F012 · MEDIUM · Suspicious · validator: passed
rundll32.exe defense-evasion chain (null cmdline)
rundll32 chain with null command lines spawned by staged p.exe
Analyst narrative
Multiple rundll32.exe processes (PIDs 5768, 7552, 1424) parented by p.exe PID 8260 with null command lines, and additional rundll32 processes (PIDs 2216, 4108, 5452, 5588, 6768, 8148) parented by powershell.exe PID 5848. Indicates defense evasion via LOLBin proxy execution.
Claims asserted
pid · vol_pstree, vol_cmdline, vol_psscan
user_account · spsql
Proof chain · 50 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
• privilege fact · privilege:pid:5768:SeCreateTokenPrivilege · vol_privileges
Raw tool output · 215fe2f22cc2ba452db3de10873da8997690a600
{"Attributes": "", "Description": "Create a token object", "PID": 5768, "Privilege": "SeCreateTokenPrivilege", "Process": "rundll32.exe", "Value": 2, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeAssignPrimaryTokenPrivilege · vol_privileges
Raw tool output · 26ad00e9480f01fd25b8e3ba41201b384ed4a24c
{"Attributes": "", "Description": "Replace a process-level token", "PID": 5768, "Privilege": "SeAssignPrimaryTokenPrivilege", "Process": "rundll32.exe", "Value": 3, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeLockMemoryPrivilege · vol_privileges
Raw tool output · bc3c4313d75046d6c30665f8d4535651445c5ea9
{"Attributes": "", "Description": "Lock pages in memory", "PID": 5768, "Privilege": "SeLockMemoryPrivilege", "Process": "rundll32.exe", "Value": 4, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeIncreaseQuotaPrivilege · vol_privileges
Raw tool output · d87c12969e74908b72f95edb66c3b1caf4be8b42
{"Attributes": "Present,Enabled,Default", "Description": "Increase quotas", "PID": 5768, "Privilege": "SeIncreaseQuotaPrivilege", "Process": "rundll32.exe", "Value": 5, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeMachineAccountPrivilege · vol_privileges
Raw tool output · 950e309b500051033355e30428ce02dd5fb95f0d
{"Attributes": "", "Description": "Add workstations to the domain", "PID": 5768, "Privilege": "SeMachineAccountPrivilege", "Process": "rundll32.exe", "Value": 6, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeTcbPrivilege · vol_privileges
Raw tool output · c4014396bb5927cbdd62a13898d3ccbf71e136bd
{"Attributes": "", "Description": "Act as part of the operating system", "PID": 5768, "Privilege": "SeTcbPrivilege", "Process": "rundll32.exe", "Value": 7, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeSecurityPrivilege · vol_privileges
Raw tool output · 0d2eaf19c1e35cb7470708a6d7f3cfb97eb0e611
{"Attributes": "Present,Enabled,Default", "Description": "Manage auditing and security log", "PID": 5768, "Privilege": "SeSecurityPrivilege", "Process": "rundll32.exe", "Value": 8, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeTakeOwnershipPrivilege · vol_privileges
Raw tool output · e53d31c3259de5ee33762404658a70be76802d94
{"Attributes": "Present,Enabled,Default", "Description": "Take ownership of files/objects", "PID": 5768, "Privilege": "SeTakeOwnershipPrivilege", "Process": "rundll32.exe", "Value": 9, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeLoadDriverPrivilege · vol_privileges
Raw tool output · e6a82a2852c6c6f39b96e3ec730dce30d044e60a
{"Attributes": "Present,Enabled,Default", "Description": "Load and unload device drivers", "PID": 5768, "Privilege": "SeLoadDriverPrivilege", "Process": "rundll32.exe", "Value": 10, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeSystemProfilePrivilege · vol_privileges
Raw tool output · d33f0dfe8301ccfa80ceff13e496e4adb7f54efb
{"Attributes": "Present,Enabled,Default", "Description": "Profile system performance", "PID": 5768, "Privilege": "SeSystemProfilePrivilege", "Process": "rundll32.exe", "Value": 11, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeSystemtimePrivilege · vol_privileges
Raw tool output · cc8b886befe5ce5e9d4e6f00e02320bfc0d1a513
{"Attributes": "Present,Enabled,Default", "Description": "Change the system time", "PID": 5768, "Privilege": "SeSystemtimePrivilege", "Process": "rundll32.exe", "Value": 12, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeProfileSingleProcessPrivilege · vol_privileges
Raw tool output · 54d787f5608850376f164b58f8a0855a8611a352
{"Attributes": "Present,Enabled,Default", "Description": "Profile a single process", "PID": 5768, "Privilege": "SeProfileSingleProcessPrivilege", "Process": "rundll32.exe", "Value": 13, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeIncreaseBasePriorityPrivilege · vol_privileges
Raw tool output · 08b535dfba012ff292b738bf1ce158a4966410eb
{"Attributes": "Present,Enabled,Default", "Description": "Increase scheduling priority", "PID": 5768, "Privilege": "SeIncreaseBasePriorityPrivilege", "Process": "rundll32.exe", "Value": 14, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeCreatePagefilePrivilege · vol_privileges
Raw tool output · 096d0045b3a02084df27dfc6c09f40eb33856025
{"Attributes": "Present,Enabled,Default", "Description": "Create a pagefile", "PID": 5768, "Privilege": "SeCreatePagefilePrivilege", "Process": "rundll32.exe", "Value": 15, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeCreatePermanentPrivilege · vol_privileges
Raw tool output · 8d974f511a51264caa90f407d502191c948ce9ea
{"Attributes": "", "Description": "Create permanent shared objects", "PID": 5768, "Privilege": "SeCreatePermanentPrivilege", "Process": "rundll32.exe", "Value": 16, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeBackupPrivilege · vol_privileges
Raw tool output · 3068f8c4ff732ef7971012cb52a4b4be35663513
{"Attributes": "Present,Enabled,Default", "Description": "Backup files and directories", "PID": 5768, "Privilege": "SeBackupPrivilege", "Process": "rundll32.exe", "Value": 17, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeRestorePrivilege · vol_privileges
Raw tool output · 0821b478e00f64432e552ba63f655f659418a961
{"Attributes": "Present,Enabled,Default", "Description": "Restore files and directories", "PID": 5768, "Privilege": "SeRestorePrivilege", "Process": "rundll32.exe", "Value": 18, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeShutdownPrivilege · vol_privileges
Raw tool output · e6f3c507ed802de125e6966db51ba1062fba822d
{"Attributes": "Present,Enabled,Default", "Description": "Shut down the system", "PID": 5768, "Privilege": "SeShutdownPrivilege", "Process": "rundll32.exe", "Value": 19, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeDebugPrivilege · vol_privileges
Raw tool output · e7930dfc0ba950a0b37285123119022ab6037684
{"Attributes": "Present,Enabled,Default", "Description": "Debug programs", "PID": 5768, "Privilege": "SeDebugPrivilege", "Process": "rundll32.exe", "Value": 20, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeAuditPrivilege · vol_privileges
Raw tool output · 6c7036d83a5a6f48de11c5f5f6b2915743f04e4d
{"Attributes": "", "Description": "Generate security audits", "PID": 5768, "Privilege": "SeAuditPrivilege", "Process": "rundll32.exe", "Value": 21, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeSystemEnvironmentPrivilege · vol_privileges
Raw tool output · 93dc39f51c8b68b85ef4d07bdb179071a3050fb6
{"Attributes": "Present,Enabled,Default", "Description": "Edit firmware environment values", "PID": 5768, "Privilege": "SeSystemEnvironmentPrivilege", "Process": "rundll32.exe", "Value": 22, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeChangeNotifyPrivilege · vol_privileges
Raw tool output · 8f361701293aa7f44684821491c7bbe680213ded
{"Attributes": "Present,Enabled,Default", "Description": "Receive notifications of changes to files or directories", "PID": 5768, "Privilege": "SeChangeNotifyPrivilege", "Process": "rundll32.exe", "Value": 23, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeRemoteShutdownPrivilege · vol_privileges
Raw tool output · cb664c3c4403940e9658f5957f14d0704088e77a
{"Attributes": "Present,Enabled,Default", "Description": "Force shutdown from a remote system", "PID": 5768, "Privilege": "SeRemoteShutdownPrivilege", "Process": "rundll32.exe", "Value": 24, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeUndockPrivilege · vol_privileges
Raw tool output · 2f1889d83f3665e180de58987e4339165258d3a4
{"Attributes": "Present,Enabled,Default", "Description": "Remove computer from docking station", "PID": 5768, "Privilege": "SeUndockPrivilege", "Process": "rundll32.exe", "Value": 25, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeSyncAgentPrivilege · vol_privileges
Raw tool output · bd7f4f341ad8499fea7e8890ceec9f9c7891d5b4
{"Attributes": "", "Description": "Synch directory service data", "PID": 5768, "Privilege": "SeSyncAgentPrivilege", "Process": "rundll32.exe", "Value": 26, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeEnableDelegationPrivilege · vol_privileges
Raw tool output · 787239222fda7f3bd3522e24ca516c4bb05e249a
{"Attributes": "", "Description": "Enable user accounts to be trusted for delegation", "PID": 5768, "Privilege": "SeEnableDelegationPrivilege", "Process": "rundll32.exe", "Value": 27, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeManageVolumePrivilege · vol_privileges
Raw tool output · be8cb673e114afda4c7add257fae2be7f263a4c7
{"Attributes": "Present,Enabled,Default", "Description": "Manage the files on a volume", "PID": 5768, "Privilege": "SeManageVolumePrivilege", "Process": "rundll32.exe", "Value": 28, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeImpersonatePrivilege · vol_privileges
Raw tool output · 5bdfe9d77bd42fdc5d2a8271130acf0ce8751bf7
{"Attributes": "Present,Enabled,Default", "Description": "Impersonate a client after authentication", "PID": 5768, "Privilege": "SeImpersonatePrivilege", "Process": "rundll32.exe", "Value": 29, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeCreateGlobalPrivilege · vol_privileges
Raw tool output · abe3b1791d370ad6b7ddf42381fa63faa4f8a792
{"Attributes": "Present,Enabled,Default", "Description": "Create global objects", "PID": 5768, "Privilege": "SeCreateGlobalPrivilege", "Process": "rundll32.exe", "Value": 30, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeTrustedCredManAccessPrivilege · vol_privileges
Raw tool output · 803830c71724d09aa660e2dbcb9f5e986899b72f
{"Attributes": "", "Description": "Access Credential Manager as a trusted caller", "PID": 5768, "Privilege": "SeTrustedCredManAccessPrivilege", "Process": "rundll32.exe", "Value": 31, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeRelabelPrivilege · vol_privileges
Raw tool output · f998a07b6ba79bb83e747d245882a88130588231
{"Attributes": "", "Description": "Modify the mandatory integrity level of an object", "PID": 5768, "Privilege": "SeRelabelPrivilege", "Process": "rundll32.exe", "Value": 32, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeIncreaseWorkingSetPrivilege · vol_privileges
Raw tool output · 0b5147c11ace1710765ea89ebcbd804ee28c69f1
{"Attributes": "Present,Enabled,Default", "Description": "Allocate more memory for user applications", "PID": 5768, "Privilege": "SeIncreaseWorkingSetPrivilege", "Process": "rundll32.exe", "Value": 33, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeTimeZonePrivilege · vol_privileges
Raw tool output · ed3e4dad7a94f8effed1e61db660ffc1195e9877
{"Attributes": "Present,Enabled,Default", "Description": "Adjust the time zone of the computer's internal clock", "PID": 5768, "Privilege": "SeTimeZonePrivilege", "Process": "rundll32.exe", "Value": 34, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeCreateSymbolicLinkPrivilege · vol_privileges
Raw tool output · 00c13f4d246ad0a5c58a79b3c5f0f50acadb1c51
{"Attributes": "Present,Enabled,Default", "Description": "Required to create a symbolic link", "PID": 5768, "Privilege": "SeCreateSymbolicLinkPrivilege", "Process": "rundll32.exe", "Value": 35, "TreeDepth": 0}

• privilege fact · privilege:pid:5768:SeDelegateSessionUserImpersonatePrivilege · vol_privileges
Raw tool output · 9c48f18c5fd085fd11ef1e905761d42be0e07a9f
{"Attributes": "Present,Enabled,Default", "Description": "Obtain an impersonation token for another user in the same session.", "PID": 5768, "Privilege": "SeDelegateSessionUserImpersonatePrivilege", "Process": "rundll32.exe", "Value": 36, "TreeDepth": 0}

• process cmdline fact · cmdline:pid:5768 · vol_cmdline
Raw tool output · de3259d2be14acb504234dd14f3166d86a9dfce1
{"Args": null, "PID": 5768, "Process": "rundll32.exe", "TreeDepth": 0}

▣ process fact · pid:5768 · vol_psscan, vol_pstree
Raw tool output · eb626521d27f70eccdeac2208cf95527d500f144
{"CreateTime": "2018-09-05T12:01:32+00:00", "ExitTime": "2018-09-05T12:01:40+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518827255040, "PID": 5768, "PPID": 8260, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}

▣ process relationship fact · pid:5768->pid:8260 · vol_psscan, vol_pstree
Raw tool output · 7d05d8db57f370ecc0e62ab9820ccff1eda5db2d
{"CreateTime": "2018-09-05T12:01:32+00:00", "ExitTime": "2018-09-05T12:01:40+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518827255040, "PID": 5768, "PPID": 8260, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}

• sid fact · sid:pid:5768:S-1-5-21-3445421715-2530590580-3149308974-1193 · vol_getsids
Raw tool output · 1da0e2a3320ff9b04e4ea059b62df19de54395d8
{"Name": "spsql", "PID": 5768, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-1193", "TreeDepth": 0}

• sid fact · sid:pid:5768:S-1-5-21-3445421715-2530590580-3149308974-513 · vol_getsids
Raw tool output · a0157ae461ba81ff7954c05a8f03433811ff7e0c
{"Name": "Domain Users", "PID": 5768, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-513", "TreeDepth": 0}

• sid fact · sid:pid:5768:S-1-1-0 · vol_getsids
Raw tool output · 1f07d1bcfc8e94c7a6086c6c0f17cdfbc776efbf
{"Name": "Everyone", "PID": 5768, "Process": "rundll32.exe", "SID": "S-1-1-0", "TreeDepth": 0}

• sid fact · sid:pid:5768:S-1-5-32-545 · vol_getsids
Raw tool output · c1a49403c42f630200b73fd4bca8271401230fc1
{"Name": "Users", "PID": 5768, "Process": "rundll32.exe", "SID": "S-1-5-32-545", "TreeDepth": 0}

• sid fact · sid:pid:5768:S-1-5-32-544 · vol_getsids
Raw tool output · a3f0a04052a77c1a889a3184bcb2de65eb2c5089
{"Name": "Administrators", "PID": 5768, "Process": "rundll32.exe", "SID": "S-1-5-32-544", "TreeDepth": 0}

• sid fact · sid:pid:5768:S-1-5-2 · vol_getsids
Raw tool output · 50dfd71d4d692eaed7ff76e4cc56bd4fba78fe25
{"Name": "Network", "PID": 5768, "Process": "rundll32.exe", "SID": "S-1-5-2", "TreeDepth": 0}

• sid fact · sid:pid:5768:S-1-5-11 · vol_getsids
Raw tool output · e30c372ecf7ba653ff61907caa5d5243f27e8717
{"Name": "Authenticated Users", "PID": 5768, "Process": "rundll32.exe", "SID": "S-1-5-11", "TreeDepth": 0}

• sid fact · sid:pid:5768:S-1-5-15 · vol_getsids
Raw tool output · b8eedecae3ed8891656054ec49ff012e32e8a611
{"Name": "This Organization", "PID": 5768, "Process": "rundll32.exe", "SID": "S-1-5-15", "TreeDepth": 0}

• sid fact · sid:pid:5768:S-1-5-21-3445421715-2530590580-3149308974-512 · vol_getsids
Raw tool output · ad598279e9b5ec681407491c7bbca918b0f0fdd2
{"Name": "Domain Admins", "PID": 5768, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-512", "TreeDepth": 0}

• sid fact · sid:pid:5768:S-1-18-1 · vol_getsids
Raw tool output · 82370ac702213f55f61dfd33bb12b8432ad4c0c1
{"Name": "Authentication Authority Asserted Identity", "PID": 5768, "Process": "rundll32.exe", "SID": "S-1-18-1", "TreeDepth": 0}

• sid fact · sid:pid:5768:S-1-5-21-3445421715-2530590580-3149308974-572 · vol_getsids
Raw tool output · 8afb11ffb7324d8168e421bc55c2887e0e8230cf
{"Name": null, "PID": 5768, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-572", "TreeDepth": 0}

• sid fact · sid:pid:5768:S-1-16-12288 · vol_getsids
Raw tool output · 124eed9baabefba0242f37d470fccab2701ac33d
{"Name": "High Mandatory Level", "PID": 5768, "Process": "rundll32.exe", "SID": "S-1-16-12288", "TreeDepth": 0}

Source tools · vol_cmdline, vol_psscan, vol_pstree