High-risk tools in Procmon

High severity Procmon MCP Server 4 of 18 tools

4 of the 18 tools in Procmon are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.

Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.

Tools at high risk

request_elevation Execute

Launch a cmd script via UAC (Start-Process -Verb RunAs) to run the given command.
start_etw_trace Execute

Start a kernel ETW trace via logman (requires elevation).
stop_etw_trace Execute

Stop ETW trace, run tracerpt to CSV and summary, return parsed preview (requires elevation).
timed_capture Execute

Repeated snapshots over a duration with optional shell trigger command launched at start.

Attacks that target this class

High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.

High-risk tools in Procmon

Tools at high risk

Attacks that target this class

More on Procmon

Enforce policy on every Procmon tool call.