โ
Case #389
general.Sensitive Process Accessed
๐ท๏ธ Analyst Verdict Classification
FP by analyst๐ค AI Analysis
๐ Detections (1)
Sensitive Process Accessed
low
Rule: general.Sensitive Process Accessed
Hostname: df-labsdc01.dflabs.local ยท Sensor: e4a1c62d-4d1f-44...
Event Type: SENSITIVE_PROCESS_ACCESS
Confidence: 94% ยท Verdict: false positive
Event Data:
EVENTS:
[{'event': {'BASE_ADDRESS': 140695720558592, 'COMMAND_LINE': 'C:\\Windows\\system32\\lsass.exe', 'CREATION_TIME': 1773849971454, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\system32\\lsass.exe', 'HASH': 'bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f', 'MEMORY_USAGE': 75264000, 'PARENT': {'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe', 'HASH': '13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649', 'MEMORY_USAGE': 6987776, 'PARENT_PROCESS_ID': 420, 'PROCESS_ID': 536, 'THIS_ATOM': '5aac4ac94a5899870505a72a69badbc5', 'THREADS': 5, 'TIMESTAMP': 1773853637283, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'PARENT_PROCESS_ID': 536, 'PROCESS_ID': 632, 'THREADS': 46, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'routing': {'arch': 2, 'did': '', 'event_id': '44b1edd3-99aa-4050-bdb1-1da968655972', 'event_time': 1773853637298, 'event_type': 'EXISTING_PROCESS', 'ext_ip': '67.60.122.240', 'hostname': 'df-labsdc01.dflabs.local', 'iid': '47501359-645e-4049-906e-e6195da7afcf', 'int_ip': '192.168.45.129', 'latency': 1571256, 'moduleid': 2, 'oid': 'ad19afae-3759-4207-b06e-8648b225c455', 'parent': '5aac4ac94a5899870505a72a69badbc5', 'plat': 268435456, 'sid': 'e4a1c62d-4d1f-4472-bae4-43291246b4d4', 'tags': ['domain-controller', 'fusion-soc-pulled', 'fusion-soc-triage', 'fusion-soc-case', 'fusion-soc-alert'], 'this': '990b174edf869fdf7e114b4269badbc5'}}, {'event': {'ACCESS_FLAGS': 5136, 'PARENT_PROCESS_ID': 3324, 'PROCESS_ID': 632, 'SOURCE': {'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe', 'HASH': '4d4f913d46f799582eac75707424f84ce7107e96cac55ddd454f4e554fdd24b1', 'MEMORY_USAGE': 65019904, 'PARENT_ATOM': '5121f09ae4602c114b78252569badbc5', 'PARENT_PROCESS_ID': 608, 'PROCESS_ID': 3324, 'THIS_ATOM': 'fc5d0530662c070c4e8dbb9b69badbc5', 'THREADS': 101, 'TIMESTAMP': 1773853637475, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'TARGET': {'BASE_ADDRESS': 140695720558592, 'COMMAND_LINE': 'C:\\Windows\\system32\\lsass.exe', 'CREATION_TIME': 1773849971454, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\system32\\lsass.exe', 'HASH': 'bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f', 'MEMORY_USAGE': 75264000, 'PARENT_ATOM': '5aac4ac94a5899870505a72a69badbc5', 'PARENT_PROCESS_ID': 536, 'PROCESS_ID': 632, 'THIS_ATOM': '990b174edf869fdf7e114b4269badbc5', 'THREADS': 46, 'TIMESTAMP': 1773853637298, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}}, 'routing': {'arch': 2, 'did': '', 'event_id': 'a371bcb5-1834-43cb-ab50-8d1cfeaf49d0', 'event_time': 1773855208227, 'event_type': 'REMOTE_PROCESS_HANDLE', 'ext_ip': '67.60.122.240', 'hostname': 'df-labsdc01.dflabs.local', 'iid': '47501359-645e-4049-906e-e6195da7afcf', 'int_ip': '192.168.45.129', 'latency': 327, 'moduleid': 2, 'oid': 'ad19afae-3759-4207-b06e-8648b225c455', 'parent': 'fc5d0530662c070c4e8dbb9b69badbc5', 'plat': 268435456, 'sid': 'e4a1c62d-4d1f-4472-bae4-43291246b4d4', 'tags': ['domain-controller', 'fusion-soc-pulled', 'fusion-soc-triage', 'fusion-soc-case', 'fusion-soc-alert'], 'target': '990b174edf869fdf7e114b4269badbc5', 'this': '557430f92e988b2146c1535869bae1e8'}}]
IOCs:
C:\Windows\system32\lsass.exe
bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f
13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649
MITRE:
T1003.001
Analyst Declaration:
๐ Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "Sensitive Process Accessed",
"detect": {
"event": {
"EVENTS": [
{
"event": {
"BASE_ADDRESS": 140695720558592,
"COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
"CREATION_TIME": 1773849971454,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
"HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"MEMORY_USAGE": 75264000,
"PARENT": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe",
"HASH": "13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649",
"MEMORY_USAGE": 6987776,
"PARENT_PROCESS_ID": 420,
"PROCESS_ID": 536,
"THIS_ATOM": "5aac4ac94a5899870505a72a69badbc5",
"THREADS": 5,
"TIMESTAMP": 1773853637283,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 536,
"PROCESS_ID": 632,
"THREADS": 46,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "44b1edd3-99aa-4050-bdb1-1da968655972",
"event_time": 1773853637298,
"event_type": "EXISTING_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 1571256,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "5aac4ac94a5899870505a72a69badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case",
"fusion-soc-alert"
],
"this": "990b174edf869fdf7e114b4269badbc5"
}
},
{
"event": {
"ACCESS_FLAGS": 5136,
"PARENT_PROCESS_ID": 3324,
"PROCESS_ID": 632,
"SOURCE": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe",
"HASH": "4d4f913d46f799582eac75707424f84ce7107e96cac55ddd454f4e554fdd24b1",
"MEMORY_USAGE": 65019904,
"PARENT_ATOM": "5121f09ae4602c114b78252569badbc5",
"PARENT_PROCESS_ID": 608,
"PROCESS_ID": 3324,
"THIS_ATOM": "fc5d0530662c070c4e8dbb9b69badbc5",
"THREADS": 101,
"TIMESTAMP": 1773853637475,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"TARGET": {
"BASE_ADDRESS": 140695720558592,
"COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
"CREATION_TIME": 1773849971454,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
"HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"MEMORY_USAGE": 75264000,
"PARENT_ATOM": "5aac4ac94a5899870505a72a69badbc5",
"PARENT_PROCESS_ID": 536,
"PROCESS_ID": 632,
"THIS_ATOM": "990b174edf869fdf7e114b4269badbc5",
"THREADS": 46,
"TIMESTAMP": 1773853637298,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
}
},
"routing": {
"arch": 2,
"did": "",
"event_id": "a371bcb5-1834-43cb-ab50-8d1cfeaf49d0",
"event_time": 1773855208227,
"event_type": "REMOTE_PROCESS_HANDLE",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 327,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "fc5d0530662c070c4e8dbb9b69badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case",
"fusion-soc-alert"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "557430f92e988b2146c1535869bae1e8"
}
}
]
},
"routing": {
"arch": 2,
"did": "",
"event_id": "2a0ab78a-c7d2-4a11-b4bf-f2507f57fd78",
"event_time": 1773855208457,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 97,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "fc5d0530662c070c4e8dbb9b69badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case",
"fusion-soc-alert"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "1d3eef95cbb6b7a2f33d5c3769bae1e8"
}
},
"detect_id": "fef8c14f-65b7-4c10-b1b3-ec7369bae1e8",
"gen_time": 1773855208554,
"link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1773855208\u0026selected=1d3eef95cbb6b7a2f33d5c3769bae1e8",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "2a0ab78a-c7d2-4a11-b4bf-f2507f57fd78",
"event_time": 1773855208457,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 97,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "fc5d0530662c070c4e8dbb9b69badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case",
"fusion-soc-alert"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "1d3eef95cbb6b7a2f33d5c3769bae1e8"
},
"source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
"source_rule": "general.Sensitive Process Accessed",
"ts": 1773855208000
}
๐ค Triage JSON
{
"confidence": 0.943,
"false_positive_reason": "Legitimate system process initialization or security software scanning.",
"investigation_questions": [
"Which process initiated the handle request to LSASS?",
"Are there any other suspicious events occurring on this host around the same timestamp?"
],
"ioc_analysis": "The file path C:\\Windows\\system32\\lsass.exe is the standard location for the Local Security Authority Subsystem Service. The hash bbc83e47... corresponds to a known-good Microsoft-signed binary, and its parent wininit.exe is also a legitimate system component.",
"iocs_extracted": [
"C:\\Windows\\system32\\lsass.exe",
"bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649"
],
"mitre_techniques": [
"T1003.001"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Close the alert as a false positive.",
"Whitelisting legitimate system accessors (e.g., antivirus or management agents) to reduce noise."
],
"risk_score": 7,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.98\nThe detection identifies access to the sensitive LSASS process. However, the telemetry shows lsass.exe running from its legitimate system path, correctly signed by Microsoft, and spawned by its standard parent process, wininit.exe. Historical analyst feedback for this rule consistently indicates a high false positive rate.\n\n**IOC Analysis:** The file path C:\\Windows\\system32\\lsass.exe is the standard location for the Local Security Authority Subsystem Service. The hash bbc83e47... corresponds to a known-good Microsoft-signed binary, and its parent wininit.exe is also a legitimate system component.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because lsass.exe is a legitimate Windows system binary running from its expected location in System32 with a valid Microsoft signature.\n\n**IOC Analysis:** The process lsass.exe is located at C:\\Windows\\system32\\lsass.exe, which is the standard path for this critical Windows component. The file hash matches known Microsoft binaries and the process is signed. It was spawned by wininit.exe (also legitimate) under SYSTEM privileges, which is normal boot behavior.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves access to a legitimate Windows system binary, lsass.exe, which is commonly executed by system processes under the NT AUTHORITY\\SYSTEM account. This is a standard system process and not indicative of malicious activity.\n\n**IOC Analysis:** The FILE_PATH \u0027C:\\Windows\\system32\\lsass.exe\u0027 is located in a known-good Windows system directory, and the FILE_IS_SIGNED field indicates it is a Microsoft-signed binary. The process is spawned by wininit.exe, another legitimate system process, confirming benign behavior.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 98% confidence)",
"qwen3.5:4b: false_positive (informational, 95% confidence)",
"deepseek-r1:8b: false_positive (informational, 90% confidence)"
],
"votes": [
{
"confidence": 0.98,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
โ๏ธ Response Actions
| Action | Target | Status | Result | |
|---|---|---|---|---|
| tag | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | Process Tree Investigation: 3 events found | ||
| tag | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found |
๐ Add Note
๐ฌ Notes (7)
๐ค FusionSOC AI
2026-03-18T18:18
๐ค FusionSOC AI
2026-03-18T18:18
๐ค FusionSOC AI
2026-03-18T18:18
๐ค FusionSOC AI
2026-03-18T18:08
๐ค FusionSOC AI
2026-03-18T18:08
๐ค FusionSOC AI
2026-03-18T18:08
๐ค FusionSOC AI
2026-03-18T18:08
๐ Timeline
2026-03-18T18:26:06
analyst
Status changed: triaging โ closed
2026-03-18T18:26:00
analyst
Analyst classified as False Positive (FP)
2026-03-18T18:18:07
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-18T18:18:07
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Whitelisting legitimate system accessors (e.g., antivirus or management agents) ...
2026-03-18T18:18:07
FusionSOC
Response action queued: recommended on Whitelisting legitimate system accessors (e.g., antivirus or management agents) to reduce noise.
2026-03-18T18:18:07
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-18T18:18:07
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close the alert as a false positive. **Sensor:** `e4a1c62d-4d1f-44...` **Time Wi...
2026-03-18T18:18:07
FusionSOC
Response action queued: recommended on Close the alert as a false positive.
2026-03-18T18:18:07
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-18T18:18:07
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T18:18:07
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T18:18:07
FusionSOC
Action tag โ failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T18:18:07
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T18:08:50
FusionSOC
Action recommended โ executed: Process Tree Investigation: 3 events found
2026-03-18T18:08:50
FusionSOC AI
Note by FusionSOC AI: ## ๐ Process Tree Investigation **Action:** Verify if the detection rule 'general.Sensitive Process Accessed' can be tun...
2026-03-18T18:08:49
FusionSOC
Response action queued: recommended on Verify if the detection rule 'general.Sensitive Process Accessed' can be tuned to exclude standard system initialization sequences
2026-03-18T18:08:49
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-18T18:08:49
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close as False Positive **Sensor:** `e4a1c62d-4d1f-44...` **Time Window:** +/- 2...
2026-03-18T18:08:49
FusionSOC
Response action queued: recommended on Close as False Positive
2026-03-18T18:08:49
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-18T18:08:49
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T18:08:49
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T18:08:49
FusionSOC
Action tag โ failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T18:08:49
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T18:08:48
FusionSOC AI
Detection fef8c14f-65b7-4c10-b1b3-ec7369bae1e8 triaged as false_positive (low severity, confidence: 94%)
2026-03-18T18:08:48
FusionSOC AI
Case created from detection: general.Sensitive Process Accessed