F012 Suspicious validator: blocked
PsExec service persistence detected in registry
Registry persistence: HKLM\System\ControlSet00X\Services\PSEXESVC\ImagePath
Analyst narrative
PSEXESVC (PsExec service) is registered in both ControlSet001 and ControlSet002 with ImagePath referencing the remote execution tool. This indicates a persistence mechanism for remote code execution and lateral movement.
Claims asserted
path: PSEXESVC service registry
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_registry_persistence