F007 · MEDIUM · Suspicious · validator: passed
Multiple rundll32.exe instances with null command lines spawned from PowerShell child
rundll32.exe
Analyst narrative
PowerShell child process (PID 5848) spawned 6 rundll32.exe instances with null/missing command lines between 2018-08-30 18:31:04 and 2018-09-06 17:26:35, indicative of process injection or DLL sideloading patterns.
Claims asserted
user_account · spsql
pid · - · vol_pstree, vol_cmdline, vol_psxview
Proof chain · 50 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
privilege fact · privilege:pid:5452:SeCreateTokenPrivilege · vol_privileges
Raw tool output · d7378554c6a11e3b592a37a7eba8976313981ba3
{"Attributes": "", "Description": "Create a token object", "PID": 5452, "Privilege": "SeCreateTokenPrivilege", "Process": "rundll32.exe", "Value": 2, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeAssignPrimaryTokenPrivilege · vol_privileges
Raw tool output · d04f2aad7ae908a9602bad9cbf84211b289cc97d
{"Attributes": "", "Description": "Replace a process-level token", "PID": 5452, "Privilege": "SeAssignPrimaryTokenPrivilege", "Process": "rundll32.exe", "Value": 3, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeLockMemoryPrivilege · vol_privileges
Raw tool output · 7369993a3ad14a7f16c8a75317ebcaf10fa498a6
{"Attributes": "", "Description": "Lock pages in memory", "PID": 5452, "Privilege": "SeLockMemoryPrivilege", "Process": "rundll32.exe", "Value": 4, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeIncreaseQuotaPrivilege · vol_privileges
Raw tool output · d868c5a62997b036d89a763de47b136d2dd34b67
{"Attributes": "Present,Enabled,Default", "Description": "Increase quotas", "PID": 5452, "Privilege": "SeIncreaseQuotaPrivilege", "Process": "rundll32.exe", "Value": 5, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeMachineAccountPrivilege · vol_privileges
Raw tool output · 59c9f713fd92ea0c823c377614989db4fa117a02
{"Attributes": "", "Description": "Add workstations to the domain", "PID": 5452, "Privilege": "SeMachineAccountPrivilege", "Process": "rundll32.exe", "Value": 6, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeTcbPrivilege · vol_privileges
Raw tool output · 9222b0fc0a4f222fb8afe37fdd1d3b53665c9939
{"Attributes": "", "Description": "Act as part of the operating system", "PID": 5452, "Privilege": "SeTcbPrivilege", "Process": "rundll32.exe", "Value": 7, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeSecurityPrivilege · vol_privileges
Raw tool output · a4438b99285f809dfa802e06b1baa8c916d239cf
{"Attributes": "Present,Enabled,Default", "Description": "Manage auditing and security log", "PID": 5452, "Privilege": "SeSecurityPrivilege", "Process": "rundll32.exe", "Value": 8, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeTakeOwnershipPrivilege · vol_privileges
Raw tool output · dd5f43d57be4fb5063ef71a78b956679f062559f
{"Attributes": "Present,Enabled,Default", "Description": "Take ownership of files/objects", "PID": 5452, "Privilege": "SeTakeOwnershipPrivilege", "Process": "rundll32.exe", "Value": 9, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeLoadDriverPrivilege · vol_privileges
Raw tool output · c22a74dd149edd0995f09df66cb736f94e3c0c9b
{"Attributes": "Present,Enabled,Default", "Description": "Load and unload device drivers", "PID": 5452, "Privilege": "SeLoadDriverPrivilege", "Process": "rundll32.exe", "Value": 10, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeSystemProfilePrivilege · vol_privileges
Raw tool output · d850075910ca150a885d46fdb65e7ae531ecde7c
{"Attributes": "Present,Enabled,Default", "Description": "Profile system performance", "PID": 5452, "Privilege": "SeSystemProfilePrivilege", "Process": "rundll32.exe", "Value": 11, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeSystemtimePrivilege · vol_privileges
Raw tool output · 795919fc2715e80ac1a23a14c565dcd4039a9dd5
{"Attributes": "Present,Enabled,Default", "Description": "Change the system time", "PID": 5452, "Privilege": "SeSystemtimePrivilege", "Process": "rundll32.exe", "Value": 12, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeProfileSingleProcessPrivilege · vol_privileges
Raw tool output · d209ebfe017429a8e989d857419f2ad96360889c
{"Attributes": "Present,Enabled,Default", "Description": "Profile a single process", "PID": 5452, "Privilege": "SeProfileSingleProcessPrivilege", "Process": "rundll32.exe", "Value": 13, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeIncreaseBasePriorityPrivilege · vol_privileges
Raw tool output · dfcf464a8020a16c9fc7cf32e695293da3ef023e
{"Attributes": "Present,Enabled,Default", "Description": "Increase scheduling priority", "PID": 5452, "Privilege": "SeIncreaseBasePriorityPrivilege", "Process": "rundll32.exe", "Value": 14, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeCreatePagefilePrivilege · vol_privileges
Raw tool output · c6f012f111d7640e0c4c80bf1a02c0616c9a3b03
{"Attributes": "Present,Enabled,Default", "Description": "Create a pagefile", "PID": 5452, "Privilege": "SeCreatePagefilePrivilege", "Process": "rundll32.exe", "Value": 15, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeCreatePermanentPrivilege · vol_privileges
Raw tool output · 487acca1b768e3c0c181b848b9fe94dff83ca1fa
{"Attributes": "", "Description": "Create permanent shared objects", "PID": 5452, "Privilege": "SeCreatePermanentPrivilege", "Process": "rundll32.exe", "Value": 16, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeBackupPrivilege · vol_privileges
Raw tool output · 30f267c3de1ee5e3a8425104c68c7cac22bfede3
{"Attributes": "Present,Enabled,Default", "Description": "Backup files and directories", "PID": 5452, "Privilege": "SeBackupPrivilege", "Process": "rundll32.exe", "Value": 17, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeRestorePrivilege · vol_privileges
Raw tool output · 5d5163326921556f14cca502d3cb172089ffa0fa
{"Attributes": "Present,Enabled,Default", "Description": "Restore files and directories", "PID": 5452, "Privilege": "SeRestorePrivilege", "Process": "rundll32.exe", "Value": 18, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeShutdownPrivilege · vol_privileges
Raw tool output · 5eaf8faf9b1c36ff6bd410227cbc8862c68080e7
{"Attributes": "Present,Enabled,Default", "Description": "Shut down the system", "PID": 5452, "Privilege": "SeShutdownPrivilege", "Process": "rundll32.exe", "Value": 19, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeDebugPrivilege · vol_privileges
Raw tool output · fcd139f46fe9cff2f1ae5dd79980341bff39f128
{"Attributes": "Present,Enabled,Default", "Description": "Debug programs", "PID": 5452, "Privilege": "SeDebugPrivilege", "Process": "rundll32.exe", "Value": 20, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeAuditPrivilege · vol_privileges
Raw tool output · b80892888d60a67c378d2d0abcc4cb07b6c31e40
{"Attributes": "", "Description": "Generate security audits", "PID": 5452, "Privilege": "SeAuditPrivilege", "Process": "rundll32.exe", "Value": 21, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeSystemEnvironmentPrivilege · vol_privileges
Raw tool output · 5d3f4819ebd3fb5bb1a78f861f7a05cabfaf4a04
{"Attributes": "Present,Enabled,Default", "Description": "Edit firmware environment values", "PID": 5452, "Privilege": "SeSystemEnvironmentPrivilege", "Process": "rundll32.exe", "Value": 22, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeChangeNotifyPrivilege · vol_privileges
Raw tool output · e673ecffa3ce9aaaa8238df07c667b525c55253a
{"Attributes": "Present,Enabled,Default", "Description": "Receive notifications of changes to files or directories", "PID": 5452, "Privilege": "SeChangeNotifyPrivilege", "Process": "rundll32.exe", "Value": 23, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeRemoteShutdownPrivilege · vol_privileges
Raw tool output · 5b0dfd53534c4e3cb2a8ce821055187e323f3903
{"Attributes": "Present,Enabled,Default", "Description": "Force shutdown from a remote system", "PID": 5452, "Privilege": "SeRemoteShutdownPrivilege", "Process": "rundll32.exe", "Value": 24, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeUndockPrivilege · vol_privileges
Raw tool output · acaf31031123f407c74a5f7a248b4886323e3e1c
{"Attributes": "Present,Enabled,Default", "Description": "Remove computer from docking station", "PID": 5452, "Privilege": "SeUndockPrivilege", "Process": "rundll32.exe", "Value": 25, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeSyncAgentPrivilege · vol_privileges
Raw tool output · 23d0c12a886403fe5f2c5caaba51bb04124d66d4
{"Attributes": "", "Description": "Synch directory service data", "PID": 5452, "Privilege": "SeSyncAgentPrivilege", "Process": "rundll32.exe", "Value": 26, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeEnableDelegationPrivilege · vol_privileges
Raw tool output · fe61c9fcab279d86cfeb7bcc468d06e04a50fe91
{"Attributes": "", "Description": "Enable user accounts to be trusted for delegation", "PID": 5452, "Privilege": "SeEnableDelegationPrivilege", "Process": "rundll32.exe", "Value": 27, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeManageVolumePrivilege · vol_privileges
Raw tool output · 4d27979b7d3ef8ccfb2b3d60731b4d1449e94f18
{"Attributes": "Present,Enabled,Default", "Description": "Manage the files on a volume", "PID": 5452, "Privilege": "SeManageVolumePrivilege", "Process": "rundll32.exe", "Value": 28, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeImpersonatePrivilege · vol_privileges
Raw tool output · cd944d9e55dbd29de9cde87a4dab3ce05731f700
{"Attributes": "Present,Enabled,Default", "Description": "Impersonate a client after authentication", "PID": 5452, "Privilege": "SeImpersonatePrivilege", "Process": "rundll32.exe", "Value": 29, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeCreateGlobalPrivilege · vol_privileges
Raw tool output · 88b81c0381360274c249d416d15c5c3b1ee7bed4
{"Attributes": "Present,Enabled,Default", "Description": "Create global objects", "PID": 5452, "Privilege": "SeCreateGlobalPrivilege", "Process": "rundll32.exe", "Value": 30, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeTrustedCredManAccessPrivilege · vol_privileges
Raw tool output · 4dbc1f92e95fac35f91682c941ce37c0dd852cee
{"Attributes": "", "Description": "Access Credential Manager as a trusted caller", "PID": 5452, "Privilege": "SeTrustedCredManAccessPrivilege", "Process": "rundll32.exe", "Value": 31, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeRelabelPrivilege · vol_privileges
Raw tool output · 2efe6ff14168b32c2bab0ccbb4ac5a35ee9a91e4
{"Attributes": "", "Description": "Modify the mandatory integrity level of an object", "PID": 5452, "Privilege": "SeRelabelPrivilege", "Process": "rundll32.exe", "Value": 32, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeIncreaseWorkingSetPrivilege · vol_privileges
Raw tool output · 8d50cc4e58bfa55553d7233be1ccf5d75ff1afed
{"Attributes": "Present,Enabled,Default", "Description": "Allocate more memory for user applications", "PID": 5452, "Privilege": "SeIncreaseWorkingSetPrivilege", "Process": "rundll32.exe", "Value": 33, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeTimeZonePrivilege · vol_privileges
Raw tool output · b7625002f376a04718b9995a6e92505d6c26e710
{"Attributes": "Present,Enabled,Default", "Description": "Adjust the time zone of the computer's internal clock", "PID": 5452, "Privilege": "SeTimeZonePrivilege", "Process": "rundll32.exe", "Value": 34, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeCreateSymbolicLinkPrivilege · vol_privileges
Raw tool output · ba88196c648f0c78aa4f1f4c6099eb60a9a7e709
{"Attributes": "Present,Enabled,Default", "Description": "Required to create a symbolic link", "PID": 5452, "Privilege": "SeCreateSymbolicLinkPrivilege", "Process": "rundll32.exe", "Value": 35, "TreeDepth": 0}

privilege fact · privilege:pid:5452:SeDelegateSessionUserImpersonatePrivilege · vol_privileges
Raw tool output · 75d935e8bd6161bd1ee3cf8cd51207ed5540db01
{"Attributes": "Present,Enabled,Default", "Description": "Obtain an impersonation token for another user in the same session.", "PID": 5452, "Privilege": "SeDelegateSessionUserImpersonatePrivilege", "Process": "rundll32.exe", "Value": 36, "TreeDepth": 0}

process cmdline fact · cmdline:pid:5452 · vol_cmdline
Raw tool output · f9264a986525c63429991380536a35cac8c85561
{"Args": null, "PID": 5452, "Process": "rundll32.exe", "TreeDepth": 0}

process fact · pid:5452 · vol_psscan, vol_pstree
Raw tool output · 5c5b739f64c247170350bd1da2a696a8d7b01862
{"CreateTime": "2018-08-30T21:40:18+00:00", "ExitTime": "2018-08-30T21:40:23+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518744397184, "PID": 5452, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}

process relationship fact · pid:5452->pid:5848 · vol_psscan, vol_pstree
Raw tool output · 6ba9b94599f78cf3d8f66fdebfc83c1b5e01905b
{"CreateTime": "2018-08-30T21:40:18+00:00", "ExitTime": "2018-08-30T21:40:23+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518744397184, "PID": 5452, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}

sid fact · sid:pid:5452:S-1-5-21-3445421715-2530590580-3149308974-1193 · vol_getsids
Raw tool output · 71845210198601cdb4d177dc4454ac2e1c7ef3b1
{"Name": "spsql", "PID": 5452, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-1193", "TreeDepth": 0}

sid fact · sid:pid:5452:S-1-5-21-3445421715-2530590580-3149308974-513 · vol_getsids
Raw tool output · 477e9baab81936ddc6e5bbe489fe8de660d6882e
{"Name": "Domain Users", "PID": 5452, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-513", "TreeDepth": 0}

sid fact · sid:pid:5452:S-1-1-0 · vol_getsids
Raw tool output · 936e85847f60b47a635aa3f7758e868f9196c2c0
{"Name": "Everyone", "PID": 5452, "Process": "rundll32.exe", "SID": "S-1-1-0", "TreeDepth": 0}

sid fact · sid:pid:5452:S-1-5-32-545 · vol_getsids
Raw tool output · ee55afe54ce7f473d8b1a3a027563e8a5926ad87
{"Name": "Users", "PID": 5452, "Process": "rundll32.exe", "SID": "S-1-5-32-545", "TreeDepth": 0}

sid fact · sid:pid:5452:S-1-5-32-544 · vol_getsids
Raw tool output · 95d1bac52b9c56583b818e3475b2693d8fad3631
{"Name": "Administrators", "PID": 5452, "Process": "rundll32.exe", "SID": "S-1-5-32-544", "TreeDepth": 0}

sid fact · sid:pid:5452:S-1-5-2 · vol_getsids
Raw tool output · 4276d1f2e767b0b19ca12097defef67a99aa290e
{"Name": "Network", "PID": 5452, "Process": "rundll32.exe", "SID": "S-1-5-2", "TreeDepth": 0}

sid fact · sid:pid:5452:S-1-5-11 · vol_getsids
Raw tool output · b50e1c22fba21ee7958bea61092d26a1d86fbe3d
{"Name": "Authenticated Users", "PID": 5452, "Process": "rundll32.exe", "SID": "S-1-5-11", "TreeDepth": 0}

sid fact · sid:pid:5452:S-1-5-15 · vol_getsids
Raw tool output · 0158a6940cfab88bf5969c8ba4bf1a5825d86c91
{"Name": "This Organization", "PID": 5452, "Process": "rundll32.exe", "SID": "S-1-5-15", "TreeDepth": 0}

sid fact · sid:pid:5452:S-1-5-21-3445421715-2530590580-3149308974-512 · vol_getsids
Raw tool output · 57951a1d89c91d43734b82a0ad4346d2992209a6
{"Name": "Domain Admins", "PID": 5452, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-512", "TreeDepth": 0}

sid fact · sid:pid:5452:S-1-18-1 · vol_getsids
Raw tool output · 4603f44dd054131562fecba03579a82f73981de0
{"Name": "Authentication Authority Asserted Identity", "PID": 5452, "Process": "rundll32.exe", "SID": "S-1-18-1", "TreeDepth": 0}

sid fact · sid:pid:5452:S-1-5-21-3445421715-2530590580-3149308974-572 · vol_getsids
Raw tool output · 2325f2d09cf5b97bc68dc7a2f0d906873346edf1
{"Name": null, "PID": 5452, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-572", "TreeDepth": 0}

sid fact · sid:pid:5452:S-1-16-12288 · vol_getsids
Raw tool output · ae8304a9d6de7d327d930267ed0a9f806f1e38d0
{"Name": "High Mandatory Level", "PID": 5452, "Process": "rundll32.exe", "SID": "S-1-16-12288", "TreeDepth": 0}

Source tools
vol_cmdline, vol_pstree, vol_psxview