F032LOWBenign / FPvalidator: passed

WmiPrvSE elevated privilege context with SeImpersonate and SeDebug enabled (TA0004: Privilege Escalation, TA0005: Defense Evasion)

WmiPrvSE.exe

Analyst narrative

WmiPrvSE.exe processes hold enabled SeImpersonate, SeDebug, and SeLoadDriver privileges. This privilege combination is used in token theft and process injection attacks such as Mimikatz.

Claims asserted

pid-vol_privileges

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

⊞

handle facthandle:pid:2876:event:4

vol_handles

›

Raw tool output · d29b5493556e0bb75ec7196f40d33b3eafddb5b3

{"GrantedAccess": 2031619, "HandleValue": 4, "Name": null, "Offset": 154518758722992, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:waitcompletionpacket:8

vol_handles

›

Raw tool output · c8f2b9c7b11aea881539181738adb6964af154bc

{"GrantedAccess": 1, "HandleValue": 8, "Name": null, "Offset": 154518758694240, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:iocompletion:12

vol_handles

›

Raw tool output · 1bfe2c87ea1bd27e7b75c081488c5410e7dfac28

{"GrantedAccess": 2031619, "HandleValue": 12, "Name": null, "Offset": 154518758125440, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:tpworkerfactory:16

vol_handles

›

Raw tool output · 6be089fa2d3009a018cedc9ed53d6d2062b418b0

{"GrantedAccess": 983295, "HandleValue": 16, "Name": null, "Offset": 154518758266992, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:irtimer:20

vol_handles

›

Raw tool output · a379e063e0f6bad1f82ff848a85fe6fe069efd30

{"GrantedAccess": 1048578, "HandleValue": 20, "Name": null, "Offset": 154518750006864, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:waitcompletionpacket:24

vol_handles

›

Raw tool output · f9eccd9cae8c95ae5bdb1ff1f55adf6e922760dd

{"GrantedAccess": 1, "HandleValue": 24, "Name": null, "Offset": 154518758766112, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:irtimer:28

vol_handles

›

Raw tool output · 8f5150abb6ad040837ffec329a166bc57f19a52f

{"GrantedAccess": 1048578, "HandleValue": 28, "Name": null, "Offset": 154518758406400, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:waitcompletionpacket:32

vol_handles

›

Raw tool output · ddec52d0d3a219a348cecdafc90d3ce0b94cb97e

{"GrantedAccess": 1, "HandleValue": 32, "Name": null, "Offset": 154518758798912, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:36

vol_handles

›

Raw tool output · bc62c9c1249fc81bd3ebb446ce88dd37fad887e8

{"GrantedAccess": 2052, "HandleValue": 36, "Name": null, "Offset": 154518758567264, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:40

vol_handles

›

Raw tool output · 70e1cc3fa0ee6fc6acf3212b978034c73108e9a5

{"GrantedAccess": 2052, "HandleValue": 40, "Name": null, "Offset": 154518758140960, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:44

vol_handles

›

Raw tool output · cfb3354f52f3813a1fc1c043ac485f784760afdf

{"GrantedAccess": 2052, "HandleValue": 44, "Name": null, "Offset": 154518758141184, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:directory:knowndlls

vol_handles

›

Raw tool output · 9c739467224979c5857411aef148f8df260089ab

{"GrantedAccess": 3, "HandleValue": 48, "Name": "KnownDlls", "Offset": 229276702421120, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Directory", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:event:52

vol_handles

›

Raw tool output · 49bd70a099058016b0c2795c8742448952448c80

{"GrantedAccess": 2031619, "HandleValue": 52, "Name": null, "Offset": 154518758631728, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:event:56

vol_handles

›

Raw tool output · 702416160359f6a4efe519e4d606db0b507b92ec

{"GrantedAccess": 2031619, "HandleValue": 56, "Name": null, "Offset": 154518758801376, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:file:\device\harddiskvolume2\windows\system32

vol_handles

›

Raw tool output · c263763d1f55f0cf3b8c2cf4853bf8049158f5f2

{"GrantedAccess": 1048608, "HandleValue": 60, "Name": "\\Device\\HarddiskVolume2\\Windows\\System32", "Offset": 154518758570480, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:64

vol_handles

›

Raw tool output · eb266ecd502a79c21394cf51826d90febcce712d

{"GrantedAccess": 2052, "HandleValue": 64, "Name": null, "Offset": 154518758221568, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:68

vol_handles

›

Raw tool output · 8e9e7a1e55ef0f72d66c13f290e82df995f98df0

{"GrantedAccess": 2052, "HandleValue": 68, "Name": null, "Offset": 154518758221792, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:alpc port:72

vol_handles

›

Raw tool output · a9c76971d5dc93f31799c050383524ecb1765727

{"GrantedAccess": 2031617, "HandleValue": 72, "Name": null, "Offset": 154518758809712, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "ALPC Port", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:iocompletion:76

vol_handles

›

Raw tool output · 74bab965cd765d70384ec6f92b62ec7100c25bf3

{"GrantedAccess": 2031619, "HandleValue": 76, "Name": null, "Offset": 154518714304448, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:tpworkerfactory:80

vol_handles

›

Raw tool output · 4b2dc743c5e6d4ba4207391b9019a3290f419cfe

{"GrantedAccess": 983295, "HandleValue": 80, "Name": null, "Offset": 154518758812208, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:irtimer:84

vol_handles

›

Raw tool output · a36c6a3a723667268b52d7de7e5ea52500806407

{"GrantedAccess": 1048578, "HandleValue": 84, "Name": null, "Offset": 154518750242400, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:waitcompletionpacket:88

vol_handles

›

Raw tool output · ef946201a23a25fee45722283ee1f579e9e4e5de

{"GrantedAccess": 1, "HandleValue": 88, "Name": null, "Offset": 154518758774160, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:irtimer:92

vol_handles

›

Raw tool output · 163555ddc8e9ca120c8c4da08197000c7f687017

{"GrantedAccess": 1048578, "HandleValue": 92, "Name": null, "Offset": 154518732897200, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:waitcompletionpacket:96

vol_handles

›

Raw tool output · 1bf6b5b386d1aa40fb059364c1dd658c780db67b

{"GrantedAccess": 1, "HandleValue": 96, "Name": null, "Offset": 154518758812000, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:key:machine\system\controlset001\control\session manager

vol_handles

›

Raw tool output · f159df50ec1d9b1a3fca36257f5a18408a0d10cb

{"GrantedAccess": 1, "HandleValue": 100, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER", "Offset": 229276731836288, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:key:machine\system\controlset001\control\nls\sorting\versions

vol_handles

›

Raw tool output · ab19507216f24bd122e077e97cbd0d37c42aa985

{"GrantedAccess": 131097, "HandleValue": 104, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\SORTING\\VERSIONS", "Offset": 229276744481616, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:108

vol_handles

›

Raw tool output · 55bc8aabf453a4602dccd72bd1790ea46f3b0952

{"GrantedAccess": 2052, "HandleValue": 108, "Name": null, "Offset": 154518758176544, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:key:machine

vol_handles

›

Raw tool output · cfd07f9c76599c395c68d37b2bfaa19455385e9e

{"GrantedAccess": 131097, "HandleValue": 112, "Name": "MACHINE", "Offset": 229276744154640, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:file:\device\cng

vol_handles

›

Raw tool output · ee60d8772f05f799cb74c9f02c0e4b5ce9f1608e

{"GrantedAccess": 1048577, "HandleValue": 116, "Name": "\\Device\\CNG", "Offset": 154518758716688, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:key:machine\software\microsoft\ole

vol_handles

›

Raw tool output · a0cfd3b929ec14fcb4ed848c77e4c151ae683b2b

{"GrantedAccess": 131097, "HandleValue": 124, "Name": "MACHINE\\SOFTWARE\\MICROSOFT\\OLE", "Offset": 229276744773136, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:event:128

vol_handles

›

Raw tool output · cf28ce584e4a6d7dd847ea525e8b97696bc4e6db

{"GrantedAccess": 2031619, "HandleValue": 128, "Name": null, "Offset": 154518758201344, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:132

vol_handles

›

Raw tool output · 7077239fb197266a0edfdbdf25d7df22f4825592

{"GrantedAccess": 2052, "HandleValue": 132, "Name": null, "Offset": 154518750597008, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:136

vol_handles

›

Raw tool output · 1166f7213d977aa0a7a11fae2c5d7bea6cdefdd1

{"GrantedAccess": 2052, "HandleValue": 136, "Name": null, "Offset": 154518758224960, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:140

vol_handles

›

Raw tool output · 824d35aae2dc62fa95539ea7fae130049baab63d

{"GrantedAccess": 2052, "HandleValue": 140, "Name": null, "Offset": 154518758858160, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:event:144

vol_handles

›

Raw tool output · 797425162da831cf78ac6e6935ff84474d3b2fb4

{"GrantedAccess": 2031619, "HandleValue": 144, "Name": null, "Offset": 154518758597408, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:event:148

vol_handles

›

Raw tool output · 652d120337c05bc9cc8397a7808c26e48ea3ba93

{"GrantedAccess": 2031619, "HandleValue": 148, "Name": null, "Offset": 154518758201216, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:event:152

vol_handles

›

Raw tool output · 2944b1158ca44b890dfb908983d5ffee39c3805a

{"GrantedAccess": 2031619, "HandleValue": 152, "Name": null, "Offset": 154518758597536, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:event:156

vol_handles

›

Raw tool output · f71fd164e8f3b88d57e4b474b58accf2d6b5bd7a

{"GrantedAccess": 2031619, "HandleValue": 156, "Name": null, "Offset": 154518758856224, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:event:160

vol_handles

›

Raw tool output · e520d82b0410e538d7e81ad2e72b5533a99806fe

{"GrantedAccess": 2031619, "HandleValue": 160, "Name": null, "Offset": 154518758856096, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:event:164

vol_handles

›

Raw tool output · 00a33b97a0fa30cc7e50ebc040e579a1c90933ee

{"GrantedAccess": 2031619, "HandleValue": 164, "Name": null, "Offset": 154518758200768, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:168

vol_handles

›

Raw tool output · 0f2621195c756559b86a59d0dc7866daffa4e1bf

{"GrantedAccess": 2052, "HandleValue": 168, "Name": null, "Offset": 154518758793328, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:directory:basenamedobjects

vol_handles

›

Raw tool output · e23784c4b0338bebfb04e3faa201fe55a2d976a3

{"GrantedAccess": 15, "HandleValue": 172, "Name": "BaseNamedObjects", "Offset": 229276810769120, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "Directory", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:176

vol_handles

›

Raw tool output · 10194e7ff243bc9379828065a029898709678474

{"GrantedAccess": 2052, "HandleValue": 176, "Name": null, "Offset": 154518758794064, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:180

vol_handles

›

Raw tool output · a58d958ed561934220f5b376234fa0f32b731b71

{"GrantedAccess": 2052, "HandleValue": 180, "Name": null, "Offset": 154518758793840, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:184

vol_handles

›

Raw tool output · 911e5498c9836c1ee158a3fdc94f9c1d1e61f772

{"GrantedAccess": 2052, "HandleValue": 184, "Name": null, "Offset": 154518758793616, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:188

vol_handles

›

Raw tool output · 9c49beb02a18f78ce5db98c96db5bec3f46e043a

{"GrantedAccess": 2052, "HandleValue": 188, "Name": null, "Offset": 154518758772848, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2876:etwregistration:192

vol_handles

›

Raw tool output · 7cd781d9bc300d7d2eb92f6c7499b76cb792f5bd

{"GrantedAccess": 2052, "HandleValue": 192, "Name": null, "Offset": 154518758773712, "PID": 2876, "Process": "WmiPrvSE.exe", "Type": "EtwRegistration", "TreeDepth": 0}

▣

process factpid:2876

vol_psscan

›

Raw tool output · fda7556e5f7ae9df2b483f98858223a4a0cd9f2b

{"CreateTime": "2018-08-30T13:52:26+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "WmiPrvSE.exe", "Offset(V)": 154518718150016, "PID": 2876, "PPID": 868, "SessionId": 0, "Threads": 10, "Wow64": false, "TreeDepth": 0}

▣

process relationship factpid:2876->pid:868

vol_psscanvol_pstree

›

Raw tool output · 9ec674d7663c65e93582baec418c4287f4e41e8c

{"CreateTime": "2018-08-30T13:52:26+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "WmiPrvSE.exe", "Offset(V)": 154518718150016, "PID": 2876, "PPID": 868, "SessionId": 0, "Threads": 10, "Wow64": false, "TreeDepth": 0}

▣

process relationship factpid:8712->pid:2876

vol_psscanvol_pstree

›

Raw tool output · 143b97d30a8c0f2c84da4a1e5b800e110fb471e1

{"CreateTime": "2018-08-30T16:43:36+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "powershell.exe", "Offset(V)": 154518771437696, "PID": 8712, "PPID": 2876, "SessionId": 0, "Threads": 11, "Wow64": false, "TreeDepth": 0}

Source tools

vol_privileges