F011 · MEDIUM · Suspicious · validator: passed

Multiple rundll32.exe instances with null command lines spawned from PowerShell child

rundll32.exe

Analyst narrative

A child PowerShell process (PID 5848) spawned 6 rundll32.exe instances with null/missing command lines between 2018-08-30 18:31:04 and 2018-09-06 17:26:35, a pattern consistent with process injection or DLL sideloading. Note that the process fact for PID 8148 in the proof chain records an ExitTime and zero threads; the command line of an already-terminated process is often not recoverable from memory, so a null command line on its own is weaker evidence than it appears and should be weighed together with the rest of the chain (for this process: SeDebugPrivilege present and enabled, and a token carrying the Domain Admins and High Mandatory Level SIDs).

Claims asserted

pid — vol_pstree, vol_cmdline, vol_psxview
user_account — spsql

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. The whole chain is produced by a single finding_trace() query.

privilege factprivilege:pid:8148:SeCreateTokenPrivilege
vol_privileges
Raw tool output · 3ae01df570af24ace8af91c08e210955045d96af
{"Attributes": "", "Description": "Create a token object", "PID": 8148, "Privilege": "SeCreateTokenPrivilege", "Process": "rundll32.exe", "Value": 2, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeAssignPrimaryTokenPrivilege
vol_privileges
Raw tool output · 5def5ae786d5e50db74cc10d37da8500ddae54d5
{"Attributes": "", "Description": "Replace a process-level token", "PID": 8148, "Privilege": "SeAssignPrimaryTokenPrivilege", "Process": "rundll32.exe", "Value": 3, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeLockMemoryPrivilege
vol_privileges
Raw tool output · 0e492beffda0b984b95f53ebf7b93ae93c3ead39
{"Attributes": "", "Description": "Lock pages in memory", "PID": 8148, "Privilege": "SeLockMemoryPrivilege", "Process": "rundll32.exe", "Value": 4, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeIncreaseQuotaPrivilege
vol_privileges
Raw tool output · 70b6ae953be42f8ab1771b9dbe73f21f19c00643
{"Attributes": "Present,Enabled,Default", "Description": "Increase quotas", "PID": 8148, "Privilege": "SeIncreaseQuotaPrivilege", "Process": "rundll32.exe", "Value": 5, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeMachineAccountPrivilege
vol_privileges
Raw tool output · b0992ffb1dc130a9475e29dd2cd255666cad8ad9
{"Attributes": "", "Description": "Add workstations to the domain", "PID": 8148, "Privilege": "SeMachineAccountPrivilege", "Process": "rundll32.exe", "Value": 6, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeTcbPrivilege
vol_privileges
Raw tool output · 32b22d71ae519fe8f34ae6c2c23eff684a40ec34
{"Attributes": "", "Description": "Act as part of the operating system", "PID": 8148, "Privilege": "SeTcbPrivilege", "Process": "rundll32.exe", "Value": 7, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeSecurityPrivilege
vol_privileges
Raw tool output · 0ce4ab686f4e3a09187012f44239381d0c4d5cf6
{"Attributes": "Present,Enabled,Default", "Description": "Manage auditing and security log", "PID": 8148, "Privilege": "SeSecurityPrivilege", "Process": "rundll32.exe", "Value": 8, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeTakeOwnershipPrivilege
vol_privileges
Raw tool output · 2a0639192d8a35c1a7f858cde8d0a3b3522780bf
{"Attributes": "Present,Enabled,Default", "Description": "Take ownership of files/objects", "PID": 8148, "Privilege": "SeTakeOwnershipPrivilege", "Process": "rundll32.exe", "Value": 9, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeLoadDriverPrivilege
vol_privileges
Raw tool output · 3ecbb138ab0395b5607ff57514a4ec0bb5247e9a
{"Attributes": "Present,Enabled,Default", "Description": "Load and unload device drivers", "PID": 8148, "Privilege": "SeLoadDriverPrivilege", "Process": "rundll32.exe", "Value": 10, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeSystemProfilePrivilege
vol_privileges
Raw tool output · ee576593d7e57df3abc640dcbe8583db14b0378d
{"Attributes": "Present,Enabled,Default", "Description": "Profile system performance", "PID": 8148, "Privilege": "SeSystemProfilePrivilege", "Process": "rundll32.exe", "Value": 11, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeSystemtimePrivilege
vol_privileges
Raw tool output · 6348e337982cef8f27f1033f8a256bf68952d577
{"Attributes": "Present,Enabled,Default", "Description": "Change the system time", "PID": 8148, "Privilege": "SeSystemtimePrivilege", "Process": "rundll32.exe", "Value": 12, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeProfileSingleProcessPrivilege
vol_privileges
Raw tool output · 72aa6befae09546f6fca3aa40c770b7510cec388
{"Attributes": "Present,Enabled,Default", "Description": "Profile a single process", "PID": 8148, "Privilege": "SeProfileSingleProcessPrivilege", "Process": "rundll32.exe", "Value": 13, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeIncreaseBasePriorityPrivilege
vol_privileges
Raw tool output · 0beab426db2f8b16ff59a7e4376ae7aace87502c
{"Attributes": "Present,Enabled,Default", "Description": "Increase scheduling priority", "PID": 8148, "Privilege": "SeIncreaseBasePriorityPrivilege", "Process": "rundll32.exe", "Value": 14, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeCreatePagefilePrivilege
vol_privileges
Raw tool output · dabd1c38df044df8148774dd27f4ea25a0b332e8
{"Attributes": "Present,Enabled,Default", "Description": "Create a pagefile", "PID": 8148, "Privilege": "SeCreatePagefilePrivilege", "Process": "rundll32.exe", "Value": 15, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeCreatePermanentPrivilege
vol_privileges
Raw tool output · cc1229b7f9f69f68265394d7a10bcd40d8fc1fa3
{"Attributes": "", "Description": "Create permanent shared objects", "PID": 8148, "Privilege": "SeCreatePermanentPrivilege", "Process": "rundll32.exe", "Value": 16, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeBackupPrivilege
vol_privileges
Raw tool output · 2613623a00e18a122ee95399c2578957a83f4e2a
{"Attributes": "Present,Enabled,Default", "Description": "Backup files and directories", "PID": 8148, "Privilege": "SeBackupPrivilege", "Process": "rundll32.exe", "Value": 17, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeRestorePrivilege
vol_privileges
Raw tool output · c11a9c48e27f5d3b879864271da584cae0fc5062
{"Attributes": "Present,Enabled,Default", "Description": "Restore files and directories", "PID": 8148, "Privilege": "SeRestorePrivilege", "Process": "rundll32.exe", "Value": 18, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeShutdownPrivilege
vol_privileges
Raw tool output · 1c4397bf9865bf25644c9f7d57350b2e1ee9b6b8
{"Attributes": "Present,Enabled,Default", "Description": "Shut down the system", "PID": 8148, "Privilege": "SeShutdownPrivilege", "Process": "rundll32.exe", "Value": 19, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeDebugPrivilege
vol_privileges
Raw tool output · 10231bc1fce6469e5665681b8617a1805f3538f4
{"Attributes": "Present,Enabled,Default", "Description": "Debug programs", "PID": 8148, "Privilege": "SeDebugPrivilege", "Process": "rundll32.exe", "Value": 20, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeAuditPrivilege
vol_privileges
Raw tool output · 25890011580ed56a6e8c34fd773c231407055c6f
{"Attributes": "", "Description": "Generate security audits", "PID": 8148, "Privilege": "SeAuditPrivilege", "Process": "rundll32.exe", "Value": 21, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeSystemEnvironmentPrivilege
vol_privileges
Raw tool output · bdbf36a4b7e63ca3008d3b14853f0e1419d172f1
{"Attributes": "Present,Enabled,Default", "Description": "Edit firmware environment values", "PID": 8148, "Privilege": "SeSystemEnvironmentPrivilege", "Process": "rundll32.exe", "Value": 22, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeChangeNotifyPrivilege
vol_privileges
Raw tool output · 938a3a5ed6d6bf8c64939f3dbba9be710631657b
{"Attributes": "Present,Enabled,Default", "Description": "Receive notifications of changes to files or directories", "PID": 8148, "Privilege": "SeChangeNotifyPrivilege", "Process": "rundll32.exe", "Value": 23, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeRemoteShutdownPrivilege
vol_privileges
Raw tool output · 3968db6f4225e055357e0007e2d9c3dc97a1d8d7
{"Attributes": "Present,Enabled,Default", "Description": "Force shutdown from a remote system", "PID": 8148, "Privilege": "SeRemoteShutdownPrivilege", "Process": "rundll32.exe", "Value": 24, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeUndockPrivilege
vol_privileges
Raw tool output · 1e4e2b89702d5725735835db97068a8e72e25348
{"Attributes": "Present,Enabled,Default", "Description": "Remove computer from docking station", "PID": 8148, "Privilege": "SeUndockPrivilege", "Process": "rundll32.exe", "Value": 25, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeSyncAgentPrivilege
vol_privileges
Raw tool output · ffb3d921ff1d25ccc3b735045fd0362c5bbc2b71
{"Attributes": "", "Description": "Synch directory service data", "PID": 8148, "Privilege": "SeSyncAgentPrivilege", "Process": "rundll32.exe", "Value": 26, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeEnableDelegationPrivilege
vol_privileges
Raw tool output · 736218eac43db91e5a05a5ca10136f78d18b3c4f
{"Attributes": "", "Description": "Enable user accounts to be trusted for delegation", "PID": 8148, "Privilege": "SeEnableDelegationPrivilege", "Process": "rundll32.exe", "Value": 27, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeManageVolumePrivilege
vol_privileges
Raw tool output · 67e38ecada087f92dc9afd8b331f258f87f3307b
{"Attributes": "Present,Enabled,Default", "Description": "Manage the files on a volume", "PID": 8148, "Privilege": "SeManageVolumePrivilege", "Process": "rundll32.exe", "Value": 28, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeImpersonatePrivilege
vol_privileges
Raw tool output · be08394bd8fe283bd3d0527ab70b809b63e28342
{"Attributes": "Present,Enabled,Default", "Description": "Impersonate a client after authentication", "PID": 8148, "Privilege": "SeImpersonatePrivilege", "Process": "rundll32.exe", "Value": 29, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeCreateGlobalPrivilege
vol_privileges
Raw tool output · 9a9eadd28ebc913a272493b967b616f0aa610e95
{"Attributes": "Present,Enabled,Default", "Description": "Create global objects", "PID": 8148, "Privilege": "SeCreateGlobalPrivilege", "Process": "rundll32.exe", "Value": 30, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeTrustedCredManAccessPrivilege
vol_privileges
Raw tool output · 1354b8c6b8963d76719b084f8a6757c697ab43c4
{"Attributes": "", "Description": "Access Credential Manager as a trusted caller", "PID": 8148, "Privilege": "SeTrustedCredManAccessPrivilege", "Process": "rundll32.exe", "Value": 31, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeRelabelPrivilege
vol_privileges
Raw tool output · dc3d55016793d52559e4584b725a07a11a20a37a
{"Attributes": "", "Description": "Modify the mandatory integrity level of an object", "PID": 8148, "Privilege": "SeRelabelPrivilege", "Process": "rundll32.exe", "Value": 32, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeIncreaseWorkingSetPrivilege
vol_privileges
Raw tool output · d278de3bba806fdb49af8faaa73e8d128dc6c380
{"Attributes": "Present,Enabled,Default", "Description": "Allocate more memory for user applications", "PID": 8148, "Privilege": "SeIncreaseWorkingSetPrivilege", "Process": "rundll32.exe", "Value": 33, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeTimeZonePrivilege
vol_privileges
Raw tool output · 5e2304d8d40da52f248dba0f5eeceb72a78ecbd5
{"Attributes": "Present,Enabled,Default", "Description": "Adjust the time zone of the computer's internal clock", "PID": 8148, "Privilege": "SeTimeZonePrivilege", "Process": "rundll32.exe", "Value": 34, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeCreateSymbolicLinkPrivilege
vol_privileges
Raw tool output · fecc5b54e7d58ea59e84a0e494cbdd7a149fb293
{"Attributes": "Present,Enabled,Default", "Description": "Required to create a symbolic link", "PID": 8148, "Privilege": "SeCreateSymbolicLinkPrivilege", "Process": "rundll32.exe", "Value": 35, "TreeDepth": 0}
privilege factprivilege:pid:8148:SeDelegateSessionUserImpersonatePrivilege
vol_privileges
Raw tool output · 8dc5833f7a782a1dac200d9cce089abd2ab34ed9
{"Attributes": "Present,Enabled,Default", "Description": "Obtain an impersonation token for another user in the same session.", "PID": 8148, "Privilege": "SeDelegateSessionUserImpersonatePrivilege", "Process": "rundll32.exe", "Value": 36, "TreeDepth": 0}
process cmdline factcmdline:pid:8148
vol_cmdline
Raw tool output · abe58affa1b88ebe0c8ab5c969fe6e72c4d2d85a
{"Args": null, "PID": 8148, "Process": "rundll32.exe", "TreeDepth": 0}
process factpid:8148
vol_psscanvol_pstree
Raw tool output · 71643913a0a0f0d584e7c313f16c579b09552163
{"CreateTime": "2018-08-31T00:56:14+00:00", "ExitTime": "2018-08-31T00:56:30+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518723040640, "PID": 8148, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": true, "TreeDepth": 0}
process relationship factpid:8148->pid:5848
vol_psscanvol_pstree
Raw tool output · b75b35017a67938ecd333973a8fb8a7746a24ee9
{"CreateTime": "2018-08-31T00:56:14+00:00", "ExitTime": "2018-08-31T00:56:30+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518723040640, "PID": 8148, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": true, "TreeDepth": 0}
sid factsid:pid:8148:S-1-5-21-3445421715-2530590580-3149308974-1193
vol_getsids
Raw tool output · 02a6f64678e60996ab2e172facdab075fb9a1263
{"Name": "spsql", "PID": 8148, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-1193", "TreeDepth": 0}
sid factsid:pid:8148:S-1-5-21-3445421715-2530590580-3149308974-513
vol_getsids
Raw tool output · 2abc90f3edf1fba6b819021864aface1eb114002
{"Name": "Domain Users", "PID": 8148, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-513", "TreeDepth": 0}
sid factsid:pid:8148:S-1-1-0
vol_getsids
Raw tool output · fca6abcf645a5491872a4fd38d3bec0826f93d24
{"Name": "Everyone", "PID": 8148, "Process": "rundll32.exe", "SID": "S-1-1-0", "TreeDepth": 0}
sid factsid:pid:8148:S-1-5-32-545
vol_getsids
Raw tool output · ef3bdd3c1dd3b02c82ae87ef25da79a82aa14092
{"Name": "Users", "PID": 8148, "Process": "rundll32.exe", "SID": "S-1-5-32-545", "TreeDepth": 0}
sid factsid:pid:8148:S-1-5-32-544
vol_getsids
Raw tool output · abaf3270eb6ea06fd1f216d41c64e2393e5b76f2
{"Name": "Administrators", "PID": 8148, "Process": "rundll32.exe", "SID": "S-1-5-32-544", "TreeDepth": 0}
sid factsid:pid:8148:S-1-5-2
vol_getsids
Raw tool output · 6a73df34c168a8df591b0aaf0f57d14832a0c4af
{"Name": "Network", "PID": 8148, "Process": "rundll32.exe", "SID": "S-1-5-2", "TreeDepth": 0}
sid factsid:pid:8148:S-1-5-11
vol_getsids
Raw tool output · 42743ebdc3a17e9a1102e730e5cfa19360f2b6e1
{"Name": "Authenticated Users", "PID": 8148, "Process": "rundll32.exe", "SID": "S-1-5-11", "TreeDepth": 0}
sid factsid:pid:8148:S-1-5-15
vol_getsids
Raw tool output · 17a4af139e78f84837ce6a54c34b61466ae743af
{"Name": "This Organization", "PID": 8148, "Process": "rundll32.exe", "SID": "S-1-5-15", "TreeDepth": 0}
sid factsid:pid:8148:S-1-5-21-3445421715-2530590580-3149308974-512
vol_getsids
Raw tool output · ce15ade7a0731a1400a5063af2c7bc91b1f53d55
{"Name": "Domain Admins", "PID": 8148, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-512", "TreeDepth": 0}
sid factsid:pid:8148:S-1-18-1
vol_getsids
Raw tool output · 3b466c83bf72c1edb87d917730f1f387ae225385
{"Name": "Authentication Authority Asserted Identity", "PID": 8148, "Process": "rundll32.exe", "SID": "S-1-18-1", "TreeDepth": 0}
sid factsid:pid:8148:S-1-5-21-3445421715-2530590580-3149308974-572
vol_getsids
Raw tool output · 67f222ad25a7f7811ae5c20a326fabf4bd410dfd
{"Name": null, "PID": 8148, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-572", "TreeDepth": 0}
sid factsid:pid:8148:S-1-16-12288
vol_getsids
Raw tool output · 216191b2919679f63836e731d1ad0e15b8deef86
{"Name": "High Mandatory Level", "PID": 8148, "Process": "rundll32.exe", "SID": "S-1-16-12288", "TreeDepth": 0}

Source tools

vol_cmdline, vol_pstree, vol_psxview