Case #388
general.Sensitive Process Accessed
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
Sensitive Process Accessed
low
Rule: general.Sensitive Process Accessed
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: SENSITIVE_PROCESS_ACCESS
Confidence: 95% · Verdict: false positive
Event Data:
EVENTS:
[{'event': {'BASE_ADDRESS': 140695720558592, 'COMMAND_LINE': 'C:\\Windows\\system32\\lsass.exe', 'CREATION_TIME': 1773849971454, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\system32\\lsass.exe', 'HASH': 'bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f', 'MEMORY_USAGE': 75264000, 'PARENT': {'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe', 'HASH': '13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649', 'MEMORY_USAGE': 6987776, 'PARENT_PROCESS_ID': 420, 'PROCESS_ID': 536, 'THIS_ATOM': '5aac4ac94a5899870505a72a69badbc5', 'THREADS': 5, 'TIMESTAMP': 1773853637283, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'PARENT_PROCESS_ID': 536, 'PROCESS_ID': 632, 'THREADS': 46, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'routing': {'arch': 2, 'did': '', 'event_id': '1510be9a-858b-4745-9032-2f7f9792d1a9', 'event_time': 1773853637298, 'event_type': 'EXISTING_PROCESS', 'ext_ip': '67.60.122.240', 'hostname': 'df-labsdc01.dflabs.local', 'iid': '47501359-645e-4049-906e-e6195da7afcf', 'int_ip': '192.168.45.129', 'latency': 1709772, 'moduleid': 2, 'oid': 'ad19afae-3759-4207-b06e-8648b225c455', 'parent': '5aac4ac94a5899870505a72a69badbc5', 'plat': 268435456, 'sid': 'e4a1c62d-4d1f-4472-bae4-43291246b4d4', 'tags': ['domain-controller', 'fusion-soc-pulled', 'fusion-soc-triage', 'fusion-soc-case', 'fusion-soc-alert'], 'this': '990b174edf869fdf7e114b4269badbc5'}}, {'event': {'ACCESS_FLAGS': 5136, 'PARENT_PROCESS_ID': 3324, 'PROCESS_ID': 632, 'SOURCE': {'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe', 'HASH': '4d4f913d46f799582eac75707424f84ce7107e96cac55ddd454f4e554fdd24b1', 'MEMORY_USAGE': 65019904, 'PARENT_ATOM': '5121f09ae4602c114b78252569badbc5', 'PARENT_PROCESS_ID': 608, 'PROCESS_ID': 3324, 'THIS_ATOM': 'fc5d0530662c070c4e8dbb9b69badbc5', 'THREADS': 101, 'TIMESTAMP': 1773853637475, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'TARGET': {'BASE_ADDRESS': 140695720558592, 'COMMAND_LINE': 'C:\\Windows\\system32\\lsass.exe', 'CREATION_TIME': 1773849971454, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\system32\\lsass.exe', 'HASH': 'bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f', 'MEMORY_USAGE': 75264000, 'PARENT_ATOM': '5aac4ac94a5899870505a72a69badbc5', 'PARENT_PROCESS_ID': 536, 'PROCESS_ID': 632, 'THIS_ATOM': '990b174edf869fdf7e114b4269badbc5', 'THREADS': 46, 'TIMESTAMP': 1773853637298, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}}, 'routing': {'arch': 2, 'did': '', 'event_id': 'b71a9771-061b-4f09-9f05-ab7fcd7a0ab8', 'event_time': 1773855341194, 'event_type': 'REMOTE_PROCESS_HANDLE', 'ext_ip': '67.60.122.240', 'hostname': 'df-labsdc01.dflabs.local', 'iid': '47501359-645e-4049-906e-e6195da7afcf', 'int_ip': '192.168.45.129', 'latency': 5876, 'moduleid': 2, 'oid': 'ad19afae-3759-4207-b06e-8648b225c455', 'parent': 'fc5d0530662c070c4e8dbb9b69badbc5', 'plat': 268435456, 'sid': 'e4a1c62d-4d1f-4472-bae4-43291246b4d4', 'tags': ['domain-controller', 'fusion-soc-pulled', 'fusion-soc-triage', 'fusion-soc-case', 'fusion-soc-alert'], 'target': '990b174edf869fdf7e114b4269badbc5', 'this': '8e3645060e6b19e02def810869bae26e'}}]
IOCs:
C:\Windows\system32\lsass.exe
bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f
13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649
MITRE:
T1003.001
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "Sensitive Process Accessed",
"detect": {
"event": {
"EVENTS": [
{
"event": {
"BASE_ADDRESS": 140695720558592,
"COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
"CREATION_TIME": 1773849971454,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
"HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"MEMORY_USAGE": 75264000,
"PARENT": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe",
"HASH": "13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649",
"MEMORY_USAGE": 6987776,
"PARENT_PROCESS_ID": 420,
"PROCESS_ID": 536,
"THIS_ATOM": "5aac4ac94a5899870505a72a69badbc5",
"THREADS": 5,
"TIMESTAMP": 1773853637283,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 536,
"PROCESS_ID": 632,
"THREADS": 46,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "1510be9a-858b-4745-9032-2f7f9792d1a9",
"event_time": 1773853637298,
"event_type": "EXISTING_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 1709772,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "5aac4ac94a5899870505a72a69badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case",
"fusion-soc-alert"
],
"this": "990b174edf869fdf7e114b4269badbc5"
}
},
{
"event": {
"ACCESS_FLAGS": 5136,
"PARENT_PROCESS_ID": 3324,
"PROCESS_ID": 632,
"SOURCE": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe",
"HASH": "4d4f913d46f799582eac75707424f84ce7107e96cac55ddd454f4e554fdd24b1",
"MEMORY_USAGE": 65019904,
"PARENT_ATOM": "5121f09ae4602c114b78252569badbc5",
"PARENT_PROCESS_ID": 608,
"PROCESS_ID": 3324,
"THIS_ATOM": "fc5d0530662c070c4e8dbb9b69badbc5",
"THREADS": 101,
"TIMESTAMP": 1773853637475,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"TARGET": {
"BASE_ADDRESS": 140695720558592,
"COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
"CREATION_TIME": 1773849971454,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
"HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"MEMORY_USAGE": 75264000,
"PARENT_ATOM": "5aac4ac94a5899870505a72a69badbc5",
"PARENT_PROCESS_ID": 536,
"PROCESS_ID": 632,
"THIS_ATOM": "990b174edf869fdf7e114b4269badbc5",
"THREADS": 46,
"TIMESTAMP": 1773853637298,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
}
},
"routing": {
"arch": 2,
"did": "",
"event_id": "b71a9771-061b-4f09-9f05-ab7fcd7a0ab8",
"event_time": 1773855341194,
"event_type": "REMOTE_PROCESS_HANDLE",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 5876,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "fc5d0530662c070c4e8dbb9b69badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case",
"fusion-soc-alert"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "8e3645060e6b19e02def810869bae26e"
}
}
]
},
"routing": {
"arch": 2,
"did": "",
"event_id": "3213f575-f3a8-490f-92f0-c98547028a93",
"event_time": 1773855342183,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 4887,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "fc5d0530662c070c4e8dbb9b69badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case",
"fusion-soc-alert"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "27d77511768f6401fdf11f7e69bae26e"
}
},
"detect_id": "c0635d95-61fd-4ed6-8212-762b69bae273",
"gen_time": 1773855347132,
"link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1773855342\u0026selected=27d77511768f6401fdf11f7e69bae26e",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "3213f575-f3a8-490f-92f0-c98547028a93",
"event_time": 1773855342183,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 4887,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "fc5d0530662c070c4e8dbb9b69badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case",
"fusion-soc-alert"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "27d77511768f6401fdf11f7e69bae26e"
},
"source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
"source_rule": "general.Sensitive Process Accessed",
"ts": 1773855347000
}
Triage JSON
{
"confidence": 0.95,
"false_positive_reason": "Legitimate system process activity",
"investigation_questions": [
"Which process was the source of the access request (accessor)?",
"Were there any concurrent suspicious activities such as unusual network connections or file writes?"
],
"ioc_analysis": "The process C:\\Windows\\system32\\lsass.exe is a critical Windows system binary. It is digitally signed, located in its expected path, and was started by the correct system parent (wininit.exe). The hash provided is consistent with known-good Microsoft binaries.",
"iocs_extracted": [
"C:\\Windows\\system32\\lsass.exe",
"bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649"
],
"mitre_techniques": [
"T1003.001"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"No action required.",
"Monitor for any unauthorized processes attempting to obtain a handle to LSASS with high-privilege access masks."
],
"risk_score": 10,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detection flagged access to the LSASS process, a common target for credential dumping. However, the event data describes the legitimate Windows LSASS process residing in the correct directory (System32), spawned by the expected wininit.exe parent process, and running under the SYSTEM account.\n\n**IOC Analysis:** The process C:\\Windows\\system32\\lsass.exe is a critical Windows system binary. It is digitally signed, located in its expected path, and was started by the correct system parent (wininit.exe). The hash provided is consistent with known-good Microsoft binaries.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because lsass.exe is a legitimate Windows system binary running from its expected location in System32 with a valid Microsoft signature.\n\n**IOC Analysis:** The process lsass.exe is located at C:\\Windows\\system32\\lsass.exe, which is the standard and expected path for this critical Windows system binary. The file hash matches known legitimate binaries, and it is signed by Microsoft. The parent process wininit.exe is also a legitimate system process running under NT AUTHORITY\\SYSTEM.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves access to lsass.exe, a legitimate Windows system process located in C:\\Windows\\System32. Given its signed status and expected directory, it is likely a false positive for this rule.\n\n**IOC Analysis:** The FILE_PATH is C:\\Windows\\system32\\lsass.exe, which is a known legitimate system binary. The hash matches a Microsoft-signed version, and it is running from the expected directory, confirming it is benign. The parent process is wininit.exe, another legitimate system binary.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 100% confidence)",
"qwen3.5:4b: false_positive (informational, 95% confidence)",
"deepseek-r1:8b: false_positive (informational, 90% confidence)"
],
"votes": [
{
"confidence": 1.0,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Process Tree Investigation: 5 events found |
| tag | | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Process Tree Investigation: 5 events found |
Notes (7)
FusionSOC AI
2026-03-18T18:18
FusionSOC AI
2026-03-18T18:18
FusionSOC AI
2026-03-18T18:18
FusionSOC AI
2026-03-18T18:08
FusionSOC AI
2026-03-18T18:08
FusionSOC AI
2026-03-18T18:08
FusionSOC AI
2026-03-18T18:08
Timeline
2026-03-18T18:26:06
analyst
Status changed: triaging → closed
2026-03-18T18:26:00
analyst
Analyst classified as False Positive (FP)
2026-03-18T18:18:50
FusionSOC
Action recommended → executed: Process Tree Investigation: 5 events found
2026-03-18T18:18:50
FusionSOC AI
Note by FusionSOC AI: ## Process Tree Investigation **Action:** Monitor for any unauthorized processes attempting to obtain a handle to LSAS...
2026-03-18T18:18:49
FusionSOC
Response action queued: recommended on Monitor for any unauthorized processes attempting to obtain a handle to LSASS with high-privilege access masks.
2026-03-18T18:18:49
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:18:49
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** No action required. **Sensor:** `e4a1c62d-4d1f-44...` **Time Window:** +/- 2 min...
2026-03-18T18:18:49
FusionSOC
Response action queued: recommended on No action required.
2026-03-18T18:18:49
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:18:49
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T18:18:48
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T18:18:48
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T18:18:48
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T18:08:03
FusionSOC
Action recommended → executed: Process Tree Investigation: 5 events found
2026-03-18T18:08:03
FusionSOC AI
Note by FusionSOC AI: ## Process Tree Investigation **Action:** Review detection rule logic to exclude standard system process relationships...
2026-03-18T18:08:02
FusionSOC
Response action queued: recommended on Review detection rule logic to exclude standard system process relationships between wininit.exe and lsass.exe.
2026-03-18T18:08:01
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:08:01
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close this alert as a False Positive. **Sensor:** `e4a1c62d-4d1f-44...` **Time W...
2026-03-18T18:08:01
FusionSOC
Response action queued: recommended on Close this alert as a False Positive.
2026-03-18T18:08:01
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:08:01
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T18:08:01
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T18:08:01
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T18:08:01
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T18:08:01
FusionSOC AI
Detection c0635d95-61fd-4ed6-8212-762b69bae273 triaged as false_positive (informational severity, confidence: 95%)
2026-03-18T18:08:01
FusionSOC AI
Case created from detection: general.Sensitive Process Accessed