39c10493b91d4a79db3
{"Attributes": "", "Description": "Modify the mandatory integrity level of an object", "PID": 2216, "Privilege": "SeRelabelPrivilege", "Process": "rundll32.exe", "Value": 32, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeIncreaseWorkingSetPrivilege
vol_privileges
Raw tool output · be50486e2f8a8355dfcfbb02f8eb81c49722e152
{"Attributes": "Present,Enabled,Default", "Description": "Allocate more memory for user applications", "PID": 2216, "Privilege": "SeIncreaseWorkingSetPrivilege", "Process": "rundll32.exe", "Value": 33, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeTimeZonePrivilege
vol_privileges
Raw tool output · d28a653ac3c505577e9880a6c650424a40603717
{"Attributes": "Present,Enabled,Default", "Description": "Adjust the time zone of the computer's internal clock", "PID": 2216, "Privilege": "SeTimeZonePrivilege", "Process": "rundll32.exe", "Value": 34, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeCreateSymbolicLinkPrivilege
vol_privileges
Raw tool output · 2e1e95d81b5f3e1fb1c0b5edadf5f36f3f156aee
{"Attributes": "Present,Enabled,Default", "Description": "Required to create a symbolic link", "PID": 2216, "Privilege": "SeCreateSymbolicLinkPrivilege", "Process": "rundll32.exe", "Value": 35, "TreeDepth": 0}
privilege factprivilege:pid:2216:SeDelegateSessionUserImpersonatePrivilege
vol_privileges
Raw tool output · e924b4b9053c58c538587fe8096a27b4118c3b82
{"Attributes": "Present,Enabled,Default", "Description": "Obtain an impersonation token for another user in the same session.", "PID": 2216, "Privilege": "SeDelegateSessionUserImpersonatePrivilege", "Process": "rundll32.exe", "Value": 36, "TreeDepth": 0}
process cmdline factcmdline:pid:2216
vol_cmdline
Raw tool output · 65bc7c74a313df5e7f5a2afff892980c0689e9f3
{"Args": null, "PID": 2216, "Process": "rundll32.exe", "TreeDepth": 0}
process factpid:2216
vol_psscan, vol_pstree
Raw tool output · f9613021ed1839d7825f0ab4f971d990014ac79c
{"CreateTime": "2018-08-30T22:31:57+00:00", "ExitTime": "2018-08-30T22:32:19+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518744704384, "PID": 2216, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": true, "TreeDepth": 0}
process relationship factpid:2216->pid:5848
vol_psscan, vol_pstree
Raw tool output · 335b2f5830e2d4f512666924a313d636409c06c5
{"CreateTime": "2018-08-30T22:31:57+00:00", "ExitTime": "2018-08-30T22:32:19+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518744704384, "PID": 2216, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": true, "TreeDepth": 0}
sid factsid:pid:2216:S-1-5-21-3445421715-2530590580-3149308974-1193
vol_getsids
Raw tool output · cdb91ce446ed7f3813bf96574a0ff08d5c17e17f
{"Name": "spsql", "PID": 2216, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-1193", "TreeDepth": 0}
sid factsid:pid:2216:S-1-5-21-3445421715-2530590580-3149308974-513
vol_getsids
Raw tool output · cff1d893130a78afe63f05d43222cc1410776a4b
{"Name": "Domain Users", "PID": 2216, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-513", "TreeDepth": 0}
sid factsid:pid:2216:S-1-1-0
vol_getsids
Raw tool output · a9efdfeb45e4ecb80528070b8f3255f960d84e48
{"Name": "Everyone", "PID": 2216, "Process": "rundll32.exe", "SID": "S-1-1-0", "TreeDepth": 0}
sid factsid:pid:2216:S-1-5-32-545
vol_getsids
Raw tool output · bdb050a09927b7421954ae9b021bec6a0f00e2cc
{"Name": "Users", "PID": 2216, "Process": "rundll32.exe", "SID": "S-1-5-32-545", "TreeDepth": 0}
sid factsid:pid:2216:S-1-5-32-544
vol_getsids
Raw tool output · cf7998252039fcb49f5a544dffbc8c264bbe1e64
{"Name": "Administrators", "PID": 2216, "Process": "rundll32.exe", "SID": "S-1-5-32-544", "TreeDepth": 0}
sid factsid:pid:2216:S-1-5-2
vol_getsids
Raw tool output · daff9993cf63faaf0eb613e6f5d9616f136a338f
{"Name": "Network", "PID": 2216, "Process": "rundll32.exe", "SID": "S-1-5-2", "TreeDepth": 0}
sid factsid:pid:2216:S-1-5-11
vol_getsids
Raw tool output · b63e6b316c4ba27ef72cf872baf05f28b027c9c4
{"Name": "Authenticated Users", "PID": 2216, "Process": "rundll32.exe", "SID": "S-1-5-11", "TreeDepth": 0}
sid factsid:pid:2216:S-1-5-15
vol_getsids
Raw tool output · 9f308ab36fe092364d5cbf1bfe821c924542900b
{"Name": "This Organization", "PID": 2216, "Process": "rundll32.exe", "SID": "S-1-5-15", "TreeDepth": 0}
sid factsid:pid:2216:S-1-5-21-3445421715-2530590580-3149308974-512
vol_getsids
Raw tool output · a44b33c8e09fbb38504ee31087c043a3be4c4a84
{"Name": "Domain Admins", "PID": 2216, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-512", "TreeDepth": 0}
sid factsid:pid:2216:S-1-18-1
vol_getsids
Raw tool output · 4c7deec681a59f9efb38671cff5621f632fb055d
{"Name": "Authentication Authority Asserted Identity", "PID": 2216, "Process": "rundll32.exe", "SID": "S-1-18-1", "TreeDepth": 0}
sid factsid:pid:2216:S-1-5-21-3445421715-2530590580-3149308974-572
vol_getsids
Raw tool output · 350e119836c26e9f4119e96e7b89f2078be308be
{"Name": null, "PID": 2216, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-572", "TreeDepth": 0}
sid factsid:pid:2216:S-1-16-12288
vol_getsids
Raw tool output · 9d45501bac4c320287d8bbc8cdcaa6739f3baf57
{"Name": "High Mandatory Level", "PID": 2216, "Process": "rundll32.exe", "SID": "S-1-16-12288", "TreeDepth": 0}

Source tools

vol_cmdline, vol_pstree, vol_psxview (the proof chain above also contains facts produced by vol_privileges, vol_getsids and vol_psscan, which are not listed here)