Case #390
general.Sensitive Process Accessed
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
Sensitive Process Accessed
low
Rule: general.Sensitive Process Accessed
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: SENSITIVE_PROCESS_ACCESS
Confidence: 93% · Verdict: false positive
Event Data:
EVENTS (2; the full records are in the Raw Detection JSON below):
1. EXISTING_PROCESS (event_time 1773853637298): C:\Windows\system32\lsass.exe, PID 632, FILE_IS_SIGNED 1, HASH bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f, parent \Device\HarddiskVolume4\Windows\System32\wininit.exe (PID 536), user NT AUTHORITY\SYSTEM.
2. REMOTE_PROCESS_HANDLE (event_time 1773854271311): SOURCE \Device\HarddiskVolume4\ProgramData\Microsoft\Windows Defender\Platform\4.18.26010.5-0\MsMpEng.exe (PID 3476, parent PID 608, FILE_IS_SIGNED 1, HASH 73ebeae74752610c5c2c3e715c19701374e4e6f84fbb1def0625f7d1e9419442, user NT AUTHORITY\SYSTEM) opened a handle to TARGET C:\Windows\system32\lsass.exe (PID 632) with ACCESS_FLAGS 4112 (0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION). The source of this handle is what the rule is about; the target is the same lsass.exe in every firing of it.
IOCs:
bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f
C:\Windows\system32\lsass.exe
MITRE:
T1003.001
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "Sensitive Process Accessed",
"detect": {
"event": {
"EVENTS": [
{
"event": {
"BASE_ADDRESS": 140695720558592,
"COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
"CREATION_TIME": 1773849971454,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
"HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"MEMORY_USAGE": 75264000,
"PARENT": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe",
"HASH": "13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649",
"MEMORY_USAGE": 6987776,
"PARENT_PROCESS_ID": 420,
"PROCESS_ID": 536,
"THIS_ATOM": "5aac4ac94a5899870505a72a69badbc5",
"THREADS": 5,
"TIMESTAMP": 1773853637283,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 536,
"PROCESS_ID": 632,
"THREADS": 46,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "ef47fa07-4144-4b1a-8326-3261faab6e7f",
"event_time": 1773853637298,
"event_type": "EXISTING_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 668396,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "5aac4ac94a5899870505a72a69badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case"
],
"this": "990b174edf869fdf7e114b4269badbc5"
}
},
{
"event": {
"ACCESS_FLAGS": 4112,
"PARENT_PROCESS_ID": 3476,
"PROCESS_ID": 632,
"SOURCE": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26010.5-0\\MsMpEng.exe",
"HASH": "73ebeae74752610c5c2c3e715c19701374e4e6f84fbb1def0625f7d1e9419442",
"MEMORY_USAGE": 314720256,
"PARENT_ATOM": "5121f09ae4602c114b78252569badbc5",
"PARENT_PROCESS_ID": 608,
"PROCESS_ID": 3476,
"THIS_ATOM": "06a0044e31c3b233ea37517869badbc7",
"THREADS": 36,
"TIMESTAMP": 1773853639789,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"TARGET": {
"BASE_ADDRESS": 140695720558592,
"COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
"CREATION_TIME": 1773849971454,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
"HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"MEMORY_USAGE": 75264000,
"PARENT_ATOM": "5aac4ac94a5899870505a72a69badbc5",
"PARENT_PROCESS_ID": 536,
"PROCESS_ID": 632,
"THIS_ATOM": "990b174edf869fdf7e114b4269badbc5",
"THREADS": 46,
"TIMESTAMP": 1773853637298,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
}
},
"routing": {
"arch": 2,
"did": "",
"event_id": "26307d1a-b43a-461a-8298-8a0721279f04",
"event_time": 1773854271311,
"event_type": "REMOTE_PROCESS_HANDLE",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 34383,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "06a0044e31c3b233ea37517869badbc7",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "3b373dacd0b7a744afe7aab469bade3f"
}
}
]
},
"routing": {
"arch": 2,
"did": "",
"event_id": "bb5ced36-a5cb-4ac8-980e-8702f8556896",
"event_time": 1773854271862,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 33832,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "06a0044e31c3b233ea37517869badbc7",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "051b383381233ea6ea44d06269bade3f"
}
},
"detect_id": "bc2ceb10-ceae-4f2c-bb2f-578c69bade61",
"gen_time": 1773854305731,
"link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1773854271\u0026selected=051b383381233ea6ea44d06269bade3f",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "bb5ced36-a5cb-4ac8-980e-8702f8556896",
"event_time": 1773854271862,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 33832,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "06a0044e31c3b233ea37517869badbc7",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "051b383381233ea6ea44d06269bade3f"
},
"source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
"source_rule": "general.Sensitive Process Accessed",
"ts": 1773854308000
}
Triage JSON
{
"confidence": 0.933,
"false_positive_reason": "Legitimate system process behavior",
"investigation_questions": [
"What process initiated the access to LSASS?"
],
"ioc_analysis": "The file C:\\Windows\\system32\\lsass.exe with hash bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f is a known legitimate Windows binary. Its parent wininit.exe is also the expected and legitimate parent process for LSASS.",
"iocs_extracted": [
"bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"C:\\Windows\\system32\\lsass.exe"
],
"mitre_techniques": [
"T1003.001"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"No action required; mark as False Positive.",
"Consider tuning the rule to exclude legitimate system-level access to LSASS by signed Windows binaries."
],
"risk_score": 7,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flagged access to the LSASS process, but the event data describes a legitimate instance of lsass.exe running from the correct System32 directory, signed by Microsoft, and spawned by wininit.exe. This is standard Windows boot and operational behavior.\n\n**IOC Analysis:** The file C:\\Windows\\system32\\lsass.exe with hash bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f is a known legitimate Windows binary. Its parent wininit.exe is also the expected and legitimate parent process for LSASS.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because lsass.exe is a legitimate Windows system binary running from its expected location in System32 with a valid Microsoft signature.\n\n**IOC Analysis:** The process lsass.exe is located at C:\\Windows\\system32\\lsass.exe, which is the canonical path for this critical Windows component. The file hash matches known Microsoft binaries and the process is signed. It is running under NT AUTHORITY\\SYSTEM with wininit.exe as parent, which is normal boot behavior.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves access to lsass.exe, a legitimate Windows system binary located in C:\\Windows\\system32, which is expected and signed, indicating a false positive.\n\n**IOC Analysis:** The FILE_PATH is in C:\\Windows\\system32\\, a known-good location for system binaries. The FILE_IS_SIGNED field confirms it is a Microsoft-signed binary, and the hash matches a legitimate lsass.exe. These factors align with IOC validation rules for benign behavior.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 95% confidence)",
"qwen3.5:4b: false_positive (informational, 95% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
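The rule fires on the process that opened the handle, so the SOURCE side of the REMOTE_PROCESS_HANDLE event decides the verdict: here MsMpEng.exe, signed and running from the Defender platform directory, holding ACCESS_FLAGS 4112 (0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION) on lsass.exe. The three model analyses in the Triage JSON evaluate only the target (lsass.exe, its path, signature and wininit.exe parent), which every instance of this rule will satisfy. The Python below is an added example, not FusionSOC or LimaCharlie code: it decodes ACCESS_FLAGS, keys an allowlist on the source path, signature flag and a pinned hash, and auto-closes only when all three match, sending unpinned builds to review and everything else to escalation. The allowlist, the make_handle_detection helper and every sample except case 390's own values are constructed assumptions.

```python
"""Source-side triage of a LimaCharlie SENSITIVE_PROCESS_ACCESS detection.

Added example for this case page, not FusionSOC or LimaCharlie code. Field
names (ACCESS_FLAGS, SOURCE, TARGET, FILE_PATH, FILE_IS_SIGNED, HASH) are
those in the case's raw JSON; the allowlist, make_handle_detection and every
sample except case 390's own values are constructed.
"""
import re

# Process access rights from winnt.h. PROCESS_VM_READ is what a credential
# dumper needs on lsass.exe; the rest let the decoder name a whole mask.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}
# Rights that read or alter the target's memory (thread creation included).
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020

# Constructed allowlist (assumption), keyed on the SOURCE of the handle: the
# target of this rule is always lsass.exe and carries no signal. FILE_IS_SIGNED
# only says a signature exists and the event does not name the signer, so the
# known platform build is pinned by hash as well.
ALLOWED_SOURCES = [{
    "path": r"^(?:[A-Za-z]:|\\Device\\HarddiskVolume\d+)\\ProgramData\\Microsoft"
            r"\\Windows Defender\\Platform\\[\d.-]+\\MsMpEng\.exe$",
    "require_signed": True,
    "pinned_hashes": {
        "73ebeae74752610c5c2c3e715c19701374e4e6f84fbb1def0625f7d1e9419442"},
}]

def decode_access_mask(mask):
    """Name the rights set in a process access mask; unknown bits are kept."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names

def make_handle_detection(source_path, signed, sha256, access_flags):
    """Minimal detection in the shape of the case's raw JSON (our helper)."""
    return {"detect": {"event": {"EVENTS": [{
        "routing": {"event_type": "REMOTE_PROCESS_HANDLE"},
        "event": {"ACCESS_FLAGS": access_flags,
                  "SOURCE": {"FILE_PATH": source_path, "HASH": sha256,
                             "FILE_IS_SIGNED": int(signed)},
                  "TARGET": {"FILE_PATH": r"C:\Windows\system32\lsass.exe"}},
    }]}}}

def triage(detection, allowlist=ALLOWED_SOURCES):
    """Verdict for the handle event: benign (no memory right, or allowlisted
    path + signature + pinned hash), review (unpinned hash), else escalate."""
    handle = next(e["event"] for e in detection["detect"]["event"]["EVENTS"]
                  if e["routing"]["event_type"] == "REMOTE_PROCESS_HANDLE")
    src, mask = handle["SOURCE"], handle["ACCESS_FLAGS"]
    result = {"source": src["FILE_PATH"], "target": handle["TARGET"]["FILE_PATH"],
              "access_flags": f"0x{mask:x}", "rights": decode_access_mask(mask),
              "memory_access": bool(mask & MEMORY_RIGHTS)}
    if not result["memory_access"]:
        return dict(result, verdict="benign", reason="no memory read/write right")
    for entry in allowlist:
        if not re.match(entry["path"], src["FILE_PATH"], re.IGNORECASE):
            continue
        if entry["require_signed"] and src.get("FILE_IS_SIGNED") != 1:
            continue  # right path but unsigned: a lookalike, not an exception
        if src["HASH"].lower() in entry["pinned_hashes"]:
            return dict(result, verdict="benign", reason="allowlisted source")
        return dict(result, verdict="review", reason="unpinned hash for allowlisted path")
    return dict(result, verdict="escalate", reason="memory right on lsass.exe from unknown source")

# Case 390's own values, taken from the raw detection JSON on this page.
CASE_390 = make_handle_detection(
    r"\Device\HarddiskVolume4\ProgramData\Microsoft\Windows Defender"
    r"\Platform\4.18.26010.5-0\MsMpEng.exe", True,
    "73ebeae74752610c5c2c3e715c19701374e4e6f84fbb1def0625f7d1e9419442", 4112)

# Constructed samples (not from the page) that exercise the other outcomes.
SAMPLES = {
    "case_390": CASE_390,
    "temp_dumper": make_handle_detection(  # unsigned tool, PROCESS_ALL_ACCESS
        r"C:\Users\jdoe\AppData\Local\Temp\dump.exe", False, "00" * 32, 0x1FFFFF),
    "lookalike": make_handle_detection(    # Defender path, no signature
        r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26010.5-0\MsMpEng.exe",
        False, "11" * 32, 0x1010),
    "new_build": make_handle_detection(    # signed, right path, hash not yet pinned
        r"\Device\HarddiskVolume4\ProgramData\Microsoft\Windows Defender"
        r"\Platform\4.18.26099.9-0\MsMpEng.exe", True, "22" * 32, 0x1010),
    "query_only": make_handle_detection(   # QUERY_LIMITED_INFORMATION cannot read memory
        r"C:\Windows\System32\Taskmgr.exe", True, "33" * 32, 0x1000),
}

if __name__ == "__main__":
    for name, det in SAMPLES.items():
        r = triage(det)
        print(f"{name:<12}{r['verdict']:<9}{r['access_flags']:>9}  {', '.join(r['rights'])}  [{r['reason']}]")
```

Pinning by hash means the auto-close stops working when the Defender platform updates, which is the intended cost: the build lands in review once, gets pinned, and is benign thereafter. A blanket exclusion for "signed Windows binaries", as the third recommended action proposes, would also pass Microsoft-signed tooling such as Sysinternals ProcDump, so the exception has to be specific to the source path and build rather than to the signature flag.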
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found |
| recommended | Whitelist legitimate system process initialization for the 'Sensitive Process Accessed' rule to reduce noise | executed | Process Tree Investigation: 29 events found |
| recommended | Close this alert as a False Positive | executed | General Activity Sweep: 0 events found |
| tag | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found |
| recommended | No action required; mark as False Positive. | executed | General Activity Sweep: 0 events found |
| recommended | Consider tuning the rule to exclude legitimate system-level access to LSASS by signed Windows binaries. | executed | General Activity Sweep: 0 events found |
Notes (7)
FusionSOC AI, 2026-03-18T18:17
FusionSOC AI, 2026-03-18T18:17
FusionSOC AI, 2026-03-18T18:17
FusionSOC AI, 2026-03-18T18:09
FusionSOC AI, 2026-03-18T18:09
FusionSOC AI, 2026-03-18T18:09
FusionSOC AI, 2026-03-18T18:09
Timeline
2026-03-18T18:26:06
analyst
Status changed: triaging → closed
2026-03-18T18:26:00
analyst
Analyst classified as False Positive (FP)
2026-03-18T18:17:13
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:17:13
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Consider tuning the rule to exclude legitimate system-level access to LSASS by s...
2026-03-18T18:17:13
FusionSOC
Response action queued: recommended on Consider tuning the rule to exclude legitimate system-level access to LSASS by signed Windows binaries.
2026-03-18T18:17:13
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:17:13
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** No action required; mark as False Positive. **Sensor:** `e4a1c62d-4d1f-44...` **...
2026-03-18T18:17:13
FusionSOC
Response action queued: recommended on No action required; mark as False Positive.
2026-03-18T18:17:13
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:17:13
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T18:17:13
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T18:17:13
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T18:17:13
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T18:09:37
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:09:37
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close this alert as a False Positive **Sensor:** `e4a1c62d-4d1f-44...` **Time Wi...
2026-03-18T18:09:36
FusionSOC
Response action queued: recommended on Close this alert as a False Positive
2026-03-18T18:09:36
FusionSOC
Action recommended → executed: Process Tree Investigation: 29 events found
2026-03-18T18:09:36
FusionSOC AI
Note by FusionSOC AI: ## Process Tree Investigation **Action:** Whitelist legitimate system process initialization for the 'Sensitive Proces...
2026-03-18T18:09:35
FusionSOC
Response action queued: recommended on Whitelist legitimate system process initialization for the 'Sensitive Process Accessed' rule to reduce noise
2026-03-18T18:09:35
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:09:35
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T18:09:35
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T18:09:35
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T18:09:35
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T18:09:35
FusionSOC AI
Detection bc2ceb10-ceae-4f2c-bb2f-578c69bade61 triaged as false_positive (informational severity, confidence: 95%)
2026-03-18T18:09:35
FusionSOC AI
Case created from detection: general.Sensitive Process Accessed