F042 · MEDIUM · Benign / FP · validator: passed
Conhost.exe with SeDebugPrivilege and SeImpersonatePrivilege (Privilege Escalation Context)
conhost.exe with elevated privilege flags
Analyst narrative
Conhost.exe (console host) processes were observed with SeDebugPrivilege and SeImpersonatePrivilege enabled in their tokens. Unusual privilege elevation for a console host process indicates potential exploitation or misuse. Caveat: conhost.exe runs in the security context of the console application it serves, so enabled privileges in its token normally mirror those of that application (for example an elevated or SYSTEM-level cmd.exe or powershell.exe); the observation is only meaningful when the same privileges are not enabled in the parent console process. Candidates: cand-0019, cand-0020, cand-0023, cand-0024, cand-0025, cand-0026. Fact_ids: privilege_fact-0001672, privilege_fact-0003457, privilege_fact-0003527, privilege_fact-0003807.
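The triage check described above, as an added example that is not part of this finding record or of the vol_privileges tool: it parses constructed rows modelled on Volatility 3 `windows.privileges` output, flags conhost.exe processes with both SeDebugPrivilege and SeImpersonatePrivilege enabled, and then compares each hit against its parent console application (PID-to-PPID map modelled on `windows.pslist`). The sample rows, PIDs and the assumption that conhost.exe's parent is the console application it serves (true on Windows 8 and later; on Windows 7 the parent is csrss.exe and the lookup would need adjusting) are all mine, not data from the case.

```python
"""Triage conhost.exe privilege findings: are the enabled privileges inherited
from the parent console application, or anomalous for the console host?"""

# Constructed sample modelled on Volatility 3 `windows.privileges` output
# (tab-separated: PID, Process, Value, Privilege, Attributes, Description).
# Rows and PIDs are invented for this example, not taken from the case.
PRIVS_SAMPLE = """\
PID\tProcess\tValue\tPrivilege\tAttributes\tDescription
5112\tcmd.exe\t20\tSeDebugPrivilege\tPresent,Enabled\tDebug programs
5112\tcmd.exe\t29\tSeImpersonatePrivilege\tPresent,Enabled,Default\tImpersonate a client after authentication
5120\tconhost.exe\t20\tSeDebugPrivilege\tPresent,Enabled\tDebug programs
5120\tconhost.exe\t29\tSeImpersonatePrivilege\tPresent,Enabled,Default\tImpersonate a client after authentication
6400\tpowershell.exe\t20\tSeDebugPrivilege\tPresent\tDebug programs
6400\tpowershell.exe\t29\tSeImpersonatePrivilege\tPresent,Enabled,Default\tImpersonate a client after authentication
6412\tconhost.exe\t20\tSeDebugPrivilege\tPresent,Enabled\tDebug programs
6412\tconhost.exe\t29\tSeImpersonatePrivilege\tPresent,Enabled,Default\tImpersonate a client after authentication
"""

# Constructed PID -> PPID map modelled on `windows.pslist` (also invented).
# Assumption: conhost.exe's parent is the console application it serves.
PSLIST_SAMPLE = {5112: 4040, 5120: 5112, 6400: 4040, 6412: 6400}

# The two privileges the finding keys on.
FLAGGED = ("SeDebugPrivilege", "SeImpersonatePrivilege")


def parse_privileges(text):
    """Return {pid: {"name": process_name, "enabled": set_of_privileges}}.

    Only privileges whose Attributes field contains "Enabled" are kept;
    a privilege that is merely "Present" in the token is not counted.
    """
    procs = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        if not line.strip():
            continue
        pid, name, _value, priv, attrs, _desc = line.split("\t", 5)
        entry = procs.setdefault(int(pid), {"name": name, "enabled": set()})
        if "Enabled" in attrs.split(","):
            entry["enabled"].add(priv)
    return procs


def triage_conhost(privs, ppids):
    """Return [(pid, verdict)] for every conhost.exe with both FLAGGED privileges enabled.

    verdict is "inherited" when the parent console application has the same
    privileges enabled (expected, benign), otherwise "anomalous" (worth a
    closer look: the console host should not hold privileges its client lacks).
    """
    results = []
    for pid, info in sorted(privs.items()):
        if info["name"].lower() != "conhost.exe":
            continue
        if not all(p in info["enabled"] for p in FLAGGED):
            continue
        parent = privs.get(ppids.get(pid))
        if parent is not None and all(p in parent["enabled"] for p in FLAGGED):
            results.append((pid, "inherited"))
        else:
            results.append((pid, "anomalous"))
    return results


if __name__ == "__main__":
    for pid, verdict in triage_conhost(parse_privileges(PRIVS_SAMPLE), PSLIST_SAMPLE):
        print(f"conhost.exe pid={pid}: {verdict}")
```

In the constructed sample, PID 5120 mirrors an elevated cmd.exe that has both privileges enabled and is reported as inherited, while PID 6412 sits under a powershell.exe whose SeDebugPrivilege is only present, not enabled, and is reported as anomalous. On real output, an "anomalous" hit still needs the parent's token checked by hand, since the parent may have enabled and then disabled the privilege between the two snapshots.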
Claims asserted
process_privilege_enabled · conhost.exe with SeDebugPrivilege · vol_privileges
user_accounts · psql
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
vol_privileges