Veritas
F023 · MEDIUM · Suspicious · validator: passed

Multiple rundll32 children with null command lines (injection/evasion)

rundll32.exe processes spawned with null command lines

Analyst narrative

Numerous rundll32.exe processes spawned from powershell.exe PID 5848 and p.exe PID 8260 with null command lines and short lifetimes — indicative of process injection / defense evasion. Note that the process fact for PID 6768 records an ExitTime roughly 31 seconds after CreateTime and zero threads, so a null Args value from vol_cmdline can also result from the process having already terminated before acquisition; the null command line should be weighed together with the short lifetime, the enabled SeDebugPrivilege, and the Administrators / Domain Admins / High Mandatory Level SIDs rather than on its own.

Claims asserted

pid — vol_pstree, vol_cmdline, vol_psscan
user_account — spsql

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

privilege factprivilege:pid:6768:SeCreateTokenPrivilege
vol_privileges
Raw tool output · 91209bed11c17388e75b44d5f7a65fc21c0ae429
{"Attributes": "", "Description": "Create a token object", "PID": 6768, "Privilege": "SeCreateTokenPrivilege", "Process": "rundll32.exe", "Value": 2, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeAssignPrimaryTokenPrivilege
vol_privileges
Raw tool output · a6448e4797ee359c6dce9c00236f547448410c10
{"Attributes": "", "Description": "Replace a process-level token", "PID": 6768, "Privilege": "SeAssignPrimaryTokenPrivilege", "Process": "rundll32.exe", "Value": 3, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeLockMemoryPrivilege
vol_privileges
Raw tool output · 3b846fbd7e6671c56c16f0771f22027500875126
{"Attributes": "", "Description": "Lock pages in memory", "PID": 6768, "Privilege": "SeLockMemoryPrivilege", "Process": "rundll32.exe", "Value": 4, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeIncreaseQuotaPrivilege
vol_privileges
Raw tool output · e988bf0eefbbf2c546c1fef4af6818c03a622671
{"Attributes": "Present,Enabled,Default", "Description": "Increase quotas", "PID": 6768, "Privilege": "SeIncreaseQuotaPrivilege", "Process": "rundll32.exe", "Value": 5, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeMachineAccountPrivilege
vol_privileges
Raw tool output · d63fb600cb55c54e2639bba7329119c6acd5c33b
{"Attributes": "", "Description": "Add workstations to the domain", "PID": 6768, "Privilege": "SeMachineAccountPrivilege", "Process": "rundll32.exe", "Value": 6, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeTcbPrivilege
vol_privileges
Raw tool output · a94988f29b3b90678a54e0caeaec89877da7cc41
{"Attributes": "", "Description": "Act as part of the operating system", "PID": 6768, "Privilege": "SeTcbPrivilege", "Process": "rundll32.exe", "Value": 7, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeSecurityPrivilege
vol_privileges
Raw tool output · 98b1b217861fb8dfc1d51fe495f6f4547820a4d6
{"Attributes": "Present,Enabled,Default", "Description": "Manage auditing and security log", "PID": 6768, "Privilege": "SeSecurityPrivilege", "Process": "rundll32.exe", "Value": 8, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeTakeOwnershipPrivilege
vol_privileges
Raw tool output · d94cd196aefab13a76035de696a33fc07d528783
{"Attributes": "Present,Enabled,Default", "Description": "Take ownership of files/objects", "PID": 6768, "Privilege": "SeTakeOwnershipPrivilege", "Process": "rundll32.exe", "Value": 9, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeLoadDriverPrivilege
vol_privileges
Raw tool output · 9b0e3c9c8ecc94ed2c187139cea69db81a4ae757
{"Attributes": "Present,Enabled,Default", "Description": "Load and unload device drivers", "PID": 6768, "Privilege": "SeLoadDriverPrivilege", "Process": "rundll32.exe", "Value": 10, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeSystemProfilePrivilege
vol_privileges
Raw tool output · f76f7d55a80b7ae65d2b26fa7c84f8e32dd8a417
{"Attributes": "Present,Enabled,Default", "Description": "Profile system performance", "PID": 6768, "Privilege": "SeSystemProfilePrivilege", "Process": "rundll32.exe", "Value": 11, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeSystemtimePrivilege
vol_privileges
Raw tool output · 86dd44c07cb6a7e9b666cdf32fa425b73d50ce79
{"Attributes": "Present,Enabled,Default", "Description": "Change the system time", "PID": 6768, "Privilege": "SeSystemtimePrivilege", "Process": "rundll32.exe", "Value": 12, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeProfileSingleProcessPrivilege
vol_privileges
Raw tool output · 7d8bf856b597b0f045ee971654cd9ea58b7bb616
{"Attributes": "Present,Enabled,Default", "Description": "Profile a single process", "PID": 6768, "Privilege": "SeProfileSingleProcessPrivilege", "Process": "rundll32.exe", "Value": 13, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeIncreaseBasePriorityPrivilege
vol_privileges
Raw tool output · fb2dda586866c34f93d0f4fe21d2118929295470
{"Attributes": "Present,Enabled,Default", "Description": "Increase scheduling priority", "PID": 6768, "Privilege": "SeIncreaseBasePriorityPrivilege", "Process": "rundll32.exe", "Value": 14, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeCreatePagefilePrivilege
vol_privileges
Raw tool output · c8c1d0f7c095abfcadb5c3f4fdb9cb366f7c7c08
{"Attributes": "Present,Enabled,Default", "Description": "Create a pagefile", "PID": 6768, "Privilege": "SeCreatePagefilePrivilege", "Process": "rundll32.exe", "Value": 15, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeCreatePermanentPrivilege
vol_privileges
Raw tool output · 65ed1402186165998bb54d3dc0199c2b6a6bc66e
{"Attributes": "", "Description": "Create permanent shared objects", "PID": 6768, "Privilege": "SeCreatePermanentPrivilege", "Process": "rundll32.exe", "Value": 16, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeBackupPrivilege
vol_privileges
Raw tool output · afd78f9937189a9db0c0b5d659fc139dea7d3de0
{"Attributes": "Present,Enabled,Default", "Description": "Backup files and directories", "PID": 6768, "Privilege": "SeBackupPrivilege", "Process": "rundll32.exe", "Value": 17, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeRestorePrivilege
vol_privileges
Raw tool output · 5d400a9af22cab882a090b9d14d4d5d511520619
{"Attributes": "Present,Enabled,Default", "Description": "Restore files and directories", "PID": 6768, "Privilege": "SeRestorePrivilege", "Process": "rundll32.exe", "Value": 18, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeShutdownPrivilege
vol_privileges
Raw tool output · 1e53fe08296c67506ae8b890825a08e2f7bd5c0a
{"Attributes": "Present,Enabled,Default", "Description": "Shut down the system", "PID": 6768, "Privilege": "SeShutdownPrivilege", "Process": "rundll32.exe", "Value": 19, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeDebugPrivilege
vol_privileges
Raw tool output · 769d27be99078842e8262ce3bf33f2bdc093f01f
{"Attributes": "Present,Enabled,Default", "Description": "Debug programs", "PID": 6768, "Privilege": "SeDebugPrivilege", "Process": "rundll32.exe", "Value": 20, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeAuditPrivilege
vol_privileges
Raw tool output · 88f2f7ecd61135aaa8c083394827c53b8321b91f
{"Attributes": "", "Description": "Generate security audits", "PID": 6768, "Privilege": "SeAuditPrivilege", "Process": "rundll32.exe", "Value": 21, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeSystemEnvironmentPrivilege
vol_privileges
Raw tool output · faed8736316efb12413b9dfcd3ef3b2e90cf7865
{"Attributes": "Present,Enabled,Default", "Description": "Edit firmware environment values", "PID": 6768, "Privilege": "SeSystemEnvironmentPrivilege", "Process": "rundll32.exe", "Value": 22, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeChangeNotifyPrivilege
vol_privileges
Raw tool output · d60fd573cab744cdcf727e61515aa968ce77036d
{"Attributes": "Present,Enabled,Default", "Description": "Receive notifications of changes to files or directories", "PID": 6768, "Privilege": "SeChangeNotifyPrivilege", "Process": "rundll32.exe", "Value": 23, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeRemoteShutdownPrivilege
vol_privileges
Raw tool output · 0856232b3f5f9b74df3acbbba7c1a78f533bbec1
{"Attributes": "Present,Enabled,Default", "Description": "Force shutdown from a remote system", "PID": 6768, "Privilege": "SeRemoteShutdownPrivilege", "Process": "rundll32.exe", "Value": 24, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeUndockPrivilege
vol_privileges
Raw tool output · bc4211cbedcc496b5bb594bd8f6be38e20766c04
{"Attributes": "Present,Enabled,Default", "Description": "Remove computer from docking station", "PID": 6768, "Privilege": "SeUndockPrivilege", "Process": "rundll32.exe", "Value": 25, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeSyncAgentPrivilege
vol_privileges
Raw tool output · be4122a5b65ce516c6933d29ebf19e8dcd8cc337
{"Attributes": "", "Description": "Synch directory service data", "PID": 6768, "Privilege": "SeSyncAgentPrivilege", "Process": "rundll32.exe", "Value": 26, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeEnableDelegationPrivilege
vol_privileges
Raw tool output · dd3b722145e9b10fbfe25f0a449df4227eccc9b2
{"Attributes": "", "Description": "Enable user accounts to be trusted for delegation", "PID": 6768, "Privilege": "SeEnableDelegationPrivilege", "Process": "rundll32.exe", "Value": 27, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeManageVolumePrivilege
vol_privileges
Raw tool output · 201fcdddea4961cd3befbf5d7963914270fcb809
{"Attributes": "Present,Enabled,Default", "Description": "Manage the files on a volume", "PID": 6768, "Privilege": "SeManageVolumePrivilege", "Process": "rundll32.exe", "Value": 28, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeImpersonatePrivilege
vol_privileges
Raw tool output · 181bf2faa961651f07f35b80dd15430f0bc923c7
{"Attributes": "Present,Enabled,Default", "Description": "Impersonate a client after authentication", "PID": 6768, "Privilege": "SeImpersonatePrivilege", "Process": "rundll32.exe", "Value": 29, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeCreateGlobalPrivilege
vol_privileges
Raw tool output · 2484ca581aa1610c8c964b229241be795b948a36
{"Attributes": "Present,Enabled,Default", "Description": "Create global objects", "PID": 6768, "Privilege": "SeCreateGlobalPrivilege", "Process": "rundll32.exe", "Value": 30, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeTrustedCredManAccessPrivilege
vol_privileges
Raw tool output · f49f409516f7d677129adb6f9b7c262290a1cb0a
{"Attributes": "", "Description": "Access Credential Manager as a trusted caller", "PID": 6768, "Privilege": "SeTrustedCredManAccessPrivilege", "Process": "rundll32.exe", "Value": 31, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeRelabelPrivilege
vol_privileges
Raw tool output · 6a048cbfcbb7cd65c049d98fec2bab3821e6b883
{"Attributes": "", "Description": "Modify the mandatory integrity level of an object", "PID": 6768, "Privilege": "SeRelabelPrivilege", "Process": "rundll32.exe", "Value": 32, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeIncreaseWorkingSetPrivilege
vol_privileges
Raw tool output · d62ed2d9b7814a0e8f836f1c3df9d07b44a46c11
{"Attributes": "Present,Enabled,Default", "Description": "Allocate more memory for user applications", "PID": 6768, "Privilege": "SeIncreaseWorkingSetPrivilege", "Process": "rundll32.exe", "Value": 33, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeTimeZonePrivilege
vol_privileges
Raw tool output · 203b3a28f39155c6a967cb923785908fccc7df54
{"Attributes": "Present,Enabled,Default", "Description": "Adjust the time zone of the computer's internal clock", "PID": 6768, "Privilege": "SeTimeZonePrivilege", "Process": "rundll32.exe", "Value": 34, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeCreateSymbolicLinkPrivilege
vol_privileges
Raw tool output · c8446e4936d08dacd3425c637ca31ed049880171
{"Attributes": "Present,Enabled,Default", "Description": "Required to create a symbolic link", "PID": 6768, "Privilege": "SeCreateSymbolicLinkPrivilege", "Process": "rundll32.exe", "Value": 35, "TreeDepth": 0}
privilege factprivilege:pid:6768:SeDelegateSessionUserImpersonatePrivilege
vol_privileges
Raw tool output · f574ffb6cf0bc0f85146136df1515dad9390911e
{"Attributes": "Present,Enabled,Default", "Description": "Obtain an impersonation token for another user in the same session.", "PID": 6768, "Privilege": "SeDelegateSessionUserImpersonatePrivilege", "Process": "rundll32.exe", "Value": 36, "TreeDepth": 0}
process cmdline factcmdline:pid:6768
vol_cmdline
Raw tool output · 1074bcaa68ab25917d7ecdaf88673e1671b2c84b
{"Args": null, "PID": 6768, "Process": "rundll32.exe", "TreeDepth": 0}
process factpid:6768
vol_psscan, vol_pstree
Raw tool output · 4129191b194a26a413ecdc40cc13173f81cfa7d1
{"CreateTime": "2018-08-30T18:31:04+00:00", "ExitTime": "2018-08-30T18:31:35+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518691087552, "PID": 6768, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": true, "TreeDepth": 0}
process relationship factpid:6768->pid:5848
vol_psscan, vol_pstree
Raw tool output · d0b8ce336f24ae13c72fc35d440b4f6ca4588998
{"CreateTime": "2018-08-30T18:31:04+00:00", "ExitTime": "2018-08-30T18:31:35+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518691087552, "PID": 6768, "PPID": 5848, "SessionId": 0, "Threads": 0, "Wow64": true, "TreeDepth": 0}
sid factsid:pid:6768:S-1-5-21-3445421715-2530590580-3149308974-1193
vol_getsids
Raw tool output · 57e693a2d9789f3a09a83cb9dca44676ea55131f
{"Name": "spsql", "PID": 6768, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-1193", "TreeDepth": 0}
sid factsid:pid:6768:S-1-5-21-3445421715-2530590580-3149308974-513
vol_getsids
Raw tool output · c7af4faede0dd9f35fa00f34e2faae20598a8162
{"Name": "Domain Users", "PID": 6768, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-513", "TreeDepth": 0}
sid factsid:pid:6768:S-1-1-0
vol_getsids
Raw tool output · 48433fd1076a27b648e1be902da5747904fc1a0a
{"Name": "Everyone", "PID": 6768, "Process": "rundll32.exe", "SID": "S-1-1-0", "TreeDepth": 0}
sid factsid:pid:6768:S-1-5-32-545
vol_getsids
Raw tool output · e992e4f4c3748fe550cd66d3c8495587df6ada26
{"Name": "Users", "PID": 6768, "Process": "rundll32.exe", "SID": "S-1-5-32-545", "TreeDepth": 0}
sid factsid:pid:6768:S-1-5-32-544
vol_getsids
Raw tool output · c5512ffbb8396b1a563cab00fc8341407a9ccf84
{"Name": "Administrators", "PID": 6768, "Process": "rundll32.exe", "SID": "S-1-5-32-544", "TreeDepth": 0}
sid factsid:pid:6768:S-1-5-2
vol_getsids
Raw tool output · 7b1a25cf521ee02af370bc66c87ad11d3f8cea0b
{"Name": "Network", "PID": 6768, "Process": "rundll32.exe", "SID": "S-1-5-2", "TreeDepth": 0}
sid factsid:pid:6768:S-1-5-11
vol_getsids
Raw tool output · 9817f61a476c4f3657333aa79203625b0af87204
{"Name": "Authenticated Users", "PID": 6768, "Process": "rundll32.exe", "SID": "S-1-5-11", "TreeDepth": 0}
sid factsid:pid:6768:S-1-5-15
vol_getsids
Raw tool output · 278c2cca7950882cef73f574753048b837d4939b
{"Name": "This Organization", "PID": 6768, "Process": "rundll32.exe", "SID": "S-1-5-15", "TreeDepth": 0}
sid factsid:pid:6768:S-1-5-21-3445421715-2530590580-3149308974-512
vol_getsids
Raw tool output · 79a52c05df67daf4d43beed0862f1142c9f2b647
{"Name": "Domain Admins", "PID": 6768, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-512", "TreeDepth": 0}
sid factsid:pid:6768:S-1-18-1
vol_getsids
Raw tool output · 5cf989112d0f9eee26e653bd5743f277171d3ddc
{"Name": "Authentication Authority Asserted Identity", "PID": 6768, "Process": "rundll32.exe", "SID": "S-1-18-1", "TreeDepth": 0}
sid factsid:pid:6768:S-1-5-21-3445421715-2530590580-3149308974-572
vol_getsids
Raw tool output · 1cf8e7807b7de1febc2013f743b4d640bcd014f9
{"Name": null, "PID": 6768, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-572", "TreeDepth": 0}
sid factsid:pid:6768:S-1-16-12288
vol_getsids
Raw tool output · f0f4d2680421586da89569555aed17745ca6b8fb
{"Name": "High Mandatory Level", "PID": 6768, "Process": "rundll32.exe", "SID": "S-1-16-12288", "TreeDepth": 0}

Source tools

vol_cmdline, vol_psscan, vol_pstree