F010 · MEDIUM · Suspicious · validator: passed
Multiple rundll32.exe instances with null command lines spawned from PowerShell child
rundll32.exe
Analyst narrative
PowerShell child process (PID 5848) spawned 6 rundll32.exe instances with null/missing command lines between 2018-08-30 18:31:04 and 2018-09-06 17:26:35, indicative of process injection or DLL sideloading patterns.
Claims asserted
pid · vol_pstree, vol_cmdline, vol_psxview
user_account · spsql
Proof chain · 50 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
• privilege fact · privilege:pid:5588:SeCreateTokenPrivilege · vol_privileges
Raw tool output · 4d3a4c22798918b0a82058733025a60961c4dcf7
{"Attributes": "", "Description": "Create a token object", "PID": 5588, "Privilege": "SeCreateTokenPrivilege", "Process": "rundll32.exe", "Value": 2, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeAssignPrimaryTokenPrivilege · vol_privileges
Raw tool output · 98358a8205cc843a92c3dab84f4d75d721b19024
{"Attributes": "", "Description": "Replace a process-level token", "PID": 5588, "Privilege": "SeAssignPrimaryTokenPrivilege", "Process": "rundll32.exe", "Value": 3, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeLockMemoryPrivilege · vol_privileges
Raw tool output · 21245ca37b4e683246051db2e8392afb6d20e11d
{"Attributes": "", "Description": "Lock pages in memory", "PID": 5588, "Privilege": "SeLockMemoryPrivilege", "Process": "rundll32.exe", "Value": 4, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeIncreaseQuotaPrivilege · vol_privileges
Raw tool output · 949c38495c543d0f7ff8634a2be4ae8365f7fdf2
{"Attributes": "Present,Enabled,Default", "Description": "Increase quotas", "PID": 5588, "Privilege": "SeIncreaseQuotaPrivilege", "Process": "rundll32.exe", "Value": 5, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeMachineAccountPrivilege · vol_privileges
Raw tool output · 63e214c380ad5685b48d94b798f07b568ab5d716
{"Attributes": "", "Description": "Add workstations to the domain", "PID": 5588, "Privilege": "SeMachineAccountPrivilege", "Process": "rundll32.exe", "Value": 6, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeTcbPrivilege · vol_privileges
Raw tool output · 18013573e5bfd0f32e9c94a932e1f25d32109548
{"Attributes": "", "Description": "Act as part of the operating system", "PID": 5588, "Privilege": "SeTcbPrivilege", "Process": "rundll32.exe", "Value": 7, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeSecurityPrivilege · vol_privileges
Raw tool output · 270db5c891b5c082cb1fe3a29db27660d0e3d737
{"Attributes": "Present,Enabled,Default", "Description": "Manage auditing and security log", "PID": 5588, "Privilege": "SeSecurityPrivilege", "Process": "rundll32.exe", "Value": 8, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeTakeOwnershipPrivilege · vol_privileges
Raw tool output · 4134f3d56bb3fab38f15bed9b7fee68b97669329
{"Attributes": "Present,Enabled,Default", "Description": "Take ownership of files/objects", "PID": 5588, "Privilege": "SeTakeOwnershipPrivilege", "Process": "rundll32.exe", "Value": 9, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeLoadDriverPrivilege · vol_privileges
Raw tool output · e6087592c155686f46e67ab865d5e3617d2798de
{"Attributes": "Present,Enabled,Default", "Description": "Load and unload device drivers", "PID": 5588, "Privilege": "SeLoadDriverPrivilege", "Process": "rundll32.exe", "Value": 10, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeSystemProfilePrivilege · vol_privileges
Raw tool output · 1e96add9a382387c30e0fbef9e80cc227515d044
{"Attributes": "Present,Enabled,Default", "Description": "Profile system performance", "PID": 5588, "Privilege": "SeSystemProfilePrivilege", "Process": "rundll32.exe", "Value": 11, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeSystemtimePrivilege · vol_privileges
Raw tool output · 0213db918f7ec5d535b203cdab70ce281561de82
{"Attributes": "Present,Enabled,Default", "Description": "Change the system time", "PID": 5588, "Privilege": "SeSystemtimePrivilege", "Process": "rundll32.exe", "Value": 12, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeProfileSingleProcessPrivilege · vol_privileges
Raw tool output · 5b7ce23c9c09a2317b7140358e9b8328bd035019
{"Attributes": "Present,Enabled,Default", "Description": "Profile a single process", "PID": 5588, "Privilege": "SeProfileSingleProcessPrivilege", "Process": "rundll32.exe", "Value": 13, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeIncreaseBasePriorityPrivilege · vol_privileges
Raw tool output · 8395b3cb6f41195645e69d602264ff05d5cf4496
{"Attributes": "Present,Enabled,Default", "Description": "Increase scheduling priority", "PID": 5588, "Privilege": "SeIncreaseBasePriorityPrivilege", "Process": "rundll32.exe", "Value": 14, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeCreatePagefilePrivilege · vol_privileges
Raw tool output · ce9c3546c27604f94405bb902b93acf71fa0c7a3
{"Attributes": "Present,Enabled,Default", "Description": "Create a pagefile", "PID": 5588, "Privilege": "SeCreatePagefilePrivilege", "Process": "rundll32.exe", "Value": 15, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeCreatePermanentPrivilege · vol_privileges
Raw tool output · be533a5a0a784dd11f16aed31ab46a932d559969
{"Attributes": "", "Description": "Create permanent shared objects", "PID": 5588, "Privilege": "SeCreatePermanentPrivilege", "Process": "rundll32.exe", "Value": 16, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeBackupPrivilege · vol_privileges
Raw tool output · 41a0e212d9318fac463ff89cac636c1b6d7ce62c
{"Attributes": "Present,Enabled,Default", "Description": "Backup files and directories", "PID": 5588, "Privilege": "SeBackupPrivilege", "Process": "rundll32.exe", "Value": 17, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeRestorePrivilege · vol_privileges
Raw tool output · b38217b768a02a5f0c2b3eff59a172a111a0b2e6
{"Attributes": "Present,Enabled,Default", "Description": "Restore files and directories", "PID": 5588, "Privilege": "SeRestorePrivilege", "Process": "rundll32.exe", "Value": 18, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeShutdownPrivilege · vol_privileges
Raw tool output · ef4a0099e1e3c00a822f50092fe8a3a55a699ac1
{"Attributes": "Present,Enabled,Default", "Description": "Shut down the system", "PID": 5588, "Privilege": "SeShutdownPrivilege", "Process": "rundll32.exe", "Value": 19, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeDebugPrivilege · vol_privileges
Raw tool output · 5b71be8b44ec9ce22c4e54658f620baaad7409e8
{"Attributes": "Present,Enabled,Default", "Description": "Debug programs", "PID": 5588, "Privilege": "SeDebugPrivilege", "Process": "rundll32.exe", "Value": 20, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeAuditPrivilege · vol_privileges
Raw tool output · 60792dce3c19085677c7e91259202f89c4857d69
{"Attributes": "", "Description": "Generate security audits", "PID": 5588, "Privilege": "SeAuditPrivilege", "Process": "rundll32.exe", "Value": 21, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeSystemEnvironmentPrivilege · vol_privileges
Raw tool output · 33e0fc2a732d1b50b5e5dd87744d376883d670fe
{"Attributes": "Present,Enabled,Default", "Description": "Edit firmware environment values", "PID": 5588, "Privilege": "SeSystemEnvironmentPrivilege", "Process": "rundll32.exe", "Value": 22, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeChangeNotifyPrivilege · vol_privileges
Raw tool output · d0025c9514964a2a0e8bf92ddcfb3ca4cb49973a
{"Attributes": "Present,Enabled,Default", "Description": "Receive notifications of changes to files or directories", "PID": 5588, "Privilege": "SeChangeNotifyPrivilege", "Process": "rundll32.exe", "Value": 23, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeRemoteShutdownPrivilege · vol_privileges
Raw tool output · 4b7fef3dec127d913f185f6e154c6edc66f8603b
{"Attributes": "Present,Enabled,Default", "Description": "Force shutdown from a remote system", "PID": 5588, "Privilege": "SeRemoteShutdownPrivilege", "Process": "rundll32.exe", "Value": 24, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeUndockPrivilege · vol_privileges
Raw tool output · 25b2be0330f10d6a25fd555d82ec57a4599b0de4
{"Attributes": "Present,Enabled,Default", "Description": "Remove computer from docking station", "PID": 5588, "Privilege": "SeUndockPrivilege", "Process": "rundll32.exe", "Value": 25, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeSyncAgentPrivilege · vol_privileges
Raw tool output · 07feaf8a86a5a560b96db87634abf9bc26d9dd2d
{"Attributes": "", "Description": "Synch directory service data", "PID": 5588, "Privilege": "SeSyncAgentPrivilege", "Process": "rundll32.exe", "Value": 26, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeEnableDelegationPrivilege · vol_privileges
Raw tool output · 776a6dd8bcff591b64aff53e306fb2eec515d7d9
{"Attributes": "", "Description": "Enable user accounts to be trusted for delegation", "PID": 5588, "Privilege": "SeEnableDelegationPrivilege", "Process": "rundll32.exe", "Value": 27, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeManageVolumePrivilege · vol_privileges
Raw tool output · f44e28d3b7367e5504aa46217fccc08bde42b561
{"Attributes": "Present,Enabled,Default", "Description": "Manage the files on a volume", "PID": 5588, "Privilege": "SeManageVolumePrivilege", "Process": "rundll32.exe", "Value": 28, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeImpersonatePrivilege · vol_privileges
Raw tool output · 09f84166d4fbf07fb328f1eae64d9380a8c122d4
{"Attributes": "Present,Enabled,Default", "Description": "Impersonate a client after authentication", "PID": 5588, "Privilege": "SeImpersonatePrivilege", "Process": "rundll32.exe", "Value": 29, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeCreateGlobalPrivilege · vol_privileges
Raw tool output · 8d76640c02bdc7b17c716633376b98e95113addd
{"Attributes": "Present,Enabled,Default", "Description": "Create global objects", "PID": 5588, "Privilege": "SeCreateGlobalPrivilege", "Process": "rundll32.exe", "Value": 30, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeTrustedCredManAccessPrivilege · vol_privileges
Raw tool output · da877d7879bb624ed9af3b8a44f9570d479e7ce6
{"Attributes": "", "Description": "Access Credential Manager as a trusted caller", "PID": 5588, "Privilege": "SeTrustedCredManAccessPrivilege", "Process": "rundll32.exe", "Value": 31, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeRelabelPrivilege · vol_privileges
Raw tool output · bc8d8ed30bb5adeb17c151da0acc4730146e2d01
{"Attributes": "", "Description": "Modify the mandatory integrity level of an object", "PID": 5588, "Privilege": "SeRelabelPrivilege", "Process": "rundll32.exe", "Value": 32, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeIncreaseWorkingSetPrivilege · vol_privileges
Raw tool output · fe3c0ec9028d8ec89c25d7125a99134680166b2f
{"Attributes": "Present,Enabled,Default", "Description": "Allocate more memory for user applications", "PID": 5588, "Privilege": "SeIncreaseWorkingSetPrivilege", "Process": "rundll32.exe", "Value": 33, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeTimeZonePrivilege · vol_privileges
Raw tool output · 146394310a6db22613015ec7c0e5e97671b0fac2
{"Attributes": "Present,Enabled,Default", "Description": "Adjust the time zone of the computer's internal clock", "PID": 5588, "Privilege": "SeTimeZonePrivilege", "Process": "rundll32.exe", "Value": 34, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeCreateSymbolicLinkPrivilege · vol_privileges
Raw tool output · ac159af1dc08d48d0eef589450bf6ff87474558f
{"Attributes": "Present,Enabled,Default", "Description": "Required to create a symbolic link", "PID": 5588, "Privilege": "SeCreateSymbolicLinkPrivilege", "Process": "rundll32.exe", "Value": 35, "TreeDepth": 0}

• privilege fact · privilege:pid:5588:SeDelegateSessionUserImpersonatePrivilege · vol_privileges
Raw tool output · 878f516b7eccd4eb583e175b1f18218311767f7b
{"Attributes": "Present,Enabled,Default", "Description": "Obtain an impersonation token for another user in the same session.", "PID": 5588, "Privilege": "SeDelegateSessionUserImpersonatePrivilege", "Process": "rundll32.exe", "Value": 36, "TreeDepth": 0}

• process cmdline fact · cmdline:pid:5588 · vol_cmdline
Raw tool output · 689e97ea056747e6cbfa043bc575ecae55beb4b7
{"Args": null, "PID": 5588, "Process": "rundll32.exe", "TreeDepth": 0}

▣ process fact · pid:5588 · vol_psscan, vol_pstree
Raw tool output · d1b818396bfed57d60d62c14e2605a2f49c4a244
{"CreateTime": "2018-08-30T21:40:42+00:00", "ExitTime": "2018-08-30T21:40:54+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518742640000, "PID": 5588, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}

▣ process relationship fact · pid:5588->pid:5848 · vol_psscan, vol_pstree
Raw tool output · b229918ad93feaae01651fbf25cf271583d73a24
{"CreateTime": "2018-08-30T21:40:42+00:00", "ExitTime": "2018-08-30T21:40:54+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518742640000, "PID": 5588, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}

• sid fact · sid:pid:5588:S-1-5-21-3445421715-2530590580-3149308974-1193 · vol_getsids
Raw tool output · 6ce412557013907711e4573e680919baca85b88f
{"Name": "spsql", "PID": 5588, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-1193", "TreeDepth": 0}

• sid fact · sid:pid:5588:S-1-5-21-3445421715-2530590580-3149308974-513 · vol_getsids
Raw tool output · 27f86f7995472f76e75e2b9f0e31c7240e16109d
{"Name": "Domain Users", "PID": 5588, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-513", "TreeDepth": 0}

• sid fact · sid:pid:5588:S-1-1-0 · vol_getsids
Raw tool output · 9c07cca8a00fe3cf4fdc88dd1cd514049ad2f0d0
{"Name": "Everyone", "PID": 5588, "Process": "rundll32.exe", "SID": "S-1-1-0", "TreeDepth": 0}

• sid fact · sid:pid:5588:S-1-5-32-545 · vol_getsids
Raw tool output · 659fcba43f9c1babf7217f734b67e5e5b1763c87
{"Name": "Users", "PID": 5588, "Process": "rundll32.exe", "SID": "S-1-5-32-545", "TreeDepth": 0}

• sid fact · sid:pid:5588:S-1-5-32-544 · vol_getsids
Raw tool output · 140b3dc22238fc81907a348b1971376f360abd64
{"Name": "Administrators", "PID": 5588, "Process": "rundll32.exe", "SID": "S-1-5-32-544", "TreeDepth": 0}

• sid fact · sid:pid:5588:S-1-5-2 · vol_getsids
Raw tool output · 7e4a006e95901966440d7fe27272ed732eb0d250
{"Name": "Network", "PID": 5588, "Process": "rundll32.exe", "SID": "S-1-5-2", "TreeDepth": 0}

• sid fact · sid:pid:5588:S-1-5-11 · vol_getsids
Raw tool output · 614b204cf2828ab974a64e2e63192a3bebbdb7bf
{"Name": "Authenticated Users", "PID": 5588, "Process": "rundll32.exe", "SID": "S-1-5-11", "TreeDepth": 0}

• sid fact · sid:pid:5588:S-1-5-15 · vol_getsids
Raw tool output · 39e7460322ad464a2c481dee4e2cac8c85090e10
{"Name": "This Organization", "PID": 5588, "Process": "rundll32.exe", "SID": "S-1-5-15", "TreeDepth": 0}

• sid fact · sid:pid:5588:S-1-5-21-3445421715-2530590580-3149308974-512 · vol_getsids
Raw tool output · f92a301e0051f526488f07bd1a7de87e3667e623
{"Name": "Domain Admins", "PID": 5588, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-512", "TreeDepth": 0}

• sid fact · sid:pid:5588:S-1-18-1 · vol_getsids
Raw tool output · 592e33858afafcb607bcae05b9d40cb01469fcfa
{"Name": "Authentication Authority Asserted Identity", "PID": 5588, "Process": "rundll32.exe", "SID": "S-1-18-1", "TreeDepth": 0}

• sid fact · sid:pid:5588:S-1-5-21-3445421715-2530590580-3149308974-572 · vol_getsids
Raw tool output · 3821a13a51fb81f7995502ea875a3211cf9dde7e
{"Name": null, "PID": 5588, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-572", "TreeDepth": 0}

• sid fact · sid:pid:5588:S-1-16-12288 · vol_getsids
Raw tool output · 81dea44b3b55fb4213b8c85e4bff45acc01e8407
{"Name": "High Mandatory Level", "PID": 5588, "Process": "rundll32.exe", "SID": "S-1-16-12288", "TreeDepth": 0}

Source tools
vol_cmdline, vol_pstree, vol_psxview