F041 · MEDIUM · Inconclusive · validator: passed
WMIPrvSE.exe with SeImpersonatePrivilege enabled (Privilege Escalation / WMI Exploitation)
WMIPrvSE.exe with SeImpersonatePrivilege
Analyst narrative
WMIPrvSE.exe processes with SeImpersonatePrivilege enabled (default). Can be exploited via Rotten Potato or similar token theft attacks targeting WMI event subscriptions. Candidates cand-0012. Fact_ids: privilege_fact-0001532, privilege_fact-0003597, privilege_fact-0003632, privilege_fact-0004332.
Claims asserted
process_privilege_enabled · WMIPrvSE.exe with SeImpersonatePrivilege · vol_privileges
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
vol_privileges