Case #392
general.Sensitive Process Accessed
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
Sensitive Process Accessed
informational
Rule: general.Sensitive Process Accessed
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: SENSITIVE_PROCESS_ACCESS
Confidence: 95% · Verdict: false positive
Event Data:
EVENTS:
IOCs:
C:\Windows\system32\lsass.exe
bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f
13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649
MITRE:
T1003
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "Sensitive Process Accessed",
"detect": {
"event": {
"EVENTS": [
{
"event": {
"BASE_ADDRESS": 140695720558592,
"COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
"CREATION_TIME": 1773849971454,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
"HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"MEMORY_USAGE": 75264000,
"PARENT": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe",
"HASH": "13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649",
"MEMORY_USAGE": 6987776,
"PARENT_PROCESS_ID": 420,
"PROCESS_ID": 536,
"THIS_ATOM": "5aac4ac94a5899870505a72a69badbc5",
"THREADS": 5,
"TIMESTAMP": 1773853637283,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 536,
"PROCESS_ID": 632,
"THREADS": 46,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "83447113-4630-47ae-8447-0b6615058c77",
"event_time": 1773853637298,
"event_type": "EXISTING_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 579281,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "5aac4ac94a5899870505a72a69badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case"
],
"this": "990b174edf869fdf7e114b4269badbc5"
}
},
{
"event": {
"ACCESS_FLAGS": 5136,
"PARENT_PROCESS_ID": 3476,
"PROCESS_ID": 632,
"SOURCE": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26010.5-0\\MsMpEng.exe",
"HASH": "73ebeae74752610c5c2c3e715c19701374e4e6f84fbb1def0625f7d1e9419442",
"MEMORY_USAGE": 314720256,
"PARENT_ATOM": "5121f09ae4602c114b78252569badbc5",
"PARENT_PROCESS_ID": 608,
"PROCESS_ID": 3476,
"THIS_ATOM": "06a0044e31c3b233ea37517869badbc7",
"THREADS": 36,
"TIMESTAMP": 1773853639789,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"TARGET": {
"BASE_ADDRESS": 140695720558592,
"COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
"CREATION_TIME": 1773849971454,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
"HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"MEMORY_USAGE": 75264000,
"PARENT_ATOM": "5aac4ac94a5899870505a72a69badbc5",
"PARENT_PROCESS_ID": 536,
"PROCESS_ID": 632,
"THIS_ATOM": "990b174edf869fdf7e114b4269badbc5",
"THREADS": 46,
"TIMESTAMP": 1773853637298,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
}
},
"routing": {
"arch": 2,
"did": "",
"event_id": "64b100b5-6ec6-4cda-9105-e79187470759",
"event_time": 1773854216216,
"event_type": "REMOTE_PROCESS_HANDLE",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 363,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "06a0044e31c3b233ea37517869badbc7",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "b4b3df4ee4833dac001bc60869bade08"
}
}
]
},
"routing": {
"arch": 2,
"did": "",
"event_id": "122a55df-4606-4ed6-beca-fc8af744a827",
"event_time": 1773854216498,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 81,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "06a0044e31c3b233ea37517869badbc7",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "7b9f62a542cbde75676d664d69bade08"
}
},
"detect_id": "f35c00a0-6572-41b6-a115-ce8a69bade08",
"gen_time": 1773854216579,
"link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1773854216\u0026selected=7b9f62a542cbde75676d664d69bade08",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "122a55df-4606-4ed6-beca-fc8af744a827",
"event_time": 1773854216498,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 81,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "06a0044e31c3b233ea37517869badbc7",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusion-soc-case"
],
"target": "990b174edf869fdf7e114b4269badbc5",
"this": "7b9f62a542cbde75676d664d69bade08"
},
"source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
"source_rule": "general.Sensitive Process Accessed",
"ts": 1773854216000
}
Triage JSON
{
"confidence": 0.95,
"false_positive_reason": "Legitimate system process behavior",
"investigation_questions": [
"Which source process attempted to access LSASS, and was it a known security or monitoring tool?"
],
"ioc_analysis": "The binary C:\\Windows\\system32\\lsass.exe and its parent C:\\Windows\\System32\\wininit.exe are both signed by Microsoft and located in their expected system paths. The hash bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f corresponds to a known legitimate version of the Local Security Authority Subsystem Service.",
"iocs_extracted": [
"C:\\Windows\\system32\\lsass.exe",
"bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
"13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649"
],
"mitre_techniques": [
"T1003"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Whitelists the \u0027Sensitive Process Accessed\u0027 rule for the wininit.exe to lsass.exe relationship",
"No further investigation required"
],
"risk_score": 7,
"severity": "informational",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detection triggered on access to the LSASS process, which is a critical Windows security component. Analysis confirms lsass.exe is running from the correct System32 directory, was spawned by the legitimate wininit.exe parent process, and is a cryptographically signed Microsoft binary.\n\n**IOC Analysis:** The binary C:\\Windows\\system32\\lsass.exe and its parent C:\\Windows\\System32\\wininit.exe are both signed by Microsoft and located in their expected system paths. The hash bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f corresponds to a known legitimate version of the Local Security Authority Subsystem Service.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flagged lsass.exe access, but the process is running from its expected location in System32 with a valid Microsoft signature and parent chain originating from wininit.exe under SYSTEM context.\n\n**IOC Analysis:** lsass.exe at C:\\Windows\\system32\\lsass.exe is a legitimate Windows system binary. The file hash matches known Microsoft binaries, it is signed, and the process tree shows normal startup behavior via wininit.exe under NT AUTHORITY\\SYSTEM.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves access to lsass.exe, a legitimate Windows system process located in C:\\Windows\\system32, which is a known-good directory. The file is signed and spawned from wininit.exe, another legitimate system process, indicating this is likely a false positive for the \u0027Sensitive Process Accessed\u0027 rule.\n\n**IOC Analysis:** FILE_PATH: C:\\Windows\\system32\\lsass.exe is a known Windows system binary, not associated with malware. FILE_IS_SIGNED: 1 confirms the file is signed, likely by Microsoft, making it trustworthy. The process is running with SYSTEM privileges and is part of normal Windows boot sequence, aligning with expected behavior.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (informational, 100% confidence)",
"qwen3.5:4b: false_positive (informational, 95% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 1.0,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Process Tree Investigation: 29 events found |
| tag | | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Process Tree Investigation: 29 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
Notes (7)
FusionSOC AI
2026-03-18T18:15
FusionSOC AI
2026-03-18T18:15
FusionSOC AI
2026-03-18T18:15
FusionSOC AI
2026-03-18T18:11
FusionSOC AI
2026-03-18T18:11
FusionSOC AI
2026-03-18T18:11
FusionSOC AI
2026-03-18T18:11
Timeline
2026-03-18T18:25:23
analyst
Status changed: triaging → closed
2026-03-18T18:25:20
analyst
Analyst classified as False Positive (FP)
2026-03-18T18:15:52
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:15:52
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** No further investigation required **Sensor:** `e4a1c62d-4d1f-44...` **Time Windo...
2026-03-18T18:15:51
FusionSOC
Response action queued: recommended on No further investigation required
2026-03-18T18:15:51
FusionSOC
Action recommended → executed: Process Tree Investigation: 29 events found
2026-03-18T18:15:51
FusionSOC AI
Note by FusionSOC AI: ## Process Tree Investigation **Action:** Whitelists the 'Sensitive Process Accessed' rule for the wininit.exe to lsas...
2026-03-18T18:15:50
FusionSOC
Response action queued: recommended on Whitelists the 'Sensitive Process Accessed' rule for the wininit.exe to lsass.exe relationship
2026-03-18T18:15:50
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:15:50
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T18:15:50
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T18:15:50
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T18:15:50
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T18:11:10
FusionSOC
Action recommended → executed: Process Tree Investigation: 29 events found
2026-03-18T18:11:09
FusionSOC AI
Note by FusionSOC AI: ## Process Tree Investigation **Action:** Tune the detection rule 'general.Sensitive Process Accessed' to filter out l...
2026-03-18T18:11:08
FusionSOC
Response action queued: recommended on Tune the detection rule 'general.Sensitive Process Accessed' to filter out legitimate wininit.exe spawning lsass.exe during boot.
2026-03-18T18:11:08
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:11:08
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close this alert as a False Positive. **Sensor:** `e4a1c62d-4d1f-44...` **Time W...
2026-03-18T18:11:08
FusionSOC
Response action queued: recommended on Close this alert as a False Positive.
2026-03-18T18:11:08
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:11:08
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T18:11:08
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T18:11:08
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T18:11:08
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T18:11:08
FusionSOC AI
Detection f35c00a0-6572-41b6-a115-ce8a69bade08 triaged as false_positive (low severity, confidence: 95%)
2026-03-18T18:11:08
FusionSOC AI
Case created from detection: general.Sensitive Process Accessed