F032 · LOW · Inconclusive · validator: passed
SafeBoot AlternateShell registry persistence
SafeBoot AlternateShell persistence value
Analyst narrative
candidate cand-0099/cand-0100: AlternateShell value under SafeBoot in ControlSet001/002, a potential persistence/recovery-mode backdoor mechanism. fact_ids=registry_persistence_fact-0001592, registry_persistence_fact-0003188
Claims asserted
path: hklm/system/controlset001/control/safeboot/alternateshell
Proof chain · 1 fact
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
registry persistence fact · reg:hklm/system/controlset001/control/safeboot · tool: parse_registry_persistence
Raw tool output · 30b2ab7f41f054569b7ea21f9a1c37916940a363
{"tool": "parse_registry_persistence", "source_hive": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM", "hive_type": "SYSTEM", "registry_path": "HKLM\\SYSTEM\\ControlSet001\\Control\\SafeBoot", "value_name": "AlternateShell", "value_data": "cmd.exe", "value_type": "REG_SZ", "value_data_truncated": false, "is_default": false, "persistence_type": "safeboot", "control_set": "ControlSet001", "is_active_controlset": true, "user_profile": null, "last_write_time": "2013-08-22T14:48:12.482893+00:00", "evidence_type": "registry_persistence", "raw_excerpt": "{\"registry_path\": \"HKLM\\\