F039 · MEDIUM · Inconclusive · validator: passed
Safe boot registry alternate shell persistence (Privilege Escalation / Persistence)
Registry: HKLM/System/ControlSet*/Control/SafeBoot/AlternateShell
Analyst narrative
The AlternateShell value is present under HKLM\System\ControlSet001\Control\SafeBoot and under the ControlSet002 variant. This value names the shell Windows starts in place of explorer.exe when the machine boots into Safe Mode with Command Prompt, so a non-default value is a boot-time persistence mechanism that survives a normal-mode cleanup. The data recorded for ControlSet001 is cmd.exe, which is the Windows default, so the presence of the value alone does not establish tampering; the finding stays Inconclusive until the ControlSet002 data and the value's last_write_time are compared against the case timeline. Candidates: cand-0099, cand-0100. Fact_ids: registry_persistence_fact-0003188, registry_persistence_fact-0001592.
Claims asserted
path · HKLM\System\ControlSet001\Control\SafeBoot\AlternateShell · validated by parse_registry_persistence
Proof chain · 1 fact
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
registry persistence fact · reg:hklm/system/controlset001/control/safeboot · parse_registry_persistence
Raw tool output · 30b2ab7f41f054569b7ea21f9a1c37916940a363
{"tool": "parse_registry_persistence", "source_hive": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM", "hive_type": "SYSTEM", "registry_path": "HKLM\\SYSTEM\\ControlSet001\\Control\\SafeBoot", "value_name": "AlternateShell", "value_data": "cmd.exe", "value_type": "REG_SZ", "value_data_truncated": false, "is_default": false, "persistence_type": "safeboot", "control_set": "ControlSet001", "is_active_controlset": true, "user_profile": null, "last_write_time": "2013-08-22T14:48:12.482893+00:00", "evidence_type": "registry_persistence", "raw_excerpt": "{\"registry_path\": \"HKLM\\\
Source tools
parse_registry_persistence
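Triage logic for facts of the shape shown in the raw tool output above, as an added example that is not part of this finding page or of the parse_registry_persistence tool. It decides whether an AlternateShell fact supports a tampering claim: the data is compared against the Windows default (cmd.exe, in any of its usual spellings), the active control set is weighted higher than an inactive one, and the control sets are checked for divergence. The decision rules, the severity labels and the sample facts are this example's own; the ControlSet001 fact mirrors the page, the ControlSet002 value and the tampered hive are constructed.

```python
import re
from dataclasses import dataclass

# Windows installs AlternateShell = "cmd.exe" under every control set. Safe Mode
# with Command Prompt (SAFEBOOT_OPTION=Minimal(AlternateShell)) starts that
# program in place of explorer.exe, which is why an attacker repoints it.
DEFAULT_SHELL = "cmd.exe"

# Path prefixes that still resolve to the stock binary; stripped before comparison.
_SYSTEM32_PREFIXES = (
    r"^%systemroot%\\system32\\",
    r"^c:\\windows\\system32\\",
)


@dataclass
class Verdict:
    control_set: str
    active: bool
    value_data: str
    status: str    # "default" or "non_default"
    severity: str  # "info", "medium" or "high" (labels are this example's own)
    reason: str


def normalize_shell(value_data: str) -> str:
    """Canonicalise the value so cmd.exe written with quotes, a System32 path
    or mixed case still compares equal to the default."""
    v = value_data.strip().strip('"').lower()
    for prefix in _SYSTEM32_PREFIXES:
        v = re.sub(prefix, "", v)
    return v


def triage_alternate_shell(facts):
    """Return one Verdict per safeboot/AlternateShell fact; other facts are skipped."""
    verdicts = []
    for fact in facts:
        if fact.get("persistence_type") != "safeboot":
            continue
        if fact.get("value_name", "").lower() != "alternateshell":
            continue
        shell = normalize_shell(fact["value_data"])
        active = bool(fact.get("is_active_controlset"))
        if shell == DEFAULT_SHELL:
            status, severity = "default", "info"
            reason = "value is the Windows default; presence alone is not evidence of tampering"
        elif active:
            status, severity = "non_default", "high"
            reason = "non-default shell in the active control set; runs on the next Safe Mode (command prompt) boot"
        else:
            status, severity = "non_default", "medium"
            reason = "non-default shell in an inactive control set; becomes live if that set is selected"
        verdicts.append(Verdict(fact["control_set"], active, fact["value_data"], status, severity, reason))
    return verdicts


def control_sets_diverge(verdicts) -> bool:
    """True when the control sets disagree on the shell. Setup writes the same
    value to every control set, so divergence means one was edited later."""
    return len({normalize_shell(v.value_data) for v in verdicts}) > 1


def overall_severity(verdicts) -> str:
    order = ["info", "medium", "high"]
    return max((v.severity for v in verdicts), key=order.index, default="info")


def _fact(control_set, value_data, active):
    # Only the fields the triage reads; shape follows the tool's record above.
    return {"tool": "parse_registry_persistence", "persistence_type": "safeboot",
            "registry_path": f"HKLM\\SYSTEM\\{control_set}\\Control\\SafeBoot",
            "value_name": "AlternateShell", "value_data": value_data, "value_type": "REG_SZ",
            "control_set": control_set, "is_active_controlset": active}


# Constructed sample facts. The ControlSet001 record mirrors the raw output on
# this page; the ControlSet002 data is not shown there and is assumed default.
FACTS_THIS_CASE = [_fact("ControlSet001", "cmd.exe", True),
                   _fact("ControlSet002", "cmd.exe", False)]

# Hypothetical tampered hive: the active control set points at a planted binary.
FACTS_TAMPERED = [_fact("ControlSet001", "C:\\ProgramData\\svchost\\svchost.exe", True),
                  _fact("ControlSet002", "cmd.exe", False)]

if __name__ == "__main__":
    for label, facts in (("this case", FACTS_THIS_CASE), ("tampered (hypothetical)", FACTS_TAMPERED)):
        verdicts = triage_alternate_shell(facts)
        print(f"{label}: overall={overall_severity(verdicts)} diverge={control_sets_diverge(verdicts)}")
        for v in verdicts:
            print(f"  {v.control_set} active={v.active} {v.value_data!r}: {v.status} [{v.severity}] {v.reason}")
```

Run against the page's own fact the triage returns info for both control sets with no divergence, which is what keeps this finding Inconclusive rather than Confirmed; the constructed tampered hive returns high for ControlSet001 and flags the divergence between control sets.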