F008 · MEDIUM · Suspicious · validator: passed

Multiple rundll32.exe instances with null command lines spawned from PowerShell child

rundll32.exe

Analyst narrative

A PowerShell child process (PID 5848) spawned six rundll32.exe instances with null/missing command lines between 2018-08-30 18:31:04 and 2018-09-06 17:26:35, a pattern consistent with process injection or DLL sideloading. The proof chain below traces one of them, PID 4108, which ran for about five seconds (2018-08-30T22:45:25 to 22:45:30 UTC) under the account spsql with SeDebugPrivilege present and enabled and a token carrying the Domain Admins group SID at High Mandatory Level, which bears directly on the blast radius of whatever it loaded. Note that PID 4108 had already exited when the image was taken (ExitTime set, 0 threads), so the null Args from vol_cmdline may reflect a process environment block that could no longer be read rather than a genuinely empty command line; the other five instances should be checked for the same artefact before the null command line is treated as evidence on its own.

Claims asserted

pid — vol_pstree, vol_cmdline, vol_psxview
user_account — spsql

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

privilege factprivilege:pid:4108:SeCreateTokenPrivilege
vol_privileges
Raw tool output · d86c2c96cb50373509e1743b88c2f5579ff6f5b3
{"Attributes": "", "Description": "Create a token object", "PID": 4108, "Privilege": "SeCreateTokenPrivilege", "Process": "rundll32.exe", "Value": 2, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeAssignPrimaryTokenPrivilege
vol_privileges
Raw tool output · 1f17bcc8c77ca001540576672ba6a382e051b6f6
{"Attributes": "", "Description": "Replace a process-level token", "PID": 4108, "Privilege": "SeAssignPrimaryTokenPrivilege", "Process": "rundll32.exe", "Value": 3, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeLockMemoryPrivilege
vol_privileges
Raw tool output · a3cb14ff8cff68652c29a898684713e66ad97cfc
{"Attributes": "", "Description": "Lock pages in memory", "PID": 4108, "Privilege": "SeLockMemoryPrivilege", "Process": "rundll32.exe", "Value": 4, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeIncreaseQuotaPrivilege
vol_privileges
Raw tool output · 455f42423a79bbed702a057f81085c4a0f0d73b8
{"Attributes": "Present,Enabled,Default", "Description": "Increase quotas", "PID": 4108, "Privilege": "SeIncreaseQuotaPrivilege", "Process": "rundll32.exe", "Value": 5, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeMachineAccountPrivilege
vol_privileges
Raw tool output · 5f1dcb9bb32950a0b7e12c46e8bdd27fb4b26cf5
{"Attributes": "", "Description": "Add workstations to the domain", "PID": 4108, "Privilege": "SeMachineAccountPrivilege", "Process": "rundll32.exe", "Value": 6, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeTcbPrivilege
vol_privileges
Raw tool output · 4d9273d42e4630224c9ce77a9e5812fb5b0ffd30
{"Attributes": "", "Description": "Act as part of the operating system", "PID": 4108, "Privilege": "SeTcbPrivilege", "Process": "rundll32.exe", "Value": 7, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeSecurityPrivilege
vol_privileges
Raw tool output · d7493c317dbc044f91c1874d6c5780391ab1ca28
{"Attributes": "Present,Enabled,Default", "Description": "Manage auditing and security log", "PID": 4108, "Privilege": "SeSecurityPrivilege", "Process": "rundll32.exe", "Value": 8, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeTakeOwnershipPrivilege
vol_privileges
Raw tool output · 4f873f4ededa4b94f75a82fc7ca06c49d6085d26
{"Attributes": "Present,Enabled,Default", "Description": "Take ownership of files/objects", "PID": 4108, "Privilege": "SeTakeOwnershipPrivilege", "Process": "rundll32.exe", "Value": 9, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeLoadDriverPrivilege
vol_privileges
Raw tool output · 6c6344cc5e5bfd935c1a69056e5ec32ab7b0b792
{"Attributes": "Present,Enabled,Default", "Description": "Load and unload device drivers", "PID": 4108, "Privilege": "SeLoadDriverPrivilege", "Process": "rundll32.exe", "Value": 10, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeSystemProfilePrivilege
vol_privileges
Raw tool output · 4ac2b633ac7f09dc80635a6f6e205a939746a266
{"Attributes": "Present,Enabled,Default", "Description": "Profile system performance", "PID": 4108, "Privilege": "SeSystemProfilePrivilege", "Process": "rundll32.exe", "Value": 11, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeSystemtimePrivilege
vol_privileges
Raw tool output · 687572df1786b25772c886e40ca28d7e52585655
{"Attributes": "Present,Enabled,Default", "Description": "Change the system time", "PID": 4108, "Privilege": "SeSystemtimePrivilege", "Process": "rundll32.exe", "Value": 12, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeProfileSingleProcessPrivilege
vol_privileges
Raw tool output · 87afc5a92aa5d0c3e6717361e61a451da124b8fb
{"Attributes": "Present,Enabled,Default", "Description": "Profile a single process", "PID": 4108, "Privilege": "SeProfileSingleProcessPrivilege", "Process": "rundll32.exe", "Value": 13, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeIncreaseBasePriorityPrivilege
vol_privileges
Raw tool output · d791cadb1640cc5e1c596646cdba719b198cc46b
{"Attributes": "Present,Enabled,Default", "Description": "Increase scheduling priority", "PID": 4108, "Privilege": "SeIncreaseBasePriorityPrivilege", "Process": "rundll32.exe", "Value": 14, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeCreatePagefilePrivilege
vol_privileges
Raw tool output · 6303caf145409c877bd3ba21419c172717319467
{"Attributes": "Present,Enabled,Default", "Description": "Create a pagefile", "PID": 4108, "Privilege": "SeCreatePagefilePrivilege", "Process": "rundll32.exe", "Value": 15, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeCreatePermanentPrivilege
vol_privileges
Raw tool output · 323c883bf4a8fc4ad97ab312a58cf9da5a610e0b
{"Attributes": "", "Description": "Create permanent shared objects", "PID": 4108, "Privilege": "SeCreatePermanentPrivilege", "Process": "rundll32.exe", "Value": 16, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeBackupPrivilege
vol_privileges
Raw tool output · 5edd07e32f5b5aed8b7dfe78ed081c286be24a37
{"Attributes": "Present,Enabled,Default", "Description": "Backup files and directories", "PID": 4108, "Privilege": "SeBackupPrivilege", "Process": "rundll32.exe", "Value": 17, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeRestorePrivilege
vol_privileges
Raw tool output · 2579566adebabf5183abf4e2dbb59a312735cf3f
{"Attributes": "Present,Enabled,Default", "Description": "Restore files and directories", "PID": 4108, "Privilege": "SeRestorePrivilege", "Process": "rundll32.exe", "Value": 18, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeShutdownPrivilege
vol_privileges
Raw tool output · 778baa5a85ca0083423d003ea581e8573147f948
{"Attributes": "Present,Enabled,Default", "Description": "Shut down the system", "PID": 4108, "Privilege": "SeShutdownPrivilege", "Process": "rundll32.exe", "Value": 19, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeDebugPrivilege
vol_privileges
Raw tool output · 3450b890a1da9a854a3c991af7444526686a6c5c
{"Attributes": "Present,Enabled,Default", "Description": "Debug programs", "PID": 4108, "Privilege": "SeDebugPrivilege", "Process": "rundll32.exe", "Value": 20, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeAuditPrivilege
vol_privileges
Raw tool output · 71134b9f4bb8a8f6631da2164c3bfc158179888a
{"Attributes": "", "Description": "Generate security audits", "PID": 4108, "Privilege": "SeAuditPrivilege", "Process": "rundll32.exe", "Value": 21, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeSystemEnvironmentPrivilege
vol_privileges
Raw tool output · d0f86dda017393d868e2e978e68ba508a29cfe5d
{"Attributes": "Present,Enabled,Default", "Description": "Edit firmware environment values", "PID": 4108, "Privilege": "SeSystemEnvironmentPrivilege", "Process": "rundll32.exe", "Value": 22, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeChangeNotifyPrivilege
vol_privileges
Raw tool output · cf2ef6de32e184481bcbaad0b4e13a6c75415a9c
{"Attributes": "Present,Enabled,Default", "Description": "Receive notifications of changes to files or directories", "PID": 4108, "Privilege": "SeChangeNotifyPrivilege", "Process": "rundll32.exe", "Value": 23, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeRemoteShutdownPrivilege
vol_privileges
Raw tool output · 45d86ea409680a1708ec833dfbbea3fa72ecd122
{"Attributes": "Present,Enabled,Default", "Description": "Force shutdown from a remote system", "PID": 4108, "Privilege": "SeRemoteShutdownPrivilege", "Process": "rundll32.exe", "Value": 24, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeUndockPrivilege
vol_privileges
Raw tool output · cb0330488e15dba985cf4b0996fc40be2be74a9c
{"Attributes": "Present,Enabled,Default", "Description": "Remove computer from docking station", "PID": 4108, "Privilege": "SeUndockPrivilege", "Process": "rundll32.exe", "Value": 25, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeSyncAgentPrivilege
vol_privileges
Raw tool output · 99c66f09507494512fc6f16762f954dc52aadb20
{"Attributes": "", "Description": "Synch directory service data", "PID": 4108, "Privilege": "SeSyncAgentPrivilege", "Process": "rundll32.exe", "Value": 26, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeEnableDelegationPrivilege
vol_privileges
Raw tool output · dba45a949a8075a0c6ea47612ce1a90d57ae19d5
{"Attributes": "", "Description": "Enable user accounts to be trusted for delegation", "PID": 4108, "Privilege": "SeEnableDelegationPrivilege", "Process": "rundll32.exe", "Value": 27, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeManageVolumePrivilege
vol_privileges
Raw tool output · cb6da427ac476eb818d6bca0eb930d9036bc243d
{"Attributes": "Present,Enabled,Default", "Description": "Manage the files on a volume", "PID": 4108, "Privilege": "SeManageVolumePrivilege", "Process": "rundll32.exe", "Value": 28, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeImpersonatePrivilege
vol_privileges
Raw tool output · b94139842ebd4fc2e00b7a7c6f48be3b5fd36f4a
{"Attributes": "Present,Enabled,Default", "Description": "Impersonate a client after authentication", "PID": 4108, "Privilege": "SeImpersonatePrivilege", "Process": "rundll32.exe", "Value": 29, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeCreateGlobalPrivilege
vol_privileges
Raw tool output · ff994cee8b162e7d610a6f5d1903bfcdfe32861a
{"Attributes": "Present,Enabled,Default", "Description": "Create global objects", "PID": 4108, "Privilege": "SeCreateGlobalPrivilege", "Process": "rundll32.exe", "Value": 30, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeTrustedCredManAccessPrivilege
vol_privileges
Raw tool output · 2069be2957bfe0eadce73868dd9511573a74d294
{"Attributes": "", "Description": "Access Credential Manager as a trusted caller", "PID": 4108, "Privilege": "SeTrustedCredManAccessPrivilege", "Process": "rundll32.exe", "Value": 31, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeRelabelPrivilege
vol_privileges
Raw tool output · 7994f3c80c1fc1929b85f634820e14fd666b61bd
{"Attributes": "", "Description": "Modify the mandatory integrity level of an object", "PID": 4108, "Privilege": "SeRelabelPrivilege", "Process": "rundll32.exe", "Value": 32, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeIncreaseWorkingSetPrivilege
vol_privileges
Raw tool output · 9d8b46cabcc2777ffb99722a2f9944eca6e334be
{"Attributes": "Present,Enabled,Default", "Description": "Allocate more memory for user applications", "PID": 4108, "Privilege": "SeIncreaseWorkingSetPrivilege", "Process": "rundll32.exe", "Value": 33, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeTimeZonePrivilege
vol_privileges
Raw tool output · afc27e2e12939f473efcfc218eae5883bd9db0a5
{"Attributes": "Present,Enabled,Default", "Description": "Adjust the time zone of the computer's internal clock", "PID": 4108, "Privilege": "SeTimeZonePrivilege", "Process": "rundll32.exe", "Value": 34, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeCreateSymbolicLinkPrivilege
vol_privileges
Raw tool output · 46ff6adbbe956d29e079ff98898fc9a112779a9d
{"Attributes": "Present,Enabled,Default", "Description": "Required to create a symbolic link", "PID": 4108, "Privilege": "SeCreateSymbolicLinkPrivilege", "Process": "rundll32.exe", "Value": 35, "TreeDepth": 0}
privilege factprivilege:pid:4108:SeDelegateSessionUserImpersonatePrivilege
vol_privileges
Raw tool output · 235a5fd14e54b630a4f1ed93fec957c60c86d7be
{"Attributes": "Present,Enabled,Default", "Description": "Obtain an impersonation token for another user in the same session.", "PID": 4108, "Privilege": "SeDelegateSessionUserImpersonatePrivilege", "Process": "rundll32.exe", "Value": 36, "TreeDepth": 0}
process cmdline fact · cmdline:pid:4108
vol_cmdline
Raw tool output · 8b2a8872a41defa5d99249ad8ca51d1a093846f6
{"Args": null, "PID": 4108, "Process": "rundll32.exe", "TreeDepth": 0}
process fact · pid:4108
vol_psscan, vol_pstree
Raw tool output · 9ea3cea1cc4b0b4852b237092e495dae20a7b69e
{"CreateTime": "2018-08-30T22:45:25+00:00", "ExitTime": "2018-08-30T22:45:30+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518742470784, "PID": 4108, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}
process relationship fact · pid:4108->pid:5848
vol_psscan, vol_pstree
Raw tool output · 7c8fcd5aa2020cf80db134a6afa10fe76c521087
{"CreateTime": "2018-08-30T22:45:25+00:00", "ExitTime": "2018-08-30T22:45:30+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518742470784, "PID": 4108, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}
sid factsid:pid:4108:S-1-5-21-3445421715-2530590580-3149308974-1193
vol_getsids
Raw tool output · b3ef66dadd895faf51d14b4dc5a7dfbbd8c7ef99
{"Name": "spsql", "PID": 4108, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-1193", "TreeDepth": 0}
sid factsid:pid:4108:S-1-5-21-3445421715-2530590580-3149308974-513
vol_getsids
Raw tool output · 4aacc9771186b0bacf52ef604f601831eadb8285
{"Name": "Domain Users", "PID": 4108, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-513", "TreeDepth": 0}
sid factsid:pid:4108:S-1-1-0
vol_getsids
Raw tool output · 01db95365f23a4caab032a92822b31d97b6c6d0d
{"Name": "Everyone", "PID": 4108, "Process": "rundll32.exe", "SID": "S-1-1-0", "TreeDepth": 0}
sid factsid:pid:4108:S-1-5-32-545
vol_getsids
Raw tool output · 7f43e2a71e3fc1b1df72ddcf55ad12455e8cf0cb
{"Name": "Users", "PID": 4108, "Process": "rundll32.exe", "SID": "S-1-5-32-545", "TreeDepth": 0}
sid factsid:pid:4108:S-1-5-32-544
vol_getsids
Raw tool output · 943a240933acadcaccb3f8b3689e802a96975bd2
{"Name": "Administrators", "PID": 4108, "Process": "rundll32.exe", "SID": "S-1-5-32-544", "TreeDepth": 0}
sid factsid:pid:4108:S-1-5-2
vol_getsids
Raw tool output · fa435225f9a4f051a3ed3f5d212ae5285eb5f0db
{"Name": "Network", "PID": 4108, "Process": "rundll32.exe", "SID": "S-1-5-2", "TreeDepth": 0}
sid factsid:pid:4108:S-1-5-11
vol_getsids
Raw tool output · 4edec7f9f975070b2084b1f2b21e920218a2ac08
{"Name": "Authenticated Users", "PID": 4108, "Process": "rundll32.exe", "SID": "S-1-5-11", "TreeDepth": 0}
sid factsid:pid:4108:S-1-5-15
vol_getsids
Raw tool output · 2a34975799469108b57c363843ec36a1131a3905
{"Name": "This Organization", "PID": 4108, "Process": "rundll32.exe", "SID": "S-1-5-15", "TreeDepth": 0}
sid factsid:pid:4108:S-1-5-21-3445421715-2530590580-3149308974-512
vol_getsids
Raw tool output · ff9b0d991371567f0d4a28b97e9850697ff58f52
{"Name": "Domain Admins", "PID": 4108, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-512", "TreeDepth": 0}
sid factsid:pid:4108:S-1-18-1
vol_getsids
Raw tool output · f5fd58526df046355033179c4b98f149caa99e64
{"Name": "Authentication Authority Asserted Identity", "PID": 4108, "Process": "rundll32.exe", "SID": "S-1-18-1", "TreeDepth": 0}
sid factsid:pid:4108:S-1-5-21-3445421715-2530590580-3149308974-572
vol_getsids
Raw tool output · 2fded09b16b69af3f2430d75db4e8a1603ba1b00
{"Name": null, "PID": 4108, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-572", "TreeDepth": 0}
sid factsid:pid:4108:S-1-16-12288
vol_getsids
Raw tool output · 1f44864e3184a49bdfadd3893e427df9df4f8f8b
{"Name": "High Mandatory Level", "PID": 4108, "Process": "rundll32.exe", "SID": "S-1-16-12288", "TreeDepth": 0}

Source tools

vol_cmdline, vol_pstree, vol_psxview