F035 · MEDIUM · Suspicious · validator: passed
Defense evasion via rundll32 with null command lines
rundll32.exe children with null command lines spawned by p.exe and powershell
⚖ The AI did not get the final word
Model / ReAct proposed: Confirmed malicious → Veritas (deterministic) verdict: Suspicious
Promotion withheld because
- ✕ gate:confirmed_ineligible[rwx_memory_region_uncorroborated,weak_alone_signal_uncorroborated]
- ✕ MALICIOUS_SEMANTIC_GATE=FAIL
- ✕ RWX_REQUIRES_CORROBORATION_GATE=FAIL
Analyst narrative
Numerous rundll32.exe instances (PIDs 5768, 7552, 1424 parented to p.exe 8260; 2216, 5452, 4108, 6768, 5588, 8148 parented to powershell.exe 5848) have null command lines, consistent with injection / proxied execution. cand-0005/cand-0001.
Claims asserted
- pid · vol_pstree, vol_cmdline, vol_psscan
- user_account · spsql
Proof chain · 50 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
• privilege fact · privilege:pid:7552:SeCreateTokenPrivilege · vol_privileges
Raw tool output · cb93949880991a13e3d59381e4da33006c1f2f18
{"Attributes": "", "Description": "Create a token object", "PID": 7552, "Privilege": "SeCreateTokenPrivilege", "Process": "rundll32.exe", "Value": 2, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeAssignPrimaryTokenPrivilege · vol_privileges
Raw tool output · 695429f262468190f517200737f545ccb1a78aad
{"Attributes": "", "Description": "Replace a process-level token", "PID": 7552, "Privilege": "SeAssignPrimaryTokenPrivilege", "Process": "rundll32.exe", "Value": 3, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeLockMemoryPrivilege · vol_privileges
Raw tool output · f201587ac3ef612735553334a5a34854a434de7a
{"Attributes": "", "Description": "Lock pages in memory", "PID": 7552, "Privilege": "SeLockMemoryPrivilege", "Process": "rundll32.exe", "Value": 4, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeIncreaseQuotaPrivilege · vol_privileges
Raw tool output · 224735564d05a13373c5df3e2055ce5212670dcc
{"Attributes": "Present,Enabled,Default", "Description": "Increase quotas", "PID": 7552, "Privilege": "SeIncreaseQuotaPrivilege", "Process": "rundll32.exe", "Value": 5, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeMachineAccountPrivilege · vol_privileges
Raw tool output · dc4a29b62f6937e7f7e091196a75d560e6a36113
{"Attributes": "", "Description": "Add workstations to the domain", "PID": 7552, "Privilege": "SeMachineAccountPrivilege", "Process": "rundll32.exe", "Value": 6, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeTcbPrivilege · vol_privileges
Raw tool output · f726e5733d145f190345e0024d945874efa90ea7
{"Attributes": "", "Description": "Act as part of the operating system", "PID": 7552, "Privilege": "SeTcbPrivilege", "Process": "rundll32.exe", "Value": 7, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeSecurityPrivilege · vol_privileges
Raw tool output · cc49bb7ee16b7f14ca3624b44faea4caa3342079
{"Attributes": "Present,Enabled,Default", "Description": "Manage auditing and security log", "PID": 7552, "Privilege": "SeSecurityPrivilege", "Process": "rundll32.exe", "Value": 8, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeTakeOwnershipPrivilege · vol_privileges
Raw tool output · c644ff976c9c4bf9191a0fedfc022ea93398ec28
{"Attributes": "Present,Enabled,Default", "Description": "Take ownership of files/objects", "PID": 7552, "Privilege": "SeTakeOwnershipPrivilege", "Process": "rundll32.exe", "Value": 9, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeLoadDriverPrivilege · vol_privileges
Raw tool output · a4bdaf4fdcdcdef8d58593ecf1c21be16e4f6db1
{"Attributes": "Present,Enabled,Default", "Description": "Load and unload device drivers", "PID": 7552, "Privilege": "SeLoadDriverPrivilege", "Process": "rundll32.exe", "Value": 10, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeSystemProfilePrivilege · vol_privileges
Raw tool output · bc43897ec30d0666872a8352e418fe321f451a40
{"Attributes": "Present,Enabled,Default", "Description": "Profile system performance", "PID": 7552, "Privilege": "SeSystemProfilePrivilege", "Process": "rundll32.exe", "Value": 11, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeSystemtimePrivilege · vol_privileges
Raw tool output · baf4f891b9b2a23bd103f26c4a23f62ac6f59530
{"Attributes": "Present,Enabled,Default", "Description": "Change the system time", "PID": 7552, "Privilege": "SeSystemtimePrivilege", "Process": "rundll32.exe", "Value": 12, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeProfileSingleProcessPrivilege · vol_privileges
Raw tool output · 1e1ba7b694f4d0df75d2409657a4b3e0edbbd64b
{"Attributes": "Present,Enabled,Default", "Description": "Profile a single process", "PID": 7552, "Privilege": "SeProfileSingleProcessPrivilege", "Process": "rundll32.exe", "Value": 13, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeIncreaseBasePriorityPrivilege · vol_privileges
Raw tool output · 7608567ac246ef0703d00e90c85fb5b2ed18610f
{"Attributes": "Present,Enabled,Default", "Description": "Increase scheduling priority", "PID": 7552, "Privilege": "SeIncreaseBasePriorityPrivilege", "Process": "rundll32.exe", "Value": 14, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeCreatePagefilePrivilege · vol_privileges
Raw tool output · 4f0b1a14f791547d83b760348ee889e798329b9e
{"Attributes": "Present,Enabled,Default", "Description": "Create a pagefile", "PID": 7552, "Privilege": "SeCreatePagefilePrivilege", "Process": "rundll32.exe", "Value": 15, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeCreatePermanentPrivilege · vol_privileges
Raw tool output · c181b2eb3b0e32cb9797bf11bde6a27fbba06db4
{"Attributes": "", "Description": "Create permanent shared objects", "PID": 7552, "Privilege": "SeCreatePermanentPrivilege", "Process": "rundll32.exe", "Value": 16, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeBackupPrivilege · vol_privileges
Raw tool output · 12e7d563a40115b1845452d608bc0752e94f5d36
{"Attributes": "Present,Enabled,Default", "Description": "Backup files and directories", "PID": 7552, "Privilege": "SeBackupPrivilege", "Process": "rundll32.exe", "Value": 17, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeRestorePrivilege · vol_privileges
Raw tool output · a1e734e65671a3386ca166868f4238192bef44a9
{"Attributes": "Present,Enabled,Default", "Description": "Restore files and directories", "PID": 7552, "Privilege": "SeRestorePrivilege", "Process": "rundll32.exe", "Value": 18, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeShutdownPrivilege · vol_privileges
Raw tool output · e176bdacc77d9d906b775ad6334f60d9202a94d2
{"Attributes": "Present,Enabled,Default", "Description": "Shut down the system", "PID": 7552, "Privilege": "SeShutdownPrivilege", "Process": "rundll32.exe", "Value": 19, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeDebugPrivilege · vol_privileges
Raw tool output · b92dc0d6a1c5aa5f3a0ac517145ff0f0bb9e32b2
{"Attributes": "Present,Enabled,Default", "Description": "Debug programs", "PID": 7552, "Privilege": "SeDebugPrivilege", "Process": "rundll32.exe", "Value": 20, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeAuditPrivilege · vol_privileges
Raw tool output · 4a56b080a5c71c29eb423362cdfb9cdc3d4e4479
{"Attributes": "", "Description": "Generate security audits", "PID": 7552, "Privilege": "SeAuditPrivilege", "Process": "rundll32.exe", "Value": 21, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeSystemEnvironmentPrivilege · vol_privileges
Raw tool output · 3b33e8727a19bee2d21783891b888f6264d09731
{"Attributes": "Present,Enabled,Default", "Description": "Edit firmware environment values", "PID": 7552, "Privilege": "SeSystemEnvironmentPrivilege", "Process": "rundll32.exe", "Value": 22, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeChangeNotifyPrivilege · vol_privileges
Raw tool output · 5125af8356939cad8f8e9343d7e57d93b2af8247
{"Attributes": "Present,Enabled,Default", "Description": "Receive notifications of changes to files or directories", "PID": 7552, "Privilege": "SeChangeNotifyPrivilege", "Process": "rundll32.exe", "Value": 23, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeRemoteShutdownPrivilege · vol_privileges
Raw tool output · 166fe1d6431c8495e2a70c16e69e57190ccc24f6
{"Attributes": "Present,Enabled,Default", "Description": "Force shutdown from a remote system", "PID": 7552, "Privilege": "SeRemoteShutdownPrivilege", "Process": "rundll32.exe", "Value": 24, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeUndockPrivilege · vol_privileges
Raw tool output · 290765f70842ffaf17d1edf243b5e69b0bddbbef
{"Attributes": "Present,Enabled,Default", "Description": "Remove computer from docking station", "PID": 7552, "Privilege": "SeUndockPrivilege", "Process": "rundll32.exe", "Value": 25, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeSyncAgentPrivilege · vol_privileges
Raw tool output · 213b636d3fbd5919d58a6801281a00c1d8cdbc2e
{"Attributes": "", "Description": "Synch directory service data", "PID": 7552, "Privilege": "SeSyncAgentPrivilege", "Process": "rundll32.exe", "Value": 26, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeEnableDelegationPrivilege · vol_privileges
Raw tool output · e5899341593d7ad072c48e69347543765491d1ee
{"Attributes": "", "Description": "Enable user accounts to be trusted for delegation", "PID": 7552, "Privilege": "SeEnableDelegationPrivilege", "Process": "rundll32.exe", "Value": 27, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeManageVolumePrivilege · vol_privileges
Raw tool output · 4c769f654cd5f3490c0ce370761e3af39913ade4
{"Attributes": "Present,Enabled,Default", "Description": "Manage the files on a volume", "PID": 7552, "Privilege": "SeManageVolumePrivilege", "Process": "rundll32.exe", "Value": 28, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeImpersonatePrivilege · vol_privileges
Raw tool output · 4a4f76c42273114f94ab71820b08975334afc988
{"Attributes": "Present,Enabled,Default", "Description": "Impersonate a client after authentication", "PID": 7552, "Privilege": "SeImpersonatePrivilege", "Process": "rundll32.exe", "Value": 29, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeCreateGlobalPrivilege · vol_privileges
Raw tool output · a115ebc9c682e9ab89f9f458f8c64776e44d264b
{"Attributes": "Present,Enabled,Default", "Description": "Create global objects", "PID": 7552, "Privilege": "SeCreateGlobalPrivilege", "Process": "rundll32.exe", "Value": 30, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeTrustedCredManAccessPrivilege · vol_privileges
Raw tool output · ba6e99e6c7c59563a1994fa6f53585997e042b6e
{"Attributes": "", "Description": "Access Credential Manager as a trusted caller", "PID": 7552, "Privilege": "SeTrustedCredManAccessPrivilege", "Process": "rundll32.exe", "Value": 31, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeRelabelPrivilege · vol_privileges
Raw tool output · 1d4633cfb281ed2c72ed66a6830b57d8cacda6ed
{"Attributes": "", "Description": "Modify the mandatory integrity level of an object", "PID": 7552, "Privilege": "SeRelabelPrivilege", "Process": "rundll32.exe", "Value": 32, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeIncreaseWorkingSetPrivilege · vol_privileges
Raw tool output · 01e672d4fb3cd522de69d4d804f97aa48a1cee26
{"Attributes": "Present,Enabled,Default", "Description": "Allocate more memory for user applications", "PID": 7552, "Privilege": "SeIncreaseWorkingSetPrivilege", "Process": "rundll32.exe", "Value": 33, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeTimeZonePrivilege · vol_privileges
Raw tool output · d4124a115b20f1deb16944ac5dbe184936c742e7
{"Attributes": "Present,Enabled,Default", "Description": "Adjust the time zone of the computer's internal clock", "PID": 7552, "Privilege": "SeTimeZonePrivilege", "Process": "rundll32.exe", "Value": 34, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeCreateSymbolicLinkPrivilege · vol_privileges
Raw tool output · 9b6f8c7b9e8e21af52ada0a6795d47e9a9f8e465
{"Attributes": "Present,Enabled,Default", "Description": "Required to create a symbolic link", "PID": 7552, "Privilege": "SeCreateSymbolicLinkPrivilege", "Process": "rundll32.exe", "Value": 35, "TreeDepth": 0}

• privilege fact · privilege:pid:7552:SeDelegateSessionUserImpersonatePrivilege · vol_privileges
Raw tool output · 05cf23e948ed7ac5ecae61b7bc17c61e106723b2
{"Attributes": "Present,Enabled,Default", "Description": "Obtain an impersonation token for another user in the same session.", "PID": 7552, "Privilege": "SeDelegateSessionUserImpersonatePrivilege", "Process": "rundll32.exe", "Value": 36, "TreeDepth": 0}

• process cmdline fact · cmdline:pid:7552 · vol_cmdline
Raw tool output · 9102e084011378a6bcbce3807351f2036fa496a4
{"Args": null, "PID": 7552, "Process": "rundll32.exe", "TreeDepth": 0}

▣ process fact · pid:7552 · vol_psscan, vol_pstree
Raw tool output · 3fd68dea92de5835270dea9bc15c32016cc50fd5
{"CreateTime": "2018-09-06T17:26:32+00:00", "ExitTime": "2018-09-06T17:26:35+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518825205888, "PID": 7552, "PPID": 8260, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}

▣ process relationship fact · pid:7552->pid:8260 · vol_psscan, vol_pstree
Raw tool output · 4d065905ef79674ce31fb702b8df604d89085f68
{"CreateTime": "2018-09-06T17:26:32+00:00", "ExitTime": "2018-09-06T17:26:35+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518825205888, "PID": 7552, "PPID": 8260, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}

• sid fact · sid:pid:7552:S-1-5-21-3445421715-2530590580-3149308974-1193 · vol_getsids
Raw tool output · 4a6b6926bf7b7d60eff9cd814ec07ceb990091d6
{"Name": "spsql", "PID": 7552, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-1193", "TreeDepth": 0}

• sid fact · sid:pid:7552:S-1-5-21-3445421715-2530590580-3149308974-513 · vol_getsids
Raw tool output · 9918b50360a1b4c8e781e46bee5601b8aba2dda2
{"Name": "Domain Users", "PID": 7552, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-513", "TreeDepth": 0}

• sid fact · sid:pid:7552:S-1-1-0 · vol_getsids
Raw tool output · ccc5d7aef9f9f40c053482d3ada6620ed766ec25
{"Name": "Everyone", "PID": 7552, "Process": "rundll32.exe", "SID": "S-1-1-0", "TreeDepth": 0}

• sid fact · sid:pid:7552:S-1-5-32-545 · vol_getsids
Raw tool output · 192feebcad420564e1100e2b1c0203bc62dd1957
{"Name": "Users", "PID": 7552, "Process": "rundll32.exe", "SID": "S-1-5-32-545", "TreeDepth": 0}

• sid fact · sid:pid:7552:S-1-5-32-544 · vol_getsids
Raw tool output · a92d3f78fe076a01978729bdae1af5f9a71d0426
{"Name": "Administrators", "PID": 7552, "Process": "rundll32.exe", "SID": "S-1-5-32-544", "TreeDepth": 0}

• sid fact · sid:pid:7552:S-1-5-2 · vol_getsids
Raw tool output · bade910085d1338562fc1fe6b026742e9728a0cb
{"Name": "Network", "PID": 7552, "Process": "rundll32.exe", "SID": "S-1-5-2", "TreeDepth": 0}

• sid fact · sid:pid:7552:S-1-5-11 · vol_getsids
Raw tool output · 080bad890a91de203c5933985c3b5cdbe5a48dba
{"Name": "Authenticated Users", "PID": 7552, "Process": "rundll32.exe", "SID": "S-1-5-11", "TreeDepth": 0}

• sid fact · sid:pid:7552:S-1-5-15 · vol_getsids
Raw tool output · a08aca3bc708c7ee4a240d6fa2e33fe50b884717
{"Name": "This Organization", "PID": 7552, "Process": "rundll32.exe", "SID": "S-1-5-15", "TreeDepth": 0}

• sid fact · sid:pid:7552:S-1-5-21-3445421715-2530590580-3149308974-512 · vol_getsids
Raw tool output · b6eae646d00832024c2aeec095467eba8ed160e3
{"Name": "Domain Admins", "PID": 7552, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-512", "TreeDepth": 0}

• sid fact · sid:pid:7552:S-1-18-1 · vol_getsids
Raw tool output · dc9c737744664e10fbc94372cea7a17923d3f440
{"Name": "Authentication Authority Asserted Identity", "PID": 7552, "Process": "rundll32.exe", "SID": "S-1-18-1", "TreeDepth": 0}

• sid fact · sid:pid:7552:S-1-5-21-3445421715-2530590580-3149308974-572 · vol_getsids
Raw tool output · 86166dec083daaae4ee2251494cf811e405c352d
{"Name": null, "PID": 7552, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-572", "TreeDepth": 0}

• sid fact · sid:pid:7552:S-1-16-12288 · vol_getsids
Raw tool output · ecd1f5b8895a6c2d544cac2d857eea233e0e3308
{"Name": "High Mandatory Level", "PID": 7552, "Process": "rundll32.exe", "SID": "S-1-16-12288", "TreeDepth": 0}

Source tools · vol_cmdline, vol_psscan, vol_pstree