Veritas
F036 · MEDIUM · Suspicious · validator: passed

Defense evasion via rundll32 with null command lines

rundll32.exe children with null command lines spawned by p.exe and powershell

⚖ The AI did not get the final word
Model / ReAct proposed
Confirmed malicious
Veritas (deterministic) verdict
Suspicious
Promotion withheld because
  • gate:confirmed_ineligible[rwx_memory_region_uncorroborated,weak_alone_signal_uncorroborated]
  • MALICIOUS_SEMANTIC_GATE=FAIL
  • RWX_REQUIRES_CORROBORATION_GATE=FAIL
Analyst narrative

Numerous rundll32.exe instances (PIDs 5768, 7552, 1424 parented to p.exe 8260; 2216, 5452, 4108, 6768, 5588, 8148 parented to powershell.exe 5848) have null command lines, consistent with injection / proxied execution. cand-0005/cand-0001.
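The check a reviewer wants before promoting this finding is whether each null command line is a real anomaly or the ordinary artefact of a process that had already exited when the image was taken. The example below is added here; it is not Veritas code and not a Volatility plugin. It takes the record shapes that `windows.cmdline` and `windows.pstree`/`windows.psscan` produce, and the records for PID 1424 are copied from the proof chain on this page (null Args, ExitTime 14:58:45, Threads 0). The records for PID 2216, 9001, 700, 8260 and 5848 are constructed for the example, as is the JSONL framing and the `SUSPICIOUS_PARENTS` watch list (taken from the narrative's p.exe and powershell.exe).

```python
"""Triage of null-command-line rundll32.exe hits from Volatility 3 output.

Added example; not Veritas's code and not a Volatility plugin. It consumes
records shaped like those from `windows.cmdline` and `windows.pstree` /
`windows.psscan`, one JSON object per line here for simplicity.

The check the finding needs: cmdline reads RTL_USER_PROCESS_PARAMETERS from
the PEB, which lives in the process's user-mode address space. Once the
process has exited (ExitTime set, Threads == 0) that space is torn down while
the EPROCESS and its token linger, so Args comes back null even though
privileges and SIDs still resolve. A null Args on an exited process is
therefore expected, not evidence of injection or proxied execution.
"""
import json

# Parent images that make a bare rundll32.exe child worth a second look.
# Assumption for this example: taken from the finding's narrative (p.exe,
# powershell.exe); tune to the environment.
SUSPICIOUS_PARENTS = {"p.exe", "powershell.exe"}

# Constructed sample input. The PID 1424 cmdline and process records are the
# page's own raw tool output; every other record is made up for this example
# to exercise the live-suspicious, benign and non-rundll32 branches.
CMDLINE_JSONL = """\
{"Args": null, "PID": 1424, "Process": "rundll32.exe", "TreeDepth": 0}
{"Args": null, "PID": 2216, "Process": "rundll32.exe", "TreeDepth": 0}
{"Args": "rundll32.exe shell32.dll,Control_RunDLL", "PID": 9001, "Process": "rundll32.exe", "TreeDepth": 0}
{"Args": null, "PID": 8260, "Process": "p.exe", "TreeDepth": 0}
{"Args": "powershell.exe -nop -w hidden", "PID": 5848, "Process": "powershell.exe", "TreeDepth": 0}
"""

PROCESS_JSONL = """\
{"CreateTime": "2018-09-06T14:58:41+00:00", "ExitTime": "2018-09-06T14:58:45+00:00", "ImageFileName": "rundll32.exe", "PID": 1424, "PPID": 8260, "Threads": 0}
{"CreateTime": "2018-09-06T14:59:10+00:00", "ExitTime": null, "ImageFileName": "rundll32.exe", "PID": 2216, "PPID": 5848, "Threads": 3}
{"CreateTime": "2018-09-06T14:50:00+00:00", "ExitTime": null, "ImageFileName": "rundll32.exe", "PID": 9001, "PPID": 700, "Threads": 2}
{"CreateTime": "2018-09-06T14:58:30+00:00", "ExitTime": null, "ImageFileName": "p.exe", "PID": 8260, "PPID": 700, "Threads": 4}
{"CreateTime": "2018-09-06T14:57:00+00:00", "ExitTime": null, "ImageFileName": "powershell.exe", "PID": 5848, "PPID": 700, "Threads": 6}
{"CreateTime": "2018-09-06T14:40:00+00:00", "ExitTime": null, "ImageFileName": "explorer.exe", "PID": 700, "PPID": 650, "Threads": 40}
"""


def load_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def process_has_exited(proc):
    """True when the memory image shows the process already terminated."""
    return proc.get("ExitTime") is not None or proc.get("Threads") == 0


def triage_null_cmdline(cmdline_records, process_records, image="rundll32.exe"):
    """Return {pid: (verdict, reason)} for every `image` process whose Args is null.

    verdicts:
      uncorroborated - process had exited; null Args is the normal artefact
      suspicious     - live process, null Args, parent on the watch list
      weak           - live process, null Args, parent not on the watch list
                       (a paged-out PEB or a smeared image also lands here)
      unknown        - no pstree/psscan record to judge by
    """
    by_pid = {p["PID"]: p for p in process_records}
    verdicts = {}
    for rec in cmdline_records:
        if rec.get("Process", "").lower() != image or rec.get("Args") is not None:
            continue
        pid = rec["PID"]
        proc = by_pid.get(pid)
        if proc is None:
            verdicts[pid] = ("unknown", "no process record for pid")
            continue
        parent = by_pid.get(proc.get("PPID"), {}).get("ImageFileName", "?")
        if process_has_exited(proc):
            verdicts[pid] = ("uncorroborated",
                             f"exited at {proc.get('ExitTime')}; PEB unmapped, null Args expected (parent {parent})")
        elif parent.lower() in SUSPICIOUS_PARENTS:
            verdicts[pid] = ("suspicious",
                             f"live with null Args, parent {parent}; corroborate with malfind/ldrmodules before promoting")
        else:
            verdicts[pid] = ("weak", f"live with null Args, parent {parent} not on watch list")
    return verdicts


if __name__ == "__main__":
    out = triage_null_cmdline(load_jsonl(CMDLINE_JSONL), load_jsonl(PROCESS_JSONL))
    for pid, (verdict, reason) in sorted(out.items()):
        print(f"{pid:>6}  {verdict:<15} {reason}")
```

Run against this page's facts, PID 1424 comes out as "uncorroborated": it lived for four seconds and had no threads at capture, so the empty Args is what cmdline returns for any dead process and cannot on its own support the injection reading. Only a rundll32 that is still running with a null command line under a scripting-host parent earns "suspicious", and even that needs a second source (an RWX region, an unbacked module) before it should be promoted, which is the same bar the deterministic gates above apply. The one-object-per-line framing is this example's own; adapt `load_jsonl` to however your pipeline stores the plugin output.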

Claims asserted

pid · vol_pstree, vol_cmdline, vol_psscan
user_accounts · spsql

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

privilege fact · privilege:pid:1424:SeCreateTokenPrivilege
vol_privileges
Raw tool output · c909e68a72bfb6b97a2d87689d71fae933e165d8
{"Attributes": "", "Description": "Create a token object", "PID": 1424, "Privilege": "SeCreateTokenPrivilege", "Process": "rundll32.exe", "Value": 2, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeAssignPrimaryTokenPrivilege
vol_privileges
Raw tool output · a37016ac0f0a02e9aa8dbaa087269c2ab125c70b
{"Attributes": "", "Description": "Replace a process-level token", "PID": 1424, "Privilege": "SeAssignPrimaryTokenPrivilege", "Process": "rundll32.exe", "Value": 3, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeLockMemoryPrivilege
vol_privileges
Raw tool output · 45d98549d1eb4b73972c584fc9509c4a224caac9
{"Attributes": "", "Description": "Lock pages in memory", "PID": 1424, "Privilege": "SeLockMemoryPrivilege", "Process": "rundll32.exe", "Value": 4, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeIncreaseQuotaPrivilege
vol_privileges
Raw tool output · 250d4ef7c9516c8338d1e5a70c43832f1bc3d9df
{"Attributes": "Present,Enabled,Default", "Description": "Increase quotas", "PID": 1424, "Privilege": "SeIncreaseQuotaPrivilege", "Process": "rundll32.exe", "Value": 5, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeMachineAccountPrivilege
vol_privileges
Raw tool output · eb119a1f17379673154891ecace16a48fff71e82
{"Attributes": "", "Description": "Add workstations to the domain", "PID": 1424, "Privilege": "SeMachineAccountPrivilege", "Process": "rundll32.exe", "Value": 6, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeTcbPrivilege
vol_privileges
Raw tool output · 6336931a9b31ac6e7e1ff5aa37dcba11343cad12
{"Attributes": "", "Description": "Act as part of the operating system", "PID": 1424, "Privilege": "SeTcbPrivilege", "Process": "rundll32.exe", "Value": 7, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeSecurityPrivilege
vol_privileges
Raw tool output · 75539fff5619039593d3fe9c50147a2ba4214a1e
{"Attributes": "Present,Enabled,Default", "Description": "Manage auditing and security log", "PID": 1424, "Privilege": "SeSecurityPrivilege", "Process": "rundll32.exe", "Value": 8, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeTakeOwnershipPrivilege
vol_privileges
Raw tool output · 4744de5bb6a46f6cb8689bbeac4e353900f05c9c
{"Attributes": "Present,Enabled,Default", "Description": "Take ownership of files/objects", "PID": 1424, "Privilege": "SeTakeOwnershipPrivilege", "Process": "rundll32.exe", "Value": 9, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeLoadDriverPrivilege
vol_privileges
Raw tool output · 42dfeed6b0041973fc2e7b52907970ada47902b4
{"Attributes": "Present,Enabled,Default", "Description": "Load and unload device drivers", "PID": 1424, "Privilege": "SeLoadDriverPrivilege", "Process": "rundll32.exe", "Value": 10, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeSystemProfilePrivilege
vol_privileges
Raw tool output · a8da54e4dd14b4b907b69ddc93e6005e47d14649
{"Attributes": "Present,Enabled,Default", "Description": "Profile system performance", "PID": 1424, "Privilege": "SeSystemProfilePrivilege", "Process": "rundll32.exe", "Value": 11, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeSystemtimePrivilege
vol_privileges
Raw tool output · 0b126585d85d33520986236aa9b0544e277ba267
{"Attributes": "Present,Enabled,Default", "Description": "Change the system time", "PID": 1424, "Privilege": "SeSystemtimePrivilege", "Process": "rundll32.exe", "Value": 12, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeProfileSingleProcessPrivilege
vol_privileges
Raw tool output · f5b3e76fe8fcbbbbdadf2bfdd70e88ce0d873aa5
{"Attributes": "Present,Enabled,Default", "Description": "Profile a single process", "PID": 1424, "Privilege": "SeProfileSingleProcessPrivilege", "Process": "rundll32.exe", "Value": 13, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeIncreaseBasePriorityPrivilege
vol_privileges
Raw tool output · 314302037915e134d0387277100f97b1036c7dd4
{"Attributes": "Present,Enabled,Default", "Description": "Increase scheduling priority", "PID": 1424, "Privilege": "SeIncreaseBasePriorityPrivilege", "Process": "rundll32.exe", "Value": 14, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeCreatePagefilePrivilege
vol_privileges
Raw tool output · a16cd4aab2a2836cdd9492184b5b9e5ab81be3f5
{"Attributes": "Present,Enabled,Default", "Description": "Create a pagefile", "PID": 1424, "Privilege": "SeCreatePagefilePrivilege", "Process": "rundll32.exe", "Value": 15, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeCreatePermanentPrivilege
vol_privileges
Raw tool output · 697fca22b510d55b070d38d7d480c48685064ed0
{"Attributes": "", "Description": "Create permanent shared objects", "PID": 1424, "Privilege": "SeCreatePermanentPrivilege", "Process": "rundll32.exe", "Value": 16, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeBackupPrivilege
vol_privileges
Raw tool output · 1510ea03b8486994e27aae32cafe6e3c302ddb20
{"Attributes": "Present,Enabled,Default", "Description": "Backup files and directories", "PID": 1424, "Privilege": "SeBackupPrivilege", "Process": "rundll32.exe", "Value": 17, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeRestorePrivilege
vol_privileges
Raw tool output · 36594d3239c1e44ae66370c626f9e27b5fcd96c3
{"Attributes": "Present,Enabled,Default", "Description": "Restore files and directories", "PID": 1424, "Privilege": "SeRestorePrivilege", "Process": "rundll32.exe", "Value": 18, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeShutdownPrivilege
vol_privileges
Raw tool output · 2063e2a4da84354890fd053b86008bb7efb103bf
{"Attributes": "Present,Enabled,Default", "Description": "Shut down the system", "PID": 1424, "Privilege": "SeShutdownPrivilege", "Process": "rundll32.exe", "Value": 19, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeDebugPrivilege
vol_privileges
Raw tool output · e715d14d24a1c4e8c75c984a0b4d20177f323b44
{"Attributes": "Present,Enabled,Default", "Description": "Debug programs", "PID": 1424, "Privilege": "SeDebugPrivilege", "Process": "rundll32.exe", "Value": 20, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeAuditPrivilege
vol_privileges
Raw tool output · 6a17f46886d0a6f071ed52b9ee9aaec5d49f16bb
{"Attributes": "", "Description": "Generate security audits", "PID": 1424, "Privilege": "SeAuditPrivilege", "Process": "rundll32.exe", "Value": 21, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeSystemEnvironmentPrivilege
vol_privileges
Raw tool output · 2cfcfa103537eab5e96808f4df51d93111117e50
{"Attributes": "Present,Enabled,Default", "Description": "Edit firmware environment values", "PID": 1424, "Privilege": "SeSystemEnvironmentPrivilege", "Process": "rundll32.exe", "Value": 22, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeChangeNotifyPrivilege
vol_privileges
Raw tool output · 06d16a7e0ca40fad32314a681fede883fdd6f83a
{"Attributes": "Present,Enabled,Default", "Description": "Receive notifications of changes to files or directories", "PID": 1424, "Privilege": "SeChangeNotifyPrivilege", "Process": "rundll32.exe", "Value": 23, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeRemoteShutdownPrivilege
vol_privileges
Raw tool output · 456f99558b35c5b624f79f04c98833fc417a7d5a
{"Attributes": "Present,Enabled,Default", "Description": "Force shutdown from a remote system", "PID": 1424, "Privilege": "SeRemoteShutdownPrivilege", "Process": "rundll32.exe", "Value": 24, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeUndockPrivilege
vol_privileges
Raw tool output · efdc416e07f6f365032c08a2388fc8358b0d046f
{"Attributes": "Present,Enabled,Default", "Description": "Remove computer from docking station", "PID": 1424, "Privilege": "SeUndockPrivilege", "Process": "rundll32.exe", "Value": 25, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeSyncAgentPrivilege
vol_privileges
Raw tool output · 21c2b3e6539c3907c125e3b30dc8cb0898bd17e9
{"Attributes": "", "Description": "Synch directory service data", "PID": 1424, "Privilege": "SeSyncAgentPrivilege", "Process": "rundll32.exe", "Value": 26, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeEnableDelegationPrivilege
vol_privileges
Raw tool output · b19bca7ad3c0ef65497b459f79a04f6bfed26976
{"Attributes": "", "Description": "Enable user accounts to be trusted for delegation", "PID": 1424, "Privilege": "SeEnableDelegationPrivilege", "Process": "rundll32.exe", "Value": 27, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeManageVolumePrivilege
vol_privileges
Raw tool output · 63b66645f9f344bee02e3dc520a93c15ef038558
{"Attributes": "Present,Enabled,Default", "Description": "Manage the files on a volume", "PID": 1424, "Privilege": "SeManageVolumePrivilege", "Process": "rundll32.exe", "Value": 28, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeImpersonatePrivilege
vol_privileges
Raw tool output · 22261a56e5e3aac0deca681d6eb302ce76f60fea
{"Attributes": "Present,Enabled,Default", "Description": "Impersonate a client after authentication", "PID": 1424, "Privilege": "SeImpersonatePrivilege", "Process": "rundll32.exe", "Value": 29, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeCreateGlobalPrivilege
vol_privileges
Raw tool output · b1c530513cc33aa40e6e10cfd9b713bf6f620589
{"Attributes": "Present,Enabled,Default", "Description": "Create global objects", "PID": 1424, "Privilege": "SeCreateGlobalPrivilege", "Process": "rundll32.exe", "Value": 30, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeTrustedCredManAccessPrivilege
vol_privileges
Raw tool output · b1ca67cd9388696a4712f790362673711622deab
{"Attributes": "", "Description": "Access Credential Manager as a trusted caller", "PID": 1424, "Privilege": "SeTrustedCredManAccessPrivilege", "Process": "rundll32.exe", "Value": 31, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeRelabelPrivilege
vol_privileges
Raw tool output · c8fd68575f3b1aee5790901905bc8d8700156fd4
{"Attributes": "", "Description": "Modify the mandatory integrity level of an object", "PID": 1424, "Privilege": "SeRelabelPrivilege", "Process": "rundll32.exe", "Value": 32, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeIncreaseWorkingSetPrivilege
vol_privileges
Raw tool output · 0b9a242fd6d00319ece7ee5db826dd9c71e78470
{"Attributes": "Present,Enabled,Default", "Description": "Allocate more memory for user applications", "PID": 1424, "Privilege": "SeIncreaseWorkingSetPrivilege", "Process": "rundll32.exe", "Value": 33, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeTimeZonePrivilege
vol_privileges
Raw tool output · c852421f1b21a53a8da11e2d1c1c5a590a8a3aac
{"Attributes": "Present,Enabled,Default", "Description": "Adjust the time zone of the computer's internal clock", "PID": 1424, "Privilege": "SeTimeZonePrivilege", "Process": "rundll32.exe", "Value": 34, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeCreateSymbolicLinkPrivilege
vol_privileges
Raw tool output · 97af934b3ec3bb170a1b0932ff71ad33437c2622
{"Attributes": "Present,Enabled,Default", "Description": "Required to create a symbolic link", "PID": 1424, "Privilege": "SeCreateSymbolicLinkPrivilege", "Process": "rundll32.exe", "Value": 35, "TreeDepth": 0}
privilege fact · privilege:pid:1424:SeDelegateSessionUserImpersonatePrivilege
vol_privileges
Raw tool output · afb8141ce2bca5dc9f918ea7a5750de15f20f9bd
{"Attributes": "Present,Enabled,Default", "Description": "Obtain an impersonation token for another user in the same session.", "PID": 1424, "Privilege": "SeDelegateSessionUserImpersonatePrivilege", "Process": "rundll32.exe", "Value": 36, "TreeDepth": 0}
process cmdline fact · cmdline:pid:1424
vol_cmdline
Raw tool output · 382f77b17227cd615ae90af2beeb0530f8e20968
{"Args": null, "PID": 1424, "Process": "rundll32.exe", "TreeDepth": 0}
process fact · pid:1424
vol_psscan, vol_pstree
Raw tool output · bff590bc126072fa1a717be84b306de9f651018b
{"CreateTime": "2018-09-06T14:58:41+00:00", "ExitTime": "2018-09-06T14:58:45+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518818256256, "PID": 1424, "PPID": 8260, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}
process relationship fact · pid:1424 -> pid:8260
vol_psscan, vol_pstree
Raw tool output · febc45b9fae5bb08557c5905be612ab65b405f1d
{"CreateTime": "2018-09-06T14:58:41+00:00", "ExitTime": "2018-09-06T14:58:45+00:00", "File output": "Disabled", "Handles": null, "ImageFileName": "rundll32.exe", "Offset(V)": 154518818256256, "PID": 1424, "PPID": 8260, "SessionId": 0, "Threads": 0, "Wow64": false, "TreeDepth": 0}
sid fact · sid:pid:1424:S-1-5-21-3445421715-2530590580-3149308974-1193
vol_getsids
Raw tool output · c833db9d79885198cc245300c11769f17bc78e0a
{"Name": "spsql", "PID": 1424, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-1193", "TreeDepth": 0}
sid fact · sid:pid:1424:S-1-5-21-3445421715-2530590580-3149308974-513
vol_getsids
Raw tool output · 1ce5a619da1c8939c7068432314e6c5b3f8a2680
{"Name": "Domain Users", "PID": 1424, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-513", "TreeDepth": 0}
sid fact · sid:pid:1424:S-1-1-0
vol_getsids
Raw tool output · 9f41348637997b22a0926cf055261399c7ad8b23
{"Name": "Everyone", "PID": 1424, "Process": "rundll32.exe", "SID": "S-1-1-0", "TreeDepth": 0}
sid fact · sid:pid:1424:S-1-5-32-545
vol_getsids
Raw tool output · 7cb5a2a6076d2914710495e622573583c228b73b
{"Name": "Users", "PID": 1424, "Process": "rundll32.exe", "SID": "S-1-5-32-545", "TreeDepth": 0}
sid fact · sid:pid:1424:S-1-5-32-544
vol_getsids
Raw tool output · 5070584108c3faabd02254b2da613ac6d71a194f
{"Name": "Administrators", "PID": 1424, "Process": "rundll32.exe", "SID": "S-1-5-32-544", "TreeDepth": 0}
sid fact · sid:pid:1424:S-1-5-2
vol_getsids
Raw tool output · 8e20b4e6b8f80278922b1d2d780f410e27ca7b09
{"Name": "Network", "PID": 1424, "Process": "rundll32.exe", "SID": "S-1-5-2", "TreeDepth": 0}
sid fact · sid:pid:1424:S-1-5-11
vol_getsids
Raw tool output · b981478b4d4c40f8f74ac586bf175c6c01195bff
{"Name": "Authenticated Users", "PID": 1424, "Process": "rundll32.exe", "SID": "S-1-5-11", "TreeDepth": 0}
sid fact · sid:pid:1424:S-1-5-15
vol_getsids
Raw tool output · 8e3426aadcbbc5a6fd1c29abe8a0819a201117ac
{"Name": "This Organization", "PID": 1424, "Process": "rundll32.exe", "SID": "S-1-5-15", "TreeDepth": 0}
sid fact · sid:pid:1424:S-1-5-21-3445421715-2530590580-3149308974-512
vol_getsids
Raw tool output · 289d654322f71a81318783f21c638311dd65d84b
{"Name": "Domain Admins", "PID": 1424, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-512", "TreeDepth": 0}
sid fact · sid:pid:1424:S-1-18-1
vol_getsids
Raw tool output · faef77c8ab070fc05a8de508a81ad5c41ee7614f
{"Name": "Authentication Authority Asserted Identity", "PID": 1424, "Process": "rundll32.exe", "SID": "S-1-18-1", "TreeDepth": 0}
sid fact · sid:pid:1424:S-1-5-21-3445421715-2530590580-3149308974-572
vol_getsids
Raw tool output · 422059de79a827bd949d384476b2f40ee1eb723a
{"Name": null, "PID": 1424, "Process": "rundll32.exe", "SID": "S-1-5-21-3445421715-2530590580-3149308974-572", "TreeDepth": 0}
sid fact · sid:pid:1424:S-1-16-12288
vol_getsids
Raw tool output · be6c9f1b23076de9ff27a38c03df6c7a1834f220
{"Name": "High Mandatory Level", "PID": 1424, "Process": "rundll32.exe", "SID": "S-1-16-12288", "TreeDepth": 0}

Source tools

vol_cmdline, vol_psscan, vol_pstree