low closed false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

Sensitive Process Accessed low
Rule: general.Sensitive Process Accessed
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: SENSITIVE_PROCESS_ACCESS
Confidence: 95% · Verdict: false positive
Event Data:
EVENTS:
[{'event': {'BASE_ADDRESS': 140695720558592, 'COMMAND_LINE': 'C:\\Windows\\system32\\lsass.exe', 'CREATION_TIME': 1773849971454, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\system32\\lsass.exe', 'HASH': 'bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f', 'MEMORY_USAGE': 75264000, 'PARENT': {'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe', 'HASH': '13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649', 'MEMORY_USAGE': 6987776, 'PARENT_PROCESS_ID': 420, 'PROCESS_ID': 536, 'THIS_ATOM': '5aac4ac94a5899870505a72a69badbc5', 'THREADS': 5, 'TIMESTAMP': 1773853637283, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'PARENT_PROCESS_ID': 536, 'PROCESS_ID': 632, 'THREADS': 46, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'routing': {'arch': 2, 'did': '', 'event_id': 'b954cbe1-c94b-4790-8153-6a78f1bd6168', 'event_time': 1773853637298, 'event_type': 'EXISTING_PROCESS', 'ext_ip': '67.60.122.240', 'hostname': 'df-labsdc01.dflabs.local', 'iid': '47501359-645e-4049-906e-e6195da7afcf', 'int_ip': '192.168.45.129', 'latency': 132670, 'moduleid': 2, 'oid': 'ad19afae-3759-4207-b06e-8648b225c455', 'parent': '5aac4ac94a5899870505a72a69badbc5', 'plat': 268435456, 'sid': 'e4a1c62d-4d1f-4472-bae4-43291246b4d4', 'tags': ['domain-controller'], 'this': '990b174edf869fdf7e114b4269badbc5'}}, {'event': {'ACCESS_FLAGS': 5136, 'PARENT_PROCESS_ID': 3324, 'PROCESS_ID': 632, 'SOURCE': {'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe', 'HASH': '4d4f913d46f799582eac75707424f84ce7107e96cac55ddd454f4e554fdd24b1', 'MEMORY_USAGE': 65019904, 'PARENT_ATOM': '5121f09ae4602c114b78252569badbc5', 'PARENT_PROCESS_ID': 608, 'PROCESS_ID': 3324, 'THIS_ATOM': 'fc5d0530662c070c4e8dbb9b69badbc5', 'THREADS': 101, 'TIMESTAMP': 1773853637475, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'TARGET': {'BASE_ADDRESS': 140695720558592, 'COMMAND_LINE': 'C:\\Windows\\system32\\lsass.exe', 'CREATION_TIME': 1773849971454, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\system32\\lsass.exe', 'HASH': 'bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f', 'MEMORY_USAGE': 75264000, 'PARENT_ATOM': '5aac4ac94a5899870505a72a69badbc5', 'PARENT_PROCESS_ID': 536, 'PROCESS_ID': 632, 'THIS_ATOM': '990b174edf869fdf7e114b4269badbc5', 'THREADS': 46, 'TIMESTAMP': 1773853637298, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}}, 'routing': {'arch': 2, 'did': '', 'event_id': 'c017c06c-8bee-4977-9a44-f08f1e509a52', 'event_time': 1773853769887, 'event_type': 'REMOTE_PROCESS_HANDLE', 'ext_ip': '67.60.122.240', 'hostname': 'df-labsdc01.dflabs.local', 'iid': '47501359-645e-4049-906e-e6195da7afcf', 'int_ip': '192.168.45.129', 'latency': 81, 'moduleid': 2, 'oid': 'ad19afae-3759-4207-b06e-8648b225c455', 'parent': 'fc5d0530662c070c4e8dbb9b69badbc5', 'plat': 268435456, 'sid': 'e4a1c62d-4d1f-4472-bae4-43291246b4d4', 'tags': ['domain-controller'], 'target': '990b174edf869fdf7e114b4269badbc5', 'this': '337542a34bba27b72c73de9e69badc49'}}]
IOCs: C:\Windows\system32\lsass.exe bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Sensitive Process Accessed",
  "detect": {
    "event": {
      "EVENTS": [
        {
          "event": {
            "BASE_ADDRESS": 140695720558592,
            "COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
            "CREATION_TIME": 1773849971454,
            "FILE_IS_SIGNED": 1,
            "FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
            "HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
            "MEMORY_USAGE": 75264000,
            "PARENT": {
              "FILE_IS_SIGNED": 1,
              "FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe",
              "HASH": "13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649",
              "MEMORY_USAGE": 6987776,
              "PARENT_PROCESS_ID": 420,
              "PROCESS_ID": 536,
              "THIS_ATOM": "5aac4ac94a5899870505a72a69badbc5",
              "THREADS": 5,
              "TIMESTAMP": 1773853637283,
              "USER_NAME": "NT AUTHORITY\\SYSTEM"
            },
            "PARENT_PROCESS_ID": 536,
            "PROCESS_ID": 632,
            "THREADS": 46,
            "USER_NAME": "NT AUTHORITY\\SYSTEM"
          },
          "routing": {
            "arch": 2,
            "did": "",
            "event_id": "b954cbe1-c94b-4790-8153-6a78f1bd6168",
            "event_time": 1773853637298,
            "event_type": "EXISTING_PROCESS",
            "ext_ip": "67.60.122.240",
            "hostname": "df-labsdc01.dflabs.local",
            "iid": "47501359-645e-4049-906e-e6195da7afcf",
            "int_ip": "192.168.45.129",
            "latency": 132670,
            "moduleid": 2,
            "oid": "ad19afae-3759-4207-b06e-8648b225c455",
            "parent": "5aac4ac94a5899870505a72a69badbc5",
            "plat": 268435456,
            "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
            "tags": [
              "domain-controller"
            ],
            "this": "990b174edf869fdf7e114b4269badbc5"
          }
        },
        {
          "event": {
            "ACCESS_FLAGS": 5136,
            "PARENT_PROCESS_ID": 3324,
            "PROCESS_ID": 632,
            "SOURCE": {
              "FILE_IS_SIGNED": 1,
              "FILE_PATH": "\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe",
              "HASH": "4d4f913d46f799582eac75707424f84ce7107e96cac55ddd454f4e554fdd24b1",
              "MEMORY_USAGE": 65019904,
              "PARENT_ATOM": "5121f09ae4602c114b78252569badbc5",
              "PARENT_PROCESS_ID": 608,
              "PROCESS_ID": 3324,
              "THIS_ATOM": "fc5d0530662c070c4e8dbb9b69badbc5",
              "THREADS": 101,
              "TIMESTAMP": 1773853637475,
              "USER_NAME": "NT AUTHORITY\\SYSTEM"
            },
            "TARGET": {
              "BASE_ADDRESS": 140695720558592,
              "COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
              "CREATION_TIME": 1773849971454,
              "FILE_IS_SIGNED": 1,
              "FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
              "HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
              "MEMORY_USAGE": 75264000,
              "PARENT_ATOM": "5aac4ac94a5899870505a72a69badbc5",
              "PARENT_PROCESS_ID": 536,
              "PROCESS_ID": 632,
              "THIS_ATOM": "990b174edf869fdf7e114b4269badbc5",
              "THREADS": 46,
              "TIMESTAMP": 1773853637298,
              "USER_NAME": "NT AUTHORITY\\SYSTEM"
            }
          },
          "routing": {
            "arch": 2,
            "did": "",
            "event_id": "c017c06c-8bee-4977-9a44-f08f1e509a52",
            "event_time": 1773853769887,
            "event_type": "REMOTE_PROCESS_HANDLE",
            "ext_ip": "67.60.122.240",
            "hostname": "df-labsdc01.dflabs.local",
            "iid": "47501359-645e-4049-906e-e6195da7afcf",
            "int_ip": "192.168.45.129",
            "latency": 81,
            "moduleid": 2,
            "oid": "ad19afae-3759-4207-b06e-8648b225c455",
            "parent": "fc5d0530662c070c4e8dbb9b69badbc5",
            "plat": 268435456,
            "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
            "tags": [
              "domain-controller"
            ],
            "target": "990b174edf869fdf7e114b4269badbc5",
            "this": "337542a34bba27b72c73de9e69badc49"
          }
        }
      ]
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "5f59e7e6-1445-4c07-a2ad-2485f42fad9f",
      "event_time": 1773853769903,
      "event_type": "SENSITIVE_PROCESS_ACCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 65,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "fc5d0530662c070c4e8dbb9b69badbc5",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller"
      ],
      "target": "990b174edf869fdf7e114b4269badbc5",
      "this": "695d1510a93d593f53a13be969badc49"
    }
  },
  "detect_id": "d534025c-5e62-4b14-8097-9c1a69badc49",
  "gen_time": 1773853769968,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1773853769\u0026selected=695d1510a93d593f53a13be969badc49",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "5f59e7e6-1445-4c07-a2ad-2485f42fad9f",
    "event_time": 1773853769903,
    "event_type": "SENSITIVE_PROCESS_ACCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 65,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "fc5d0530662c070c4e8dbb9b69badbc5",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller"
    ],
    "target": "990b174edf869fdf7e114b4269badbc5",
    "this": "695d1510a93d593f53a13be969badc49"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.Sensitive Process Accessed",
  "ts": 1773853770000
}
🤖 Triage JSON
{
  "confidence": 0.95,
  "false_positive_reason": "Legitimate system process running in expected context",
  "investigation_questions": [
    "Does the rule logic distinguish between process creation and cross-process handle/memory access?"
  ],
  "ioc_analysis": "lsass.exe is located in C:\\Windows\\System32\\ and is a signed Microsoft binary. Its parent, wininit.exe, is also a signed system binary located in the correct directory. The hash provided corresponds to a legitimate version of the Microsoft LSASS executable.",
  "iocs_extracted": [
    "C:\\Windows\\system32\\lsass.exe",
    "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f"
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Tune the \u0027Sensitive Process Accessed\u0027 rule to exclude legitimate system startup sequences where wininit.exe spawns lsass.exe.",
    "Verify if the rule was intended to detect memory access to LSASS rather than the process execution itself."
  ],
  "risk_score": 7,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detection triggered on lsass.exe (Local Security Authority Subsystem Service) running from its legitimate system directory. The process was spawned by wininit.exe under the SYSTEM account, which is the expected and standard behavior for Windows initialization.\n\n**IOC Analysis:** lsass.exe is located in C:\\Windows\\System32\\ and is a signed Microsoft binary. Its parent, wininit.exe, is also a signed system binary located in the correct directory. The hash provided corresponds to a legitimate version of the Microsoft LSASS executable.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because lsass.exe is a legitimate Windows system binary running from its expected location in System32 and is signed by Microsoft.\n\n**IOC Analysis:** The process lsass.exe is located at C:\\Windows\\system32\\lsass.exe, which is the known-good location for this critical Windows system binary. The file hash matches the official Microsoft signature, and FILE_IS_SIGNED is true. The parent process wininit.exe is also a legitimate system process running under NT AUTHORITY\\SYSTEM.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves a system process lsass.exe, which is a legitimate Windows binary located in the expected System32 directory and is signed. Given the benign nature of system processes and historical analyst feedback indicating false positives for this rule, this event is classified as a false positive.\n\n**IOC Analysis:** The FILE_PATH \u0027C:\\Windows\\System32\\lsass.exe\u0027 is a known system binary location for LSASS, a critical Windows process. The FILE_IS_SIGNED value of 1 indicates it is a Microsoft-signed binary, and it is running with SYSTEM privileges, which is typical for legitimate system operations. The HASH provided matches a known Microsoft-signed version of lsass.exe, confirming its legitimacy.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 100% confidence)",
      "qwen3.5:4b: false_positive (informational, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action: tag · Target: e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated · Status: failed · Result: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
Action: recommended · Target: Close case as false positive (unanimous AI verdict) · Status: executed · Result: General Activity Sweep: 0 events found
Action: recommended · Target: No action required; this is legitimate Windows boot and system management activity. · Status: executed · Result: General Activity Sweep: 0 events found
Action: recommended · Target: Consider tuning the rule to exclude LSASS access from wininit.exe or other core system processes. · Status: executed · Result: Process Tree Investigation: 0 events found
Action: tag · Target: e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated · Status: failed · Result: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
Action: recommended · Target: Close case as false positive (unanimous AI verdict) · Status: executed · Result: General Activity Sweep: 0 events found
Action: recommended · Target: Tune the 'Sensitive Process Accessed' rule to exclude legitimate system startup sequences where wininit.exe spawns lsass.exe. · Status: executed · Result: Process Tree Investigation: 0 events found
Action: recommended · Target: Verify if the rule was intended to detect memory access to LSASS rather than the process execution itself. · Status: executed · Result: Process Tree Investigation: 0 events found

๐Ÿ“ Add Note

💬 Notes (7)

🤖 FusionSOC AI 2026-03-18T17:22
🤖 FusionSOC AI 2026-03-18T17:22
🤖 FusionSOC AI 2026-03-18T17:22
🤖 FusionSOC AI 2026-03-18T17:11
🤖 FusionSOC AI 2026-03-18T17:11
🤖 FusionSOC AI 2026-03-18T17:11
🤖 FusionSOC AI 2026-03-18T17:11

📜 Timeline

2026-03-18T17:22:13
FusionSOC
Action recommended → executed: Process Tree Investigation: 0 events found
2026-03-18T17:22:13
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Verify if the rule was intended to detect memory access to LSASS rather than...
2026-03-18T17:22:12
FusionSOC
Response action queued: recommended on Verify if the rule was intended to detect memory access to LSASS rather than the process execution itself.
2026-03-18T17:22:12
FusionSOC
Action recommended → executed: Process Tree Investigation: 0 events found
2026-03-18T17:22:12
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Tune the 'Sensitive Process Accessed' rule to exclude legitimate system star...
2026-03-18T17:22:12
FusionSOC
Response action queued: recommended on Tune the 'Sensitive Process Accessed' rule to exclude legitimate system startup sequences where wininit.exe spawns lsass.exe.
2026-03-18T17:22:12
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T17:22:12
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T17:22:12
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T17:22:12
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T17:22:12
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T17:19:58
analyst
Status changed: triaging โ†’ closed
2026-03-18T17:19:52
analyst
Analyst classified as False Positive (FP)
2026-03-18T17:11:10
FusionSOC
Action recommended → executed: Process Tree Investigation: 0 events found
2026-03-18T17:11:10
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Consider tuning the rule to exclude LSASS access from wininit.exe or other c...
2026-03-18T17:11:10
FusionSOC
Response action queued: recommended on Consider tuning the rule to exclude LSASS access from wininit.exe or other core system processes.
2026-03-18T17:11:10
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T17:11:10
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** No action required; this is legitimate Windows boot and system management activi...
2026-03-18T17:11:10
FusionSOC
Response action queued: recommended on No action required; this is legitimate Windows boot and system management activity.
2026-03-18T17:11:10
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T17:11:10
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T17:11:09
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T17:11:09
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T17:11:09
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T17:11:09
FusionSOC AI
Detection d534025c-5e62-4b14-8097-9c1a69badc49 triaged as false_positive (low severity, confidence: 97%)
2026-03-18T17:11:09
FusionSOC AI
Case created from detection: general.Sensitive Process Accessed