Veritas
F034 · Suspicious · validator: blocked

Conhost.exe with SeImpersonate and SeDebug privileges (TA0004: Privilege Escalation)

conhost.exe

Analyst narrative

conhost.exe (the console host process) holds enabled SeImpersonate and SeDebug privileges. This is abnormal, as the console host should not require privilege escalation capabilities; it suggests privilege inheritance from an elevated parent, or injection.

Claims asserted

pid-

Proof chain · 0 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

Source tools

vol_privileges