F033 Suspicious | validator: blocked
rundll32.exe with sensitive privilege escalation flags (TA0004: Privilege Escalation)
rundll32.exe
Analyst narrative
rundll32.exe processes hold the enabled SeBackup, SeRestore, SeLoadDriver, SeImpersonate, and SeDebug privileges. rundll32.exe holding this privilege combination is a signature of privilege escalation and token impersonation attacks.
Claims asserted
pid-
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
vol_privileges