โ
Case #385
general.Sensitive Process Accessed
๐ท๏ธ Analyst Verdict Classification
FP by analyst๐ค AI Analysis
๐ Detections (1)
Sensitive Process Accessed
high
Rule: general.Sensitive Process Accessed
Hostname: df-labsdc01.dflabs.local ยท Sensor: e4a1c62d-4d1f-44...
Event Type: SENSITIVE_PROCESS_ACCESS
Confidence: 96% ยท Verdict: false positive
Event Data:
EVENTS:
[{'event': {'BASE_ADDRESS': 140695720558592, 'COMMAND_LINE': 'C:\\Windows\\system32\\lsass.exe', 'CREATION_TIME': 1773849971454, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\system32\\lsass.exe', 'HASH': 'bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f', 'MEMORY_USAGE': 75264000, 'PARENT': {'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe', 'HASH': '13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649', 'MEMORY_USAGE': 6987776, 'PARENT_PROCESS_ID': 420, 'PROCESS_ID': 536, 'THIS_ATOM': '5aac4ac94a5899870505a72a69badbc5', 'THREADS': 5, 'TIMESTAMP': 1773853637283, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'PARENT_PROCESS_ID': 536, 'PROCESS_ID': 632, 'THREADS': 46, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'routing': {'arch': 2, 'did': '', 'event_id': 'b0e4f956-4bcc-47a4-a01c-0f1742dfc2f2', 'event_time': 1773853637298, 'event_type': 'EXISTING_PROCESS', 'ext_ip': '67.60.122.240', 'hostname': 'df-labsdc01.dflabs.local', 'iid': '47501359-645e-4049-906e-e6195da7afcf', 'int_ip': '192.168.45.129', 'latency': 875816, 'moduleid': 2, 'oid': 'ad19afae-3759-4207-b06e-8648b225c455', 'parent': '5aac4ac94a5899870505a72a69badbc5', 'plat': 268435456, 'sid': 'e4a1c62d-4d1f-4472-bae4-43291246b4d4', 'tags': ['domain-controller', 'fusion-soc-pulled', 'fusion-soc-triage', 'fusion-soc-case'], 'this': '990b174edf869fdf7e114b4269badbc5'}}, {'event': {'ACCESS_FLAGS': 1052689, 'PARENT_PROCESS_ID': 3324, 'PROCESS_ID': 632, 'SOURCE': {'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe', 'HASH': '4d4f913d46f799582eac75707424f84ce7107e96cac55ddd454f4e554fdd24b1', 'MEMORY_USAGE': 65019904, 'PARENT_ATOM': '5121f09ae4602c114b78252569badbc5', 'PARENT_PROCESS_ID': 608, 'PROCESS_ID': 3324, 'THIS_ATOM': 'fc5d0530662c070c4e8dbb9b69badbc5', 'THREADS': 101, 'TIMESTAMP': 1773853637475, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'TARGET': {'BASE_ADDRESS': 140695720558592, 'COMMAND_LINE': 'C:\\Windows\\system32\\lsass.exe', 'CREATION_TIME': 1773849971454, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\system32\\lsass.exe', 'HASH': 'bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f', 'MEMORY_USAGE': 75264000, 'PARENT_ATOM': '5aac4ac94a5899870505a72a69badbc5', 'PARENT_PROCESS_ID': 536, 'PROCESS_ID': 632, 'THIS_ATOM': '990b174edf869fdf7e114b4269badbc5', 'THREADS': 46, 'TIMESTAMP': 1773853637298, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}}, 'routing': {'arch': 2, 'did': '', 'event_id': '1c81529f-6772-4fe5-911c-df5b15b3224e', 'event_time': 1773854512779, 'event_type': 'REMOTE_PROCESS_HANDLE', 'ext_ip': '67.60.122.240', 'hostname': 'df-labsdc01.dflabs.local', 'iid': '47501359-645e-4049-906e-e6195da7afcf', 'int_ip': '192.168.45.129', 'latency': 335, 'moduleid': 2, 'oid': 'ad19afae-3759-4207-b06e-8648b225c455', 'parent': 'fc5d0530662c070c4e8dbb9b69badbc5', 'plat': 268435456, 'sid': 'e4a1c62d-4d1f-4472-bae4-43291246b4d4', 'tags': ['domain-controller', 'fusion-soc-pulled', 'fusion-soc-triage', 'fusion-soc-case'], 'target': '990b174edf869fdf7e114b4269badbc5', 'this': 'e292ebe1a87f87ff044e17ef69badf30'}}]
IOCs:
C:\Windows\system32\lsass.exe
bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f
C:\Windows\System32\wininit.exe
13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649
MITRE:
T1003
Analyst Declaration:
๐ Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "Sensitive Process Accessed",
"detect": {
"event": {
"EVENTS": [
{
"event": {
"BASE_ADDRESS": 140695720558592,
"COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
"CREATION_TIME": 1773849971454,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
"HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"MEMORY_USAGE": 75264000,
"PARENT": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe",
"HASH": "13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649",
"MEMORY_USAGE": 6987776,
"PARENT_PROCESS_ID": 420,
"PROCESS_ID": 536,
"THIS_ATOM": "5aac4ac94a5899870505a72a69badbc5",
"THREADS": 5,
"TIMESTAMP": 1773853637283,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 536,
"PROCESS_ID": 632,
"THREADS": 46,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "b0e4f956-4bcc-47a4-a01c-0f1742dfc2f2",
"event_time": 1773853637298,
"event_type": "EXISTING_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 875816,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "5aac4ac94a5899870505a72a69badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case"
],
"this": "990b174edf869fdf7e114b4269badbc5"
}
},
{
"event": {
"ACCESS_FLAGS": 1052689,
"PARENT_PROCESS_ID": 3324,
"PROCESS_ID": 632,
"SOURCE": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe",
"HASH": "4d4f913d46f799582eac75707424f84ce7107e96cac55ddd454f4e554fdd24b1",
"MEMORY_USAGE": 65019904,
"PARENT_ATOM": "5121f09ae4602c114b78252569badbc5",
"PARENT_PROCESS_ID": 608,
"PROCESS_ID": 3324,
"THIS_ATOM": "fc5d0530662c070c4e8dbb9b69badbc5",
"THREADS": 101,
"TIMESTAMP": 1773853637475,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"TARGET": {
"BASE_ADDRESS": 140695720558592,
"COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
"CREATION_TIME": 1773849971454,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
"HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"MEMORY_USAGE": 75264000,
"PARENT_ATOM": "5aac4ac94a5899870505a72a69badbc5",
"PARENT_PROCESS_ID": 536,
"PROCESS_ID": 632,
"THIS_ATOM": "990b174edf869fdf7e114b4269badbc5",
"THREADS": 46,
"TIMESTAMP": 1773853637298,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
}
},
"routing": {
"arch": 2,
"did": "",
"event_id": "1c81529f-6772-4fe5-911c-df5b15b3224e",
"event_time": 1773854512779,
"event_type": "REMOTE_PROCESS_HANDLE",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 335,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "fc5d0530662c070c4e8dbb9b69badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "e292ebe1a87f87ff044e17ef69badf30"
}
}
]
},
"routing": {
"arch": 2,
"did": "",
"event_id": "53313ce6-d4bc-4e3b-aa2a-ed46325faadd",
"event_time": 1773854512810,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 304,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "fc5d0530662c070c4e8dbb9b69badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "cbe90c97c860344b24efd21a69badf30"
}
},
"detect_id": "223b1948-cf85-4a4a-959a-451569badf31",
"gen_time": 1773854513259,
"link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1773854512\u0026selected=cbe90c97c860344b24efd21a69badf30",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "53313ce6-d4bc-4e3b-aa2a-ed46325faadd",
"event_time": 1773854512810,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 304,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "fc5d0530662c070c4e8dbb9b69badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "cbe90c97c860344b24efd21a69badf30"
},
"source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
"source_rule": "general.Sensitive Process Accessed",
"ts": 1773854515000
}
๐ค Triage JSON
{
"confidence": 0.96,
"false_positive_reason": "Legitimate system process behavior",
"investigation_questions": [
"Is there any evidence of unauthorized memory reading tools (e.g., Mimikatz) being executed on the host?"
],
"ioc_analysis": "The process C:\\Windows\\system32\\lsass.exe is a known Windows system binary. Both lsass.exe and its parent wininit.exe are located in the correct System32 directory and are reported as signed, indicating they are legitimate Microsoft binaries.",
"iocs_extracted": [
"C:\\Windows\\system32\\lsass.exe",
"bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"C:\\Windows\\System32\\wininit.exe",
"13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649"
],
"mitre_techniques": [
"T1003"
],
"recommended_actions": [
"Manual analyst review required \u2014 AI models (majority)",
"No action required.",
"Consider tuning the rule to exclude baseline system process interactions with lsass.exe."
],
"risk_score": 8,
"severity": "high",
"summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.98\nThe detection triggered on a sensitive process access event involving lsass.exe. Analysis confirms that lsass.exe is running from its legitimate system directory, is properly signed, and was spawned by wininit.exe, which is the expected behavior for a Windows system boot.\n\n**IOC Analysis:** The process C:\\Windows\\system32\\lsass.exe is a known Windows system binary. Both lsass.exe and its parent wininit.exe are located in the correct System32 directory and are reported as signed, indicating they are legitimate Microsoft binaries.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flagged lsass.exe access, but the process is a known Microsoft-signed system binary running from its expected location in System32 under SYSTEM user context. Historical analyst feedback consistently marks similar events as false positives.\n\n**IOC Analysis:** lsass.exe is a legitimate Windows system process responsible for security authentication and Kerberos services. The file path matches the expected location (C:\\Windows\\system32\\), the binary is signed, and it is running under NT AUTHORITY\\SYSTEM with wininit.exe as parent, which is normal boot behavior.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** benign | **Confidence:** 0.95\nThe detection event involves access to lsass.exe, a legitimate Windows system binary located in C:\\Windows\\System32. It is signed and part of normal system operations, indicating no malicious activity.\n\n**IOC Analysis:** The FILE_PATH is a known legitimate Windows binary in the expected directory (C:\\Windows\\System32). The hash matches a Microsoft-signed binary, and the process is running with SYSTEM privileges, which is typical for system binaries. The parent process, wininit.exe, is also a legitimate system binary, confirming the context is benign.",
"verdict": "false_positive",
"voting": {
"auto_action": "manual_review",
"mode": "majority",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (informational, 98% confidence)",
"qwen3.5:4b: false_positive (informational, 95% confidence)",
"deepseek-r1:8b: benign (informational, 95% confidence)"
],
"votes": [
{
"confidence": 0.98,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "deepseek-r1:8b",
"verdict": "benign"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
โ๏ธ Response Actions
| Action | Target | Status | Result | |
|---|---|---|---|---|
| tag | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | Process Tree Investigation: 0 events found |
๐ Add Note
๐ฌ Notes (4)
๐ค FusionSOC AI
2026-03-18T17:32
๐ค FusionSOC AI
2026-03-18T17:32
๐ค FusionSOC AI
2026-03-18T17:32
๐ค FusionSOC AI
2026-03-18T17:32
๐ Timeline
2026-03-18T18:26:06
analyst
Status changed: triaging โ closed
2026-03-18T18:26:00
analyst
Analyst classified as False Positive (FP)
2026-03-18T17:32:01
FusionSOC
Action recommended โ executed: Process Tree Investigation: 0 events found
2026-03-18T17:32:01
FusionSOC AI
Note by FusionSOC AI: ## ๐ Process Tree Investigation **Action:** Consider tuning the rule to exclude baseline system process interactions wit...
2026-03-18T17:32:00
FusionSOC
Response action queued: recommended on Consider tuning the rule to exclude baseline system process interactions with lsass.exe.
2026-03-18T17:32:00
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-18T17:32:00
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** No action required. **Sensor:** `e4a1c62d-4d1f-44...` **Time Window:** +/- 2 min...
2026-03-18T17:32:00
FusionSOC
Response action queued: recommended on No action required.
2026-03-18T17:32:00
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-18T17:32:00
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Manual analyst review required โ AI models (majority) **Sensor:** `e4a1c62d-4d1f...
2026-03-18T17:32:00
FusionSOC
Response action queued: recommended on Manual analyst review required โ AI models (majority)
2026-03-18T17:32:00
FusionSOC
Action tag โ failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T17:32:00
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T17:32:00
FusionSOC AI
Detection 223b1948-cf85-4a4a-959a-451569badf31 triaged as false_positive (high severity, confidence: 96%)
2026-03-18T17:32:00
FusionSOC AI
Case created from detection: general.Sensitive Process Accessed