Severity: informational · Status: closed · Verdict: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

Sensitive Process Accessed (informational)
Rule: general.Sensitive Process Accessed
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: SENSITIVE_PROCESS_ACCESS
Confidence: 95% · Verdict: false positive
Event Data:
EVENTS:
[{'event': {'BASE_ADDRESS': 140695720558592, 'COMMAND_LINE': 'C:\\Windows\\system32\\lsass.exe', 'CREATION_TIME': 1773849971454, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\system32\\lsass.exe', 'HASH': 'bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f', 'MEMORY_USAGE': 75264000, 'PARENT': {'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe', 'HASH': '13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649', 'MEMORY_USAGE': 6987776, 'PARENT_PROCESS_ID': 420, 'PROCESS_ID': 536, 'THIS_ATOM': '5aac4ac94a5899870505a72a69badbc5', 'THREADS': 5, 'TIMESTAMP': 1773853637283, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'PARENT_PROCESS_ID': 536, 'PROCESS_ID': 632, 'THREADS': 46, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'routing': {'arch': 2, 'did': '', 'event_id': 'dc0b9fa6-cc9c-4ddc-8986-2f0e457996c7', 'event_time': 1773853637298, 'event_type': 'EXISTING_PROCESS', 'ext_ip': '67.60.122.240', 'hostname': 'df-labsdc01.dflabs.local', 'iid': '47501359-645e-4049-906e-e6195da7afcf', 'int_ip': '192.168.45.129', 'latency': 875368, 'moduleid': 2, 'oid': 'ad19afae-3759-4207-b06e-8648b225c455', 'parent': '5aac4ac94a5899870505a72a69badbc5', 'plat': 268435456, 'sid': 'e4a1c62d-4d1f-4472-bae4-43291246b4d4', 'tags': ['domain-controller', 'fusion-soc-pulled', 'fusion-soc-triage', 'fusion-soc-case'], 'this': '990b174edf869fdf7e114b4269badbc5'}}, {'event': {'ACCESS_FLAGS': 5136, 'PARENT_PROCESS_ID': 3324, 'PROCESS_ID': 632, 'SOURCE': {'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe', 'HASH': '4d4f913d46f799582eac75707424f84ce7107e96cac55ddd454f4e554fdd24b1', 'MEMORY_USAGE': 65019904, 'PARENT_ATOM': '5121f09ae4602c114b78252569badbc5', 'PARENT_PROCESS_ID': 608, 'PROCESS_ID': 3324, 'THIS_ATOM': 'fc5d0530662c070c4e8dbb9b69badbc5', 'THREADS': 101, 'TIMESTAMP': 1773853637475, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'TARGET': {'BASE_ADDRESS': 140695720558592, 'COMMAND_LINE': 'C:\\Windows\\system32\\lsass.exe', 'CREATION_TIME': 1773849971454, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\system32\\lsass.exe', 'HASH': 'bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f', 'MEMORY_USAGE': 75264000, 'PARENT_ATOM': '5aac4ac94a5899870505a72a69badbc5', 'PARENT_PROCESS_ID': 536, 'PROCESS_ID': 632, 'THIS_ATOM': '990b174edf869fdf7e114b4269badbc5', 'THREADS': 46, 'TIMESTAMP': 1773853637298, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}}, 'routing': {'arch': 2, 'did': '', 'event_id': '83cc438e-fba7-4ab2-b7c9-70f1cdf37f45', 'event_time': 1773854511335, 'event_type': 'REMOTE_PROCESS_HANDLE', 'ext_ip': '67.60.122.240', 'hostname': 'df-labsdc01.dflabs.local', 'iid': '47501359-645e-4049-906e-e6195da7afcf', 'int_ip': '192.168.45.129', 'latency': 1331, 'moduleid': 2, 'oid': 'ad19afae-3759-4207-b06e-8648b225c455', 'parent': 'fc5d0530662c070c4e8dbb9b69badbc5', 'plat': 268435456, 'sid': 'e4a1c62d-4d1f-4472-bae4-43291246b4d4', 'tags': ['domain-controller', 'fusion-soc-pulled', 'fusion-soc-triage', 'fusion-soc-case'], 'target': '990b174edf869fdf7e114b4269badbc5', 'this': '09d159ff72046869c0ec7dab69badf2f'}}]
IOCs: C:\Windows\system32\lsass.exe bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f C:\Windows\System32\wininit.exe 13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649
MITRE: T1003
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Sensitive Process Accessed",
  "detect": {
    "event": {
      "EVENTS": [
        {
          "event": {
            "BASE_ADDRESS": 140695720558592,
            "COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
            "CREATION_TIME": 1773849971454,
            "FILE_IS_SIGNED": 1,
            "FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
            "HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
            "MEMORY_USAGE": 75264000,
            "PARENT": {
              "FILE_IS_SIGNED": 1,
              "FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe",
              "HASH": "13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649",
              "MEMORY_USAGE": 6987776,
              "PARENT_PROCESS_ID": 420,
              "PROCESS_ID": 536,
              "THIS_ATOM": "5aac4ac94a5899870505a72a69badbc5",
              "THREADS": 5,
              "TIMESTAMP": 1773853637283,
              "USER_NAME": "NT AUTHORITY\\SYSTEM"
            },
            "PARENT_PROCESS_ID": 536,
            "PROCESS_ID": 632,
            "THREADS": 46,
            "USER_NAME": "NT AUTHORITY\\SYSTEM"
          },
          "routing": {
            "arch": 2,
            "did": "",
            "event_id": "dc0b9fa6-cc9c-4ddc-8986-2f0e457996c7",
            "event_time": 1773853637298,
            "event_type": "EXISTING_PROCESS",
            "ext_ip": "67.60.122.240",
            "hostname": "df-labsdc01.dflabs.local",
            "iid": "47501359-645e-4049-906e-e6195da7afcf",
            "int_ip": "192.168.45.129",
            "latency": 875368,
            "moduleid": 2,
            "oid": "ad19afae-3759-4207-b06e-8648b225c455",
            "parent": "5aac4ac94a5899870505a72a69badbc5",
            "plat": 268435456,
            "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
            "tags": [
              "domain-controller",
              "fusion-soc-pulled",
              "fusion-soc-triage",
              "fusion-soc-case"
            ],
            "this": "990b174edf869fdf7e114b4269badbc5"
          }
        },
        {
          "event": {
            "ACCESS_FLAGS": 5136,
            "PARENT_PROCESS_ID": 3324,
            "PROCESS_ID": 632,
            "SOURCE": {
              "FILE_IS_SIGNED": 1,
              "FILE_PATH": "\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe",
              "HASH": "4d4f913d46f799582eac75707424f84ce7107e96cac55ddd454f4e554fdd24b1",
              "MEMORY_USAGE": 65019904,
              "PARENT_ATOM": "5121f09ae4602c114b78252569badbc5",
              "PARENT_PROCESS_ID": 608,
              "PROCESS_ID": 3324,
              "THIS_ATOM": "fc5d0530662c070c4e8dbb9b69badbc5",
              "THREADS": 101,
              "TIMESTAMP": 1773853637475,
              "USER_NAME": "NT AUTHORITY\\SYSTEM"
            },
            "TARGET": {
              "BASE_ADDRESS": 140695720558592,
              "COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
              "CREATION_TIME": 1773849971454,
              "FILE_IS_SIGNED": 1,
              "FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
              "HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
              "MEMORY_USAGE": 75264000,
              "PARENT_ATOM": "5aac4ac94a5899870505a72a69badbc5",
              "PARENT_PROCESS_ID": 536,
              "PROCESS_ID": 632,
              "THIS_ATOM": "990b174edf869fdf7e114b4269badbc5",
              "THREADS": 46,
              "TIMESTAMP": 1773853637298,
              "USER_NAME": "NT AUTHORITY\\SYSTEM"
            }
          },
          "routing": {
            "arch": 2,
            "did": "",
            "event_id": "83cc438e-fba7-4ab2-b7c9-70f1cdf37f45",
            "event_time": 1773854511335,
            "event_type": "REMOTE_PROCESS_HANDLE",
            "ext_ip": "67.60.122.240",
            "hostname": "df-labsdc01.dflabs.local",
            "iid": "47501359-645e-4049-906e-e6195da7afcf",
            "int_ip": "192.168.45.129",
            "latency": 1331,
            "moduleid": 2,
            "oid": "ad19afae-3759-4207-b06e-8648b225c455",
            "parent": "fc5d0530662c070c4e8dbb9b69badbc5",
            "plat": 268435456,
            "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
            "tags": [
              "domain-controller",
              "fusion-soc-pulled",
              "fusion-soc-triage",
              "fusion-soc-case"
            ],
            "target": "990b174edf869fdf7e114b4269badbc5",
            "this": "09d159ff72046869c0ec7dab69badf2f"
          }
        }
      ]
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "723bcee7-f9b9-4d9d-8b52-ad0add0b15ae",
      "event_time": 1773854511795,
      "event_type": "SENSITIVE_PROCESS_ACCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 871,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "fc5d0530662c070c4e8dbb9b69badbc5",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusion-soc-case"
      ],
      "target": "990b174edf869fdf7e114b4269badbc5",
      "this": "82278437014686afdee3e1e569badf2f"
    }
  },
  "detect_id": "1cd0841b-e322-406b-8514-00d269badf30",
  "gen_time": 1773854512819,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1773854511\u0026selected=82278437014686afdee3e1e569badf2f",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "723bcee7-f9b9-4d9d-8b52-ad0add0b15ae",
    "event_time": 1773854511795,
    "event_type": "SENSITIVE_PROCESS_ACCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 871,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "fc5d0530662c070c4e8dbb9b69badbc5",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusion-soc-case"
    ],
    "target": "990b174edf869fdf7e114b4269badbc5",
    "this": "82278437014686afdee3e1e569badf2f"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.Sensitive Process Accessed",
  "ts": 1773854515000
}
🤖 Triage JSON
{
  "confidence": 0.95,
  "false_positive_reason": "Legitimate system process behavior (wininit.exe spawning lsass.exe)",
  "investigation_questions": [],
  "ioc_analysis": "The file C:\\Windows\\system32\\lsass.exe (SHA256: bbc83e4...) is a known-good Windows system binary. Its parent process, wininit.exe, is the standard launcher for lsass.exe during the Windows boot sequence. Both files are reported as signed.",
  "iocs_extracted": [
    "C:\\Windows\\system32\\lsass.exe",
    "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
    "C:\\Windows\\System32\\wininit.exe",
    "13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649"
  ],
  "mitre_techniques": [
    "T1003"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "No action required.",
    "Tune the detection rule to exclude legitimate wininit.exe to lsass.exe process relationships."
  ],
  "risk_score": 5,
  "severity": "informational",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detection triggered on a sensitive process access involving lsass.exe. Analysis confirms that lsass.exe is a legitimate, signed Microsoft binary running from its standard directory (System32) and was spawned by its expected parent process, wininit.exe.\n\n**IOC Analysis:** The file C:\\Windows\\system32\\lsass.exe (SHA256: bbc83e4...) is a known-good Windows system binary. Its parent process, wininit.exe, is the standard launcher for lsass.exe during the Windows boot sequence. Both files are reported as signed.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because lsass.exe is a legitimate Windows system binary running from its expected location in System32 and is signed by Microsoft.\n\n**IOC Analysis:** The process lsass.exe is located at C:\\Windows\\system32\\lsass.exe, which is the known-good location for this critical Windows system binary. The file hash matches the official Microsoft signature, and FILE_IS_SIGNED indicates it is a legitimate signed binary. The parent process wininit.exe is also a known Windows initialization process running under SYSTEM context.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves access to the legitimate Windows system process lsass.exe, which is part of normal system operations and is signed. Given the historical feedback indicating false positives for this rule, this event is likely benign and not malicious.\n\n**IOC Analysis:** The FILE_PATH is C:\\Windows\\System, which is a known legitimate system binary location. The specific file lsass.exe is a critical Windows system process located in System32, and it is signed (FILE_IS_SIGNED=1). The parent process wininit.exe is also a legitimate system binary. No malicious indicators are present, confirming the benign nature.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (informational, 100% confidence)",
      "qwen3.5:4b: false_positive (informational, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action Target Status Result
tag e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated failed 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
recommended Close case as false positive (unanimous AI verdict) executed General Activity Sweep: 0 events found
recommended No action required. executed General Activity Sweep: 0 events found
recommended Tune the detection rule to exclude legitimate wininit.exe to lsass.exe process relationships. executed Process Tree Investigation: 0 events found

๐Ÿ“ Add Note

💬 Notes (4)

🤖 FusionSOC AI 2026-03-18T17:31
🤖 FusionSOC AI 2026-03-18T17:31
🤖 FusionSOC AI 2026-03-18T17:31
🤖 FusionSOC AI 2026-03-18T17:31

📜 Timeline

2026-03-18T18:26:06
analyst
Status changed: triaging → closed
2026-03-18T18:26:00
analyst
Analyst classified as False Positive (FP)
2026-03-18T17:31:23
FusionSOC
Action recommended → executed: Process Tree Investigation: 0 events found
2026-03-18T17:31:23
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” Process Tree Investigation **Action:** Tune the detection rule to exclude legitimate wininit.exe to lsass.exe proce...
2026-03-18T17:31:23
FusionSOC
Response action queued: recommended on Tune the detection rule to exclude legitimate wininit.exe to lsass.exe process relationships.
2026-03-18T17:31:23
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T17:31:23
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** No action required. **Sensor:** `e4a1c62d-4d1f-44...` **Time Window:** +/- 2 min...
2026-03-18T17:31:22
FusionSOC
Response action queued: recommended on No action required.
2026-03-18T17:31:22
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T17:31:22
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T17:31:22
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T17:31:22
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T17:31:22
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T17:31:22
FusionSOC AI
Detection 1cd0841b-e322-406b-8514-00d269badf30 triaged as false_positive (informational severity, confidence: 95%)
2026-03-18T17:31:22
FusionSOC AI
Case created from detection: general.Sensitive Process Accessed