F010 · Suspicious · validator: blocked
Conhost.exe with elevated sensitive privileges (SeDebug, SeImpersonate, SeLoadDriver)
conhost.exe with elevated sensitive privileges
Analyst narrative
Multiple conhost.exe (console host) process instances hold enabled sensitive privileges including SeImpersonatePrivilege, SeDebugPrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeLoadDriverPrivilege, SeBackupPrivilege (fact_ids: privilege_fact-0001672, privilege_fact-0003457, privilege_fact-0003527, privilege_fact-0003807, and others). This indicates potential privilege escalation (TA0004) or defense evasion via console host process manipulation. Candidates: cand-0019-0026.
Claims asserted
process_exists · conhost_elevated_privileges
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
vol_privileges