low closed false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

Sensitive Process Accessed low
Rule: general.Sensitive Process Accessed
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: SENSITIVE_PROCESS_ACCESS
Confidence: 95% · Verdict: false positive
Event Data:
EVENTS:
[{'event': {'BASE_ADDRESS': 140695720558592, 'COMMAND_LINE': 'C:\\Windows\\system32\\lsass.exe', 'CREATION_TIME': 1773849971454, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\system32\\lsass.exe', 'HASH': 'bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f', 'MEMORY_USAGE': 75264000, 'PARENT': {'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe', 'HASH': '13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649', 'MEMORY_USAGE': 6987776, 'PARENT_PROCESS_ID': 420, 'PROCESS_ID': 536, 'THIS_ATOM': '5aac4ac94a5899870505a72a69badbc5', 'THREADS': 5, 'TIMESTAMP': 1773853637283, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'PARENT_PROCESS_ID': 536, 'PROCESS_ID': 632, 'THREADS': 46, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'routing': {'arch': 2, 'did': '', 'event_id': '7daca29b-6ace-49e6-900c-4f98a3b3aa62', 'event_time': 1773853637298, 'event_type': 'EXISTING_PROCESS', 'ext_ip': '67.60.122.240', 'hostname': 'df-labsdc01.dflabs.local', 'iid': '47501359-645e-4049-906e-e6195da7afcf', 'int_ip': '192.168.45.129', 'latency': 300043, 'moduleid': 2, 'oid': 'ad19afae-3759-4207-b06e-8648b225c455', 'parent': '5aac4ac94a5899870505a72a69badbc5', 'plat': 268435456, 'sid': 'e4a1c62d-4d1f-4472-bae4-43291246b4d4', 'tags': ['domain-controller', 'fusion-soc-pulled', 'fusion-soc-triage', 'fusion-soc-case'], 'this': '990b174edf869fdf7e114b4269badbc5'}}, {'event': {'ACCESS_FLAGS': 5136, 'PARENT_PROCESS_ID': 3324, 'PROCESS_ID': 632, 'SOURCE': {'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe', 'HASH': '4d4f913d46f799582eac75707424f84ce7107e96cac55ddd454f4e554fdd24b1', 'MEMORY_USAGE': 65019904, 'PARENT_ATOM': '5121f09ae4602c114b78252569badbc5', 'PARENT_PROCESS_ID': 608, 'PROCESS_ID': 3324, 'THIS_ATOM': 'fc5d0530662c070c4e8dbb9b69badbc5', 'THREADS': 101, 'TIMESTAMP': 1773853637475, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'TARGET': {'BASE_ADDRESS': 140695720558592, 
'COMMAND_LINE': 'C:\\Windows\\system32\\lsass.exe', 'CREATION_TIME': 1773849971454, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\system32\\lsass.exe', 'HASH': 'bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f', 'MEMORY_USAGE': 75264000, 'PARENT_ATOM': '5aac4ac94a5899870505a72a69badbc5', 'PARENT_PROCESS_ID': 536, 'PROCESS_ID': 632, 'THIS_ATOM': '990b174edf869fdf7e114b4269badbc5', 'THREADS': 46, 'TIMESTAMP': 1773853637298, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}}, 'routing': {'arch': 2, 'did': '', 'event_id': 'da39684d-e464-46f2-a14d-334a66dbe85a', 'event_time': 1773853936889, 'event_type': 'REMOTE_PROCESS_HANDLE', 'ext_ip': '67.60.122.240', 'hostname': 'df-labsdc01.dflabs.local', 'iid': '47501359-645e-4049-906e-e6195da7afcf', 'int_ip': '192.168.45.129', 'latency': 452, 'moduleid': 2, 'oid': 'ad19afae-3759-4207-b06e-8648b225c455', 'parent': 'fc5d0530662c070c4e8dbb9b69badbc5', 'plat': 268435456, 'sid': 'e4a1c62d-4d1f-4472-bae4-43291246b4d4', 'tags': ['domain-controller', 'fusion-soc-pulled', 'fusion-soc-triage', 'fusion-soc-case'], 'target': '990b174edf869fdf7e114b4269badbc5', 'this': 'df86184c6a9429f17fbaf26569badcf1'}}]
IOCs: bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f C:\Windows\system32\lsass.exe 13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649
MITRE: T1003.001
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Sensitive Process Accessed",
  "detect": {
    "event": {
      "EVENTS": [
        {
          "event": {
            "BASE_ADDRESS": 140695720558592,
            "COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
            "CREATION_TIME": 1773849971454,
            "FILE_IS_SIGNED": 1,
            "FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
            "HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
            "MEMORY_USAGE": 75264000,
            "PARENT": {
              "FILE_IS_SIGNED": 1,
              "FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe",
              "HASH": "13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649",
              "MEMORY_USAGE": 6987776,
              "PARENT_PROCESS_ID": 420,
              "PROCESS_ID": 536,
              "THIS_ATOM": "5aac4ac94a5899870505a72a69badbc5",
              "THREADS": 5,
              "TIMESTAMP": 1773853637283,
              "USER_NAME": "NT AUTHORITY\\SYSTEM"
            },
            "PARENT_PROCESS_ID": 536,
            "PROCESS_ID": 632,
            "THREADS": 46,
            "USER_NAME": "NT AUTHORITY\\SYSTEM"
          },
          "routing": {
            "arch": 2,
            "did": "",
            "event_id": "7daca29b-6ace-49e6-900c-4f98a3b3aa62",
            "event_time": 1773853637298,
            "event_type": "EXISTING_PROCESS",
            "ext_ip": "67.60.122.240",
            "hostname": "df-labsdc01.dflabs.local",
            "iid": "47501359-645e-4049-906e-e6195da7afcf",
            "int_ip": "192.168.45.129",
            "latency": 300043,
            "moduleid": 2,
            "oid": "ad19afae-3759-4207-b06e-8648b225c455",
            "parent": "5aac4ac94a5899870505a72a69badbc5",
            "plat": 268435456,
            "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
            "tags": [
              "domain-controller",
              "fusion-soc-pulled",
              "fusion-soc-triage",
              "fusion-soc-case"
            ],
            "this": "990b174edf869fdf7e114b4269badbc5"
          }
        },
        {
          "event": {
            "ACCESS_FLAGS": 5136,
            "PARENT_PROCESS_ID": 3324,
            "PROCESS_ID": 632,
            "SOURCE": {
              "FILE_IS_SIGNED": 1,
              "FILE_PATH": "\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe",
              "HASH": "4d4f913d46f799582eac75707424f84ce7107e96cac55ddd454f4e554fdd24b1",
              "MEMORY_USAGE": 65019904,
              "PARENT_ATOM": "5121f09ae4602c114b78252569badbc5",
              "PARENT_PROCESS_ID": 608,
              "PROCESS_ID": 3324,
              "THIS_ATOM": "fc5d0530662c070c4e8dbb9b69badbc5",
              "THREADS": 101,
              "TIMESTAMP": 1773853637475,
              "USER_NAME": "NT AUTHORITY\\SYSTEM"
            },
            "TARGET": {
              "BASE_ADDRESS": 140695720558592,
              "COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
              "CREATION_TIME": 1773849971454,
              "FILE_IS_SIGNED": 1,
              "FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
              "HASH": "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
              "MEMORY_USAGE": 75264000,
              "PARENT_ATOM": "5aac4ac94a5899870505a72a69badbc5",
              "PARENT_PROCESS_ID": 536,
              "PROCESS_ID": 632,
              "THIS_ATOM": "990b174edf869fdf7e114b4269badbc5",
              "THREADS": 46,
              "TIMESTAMP": 1773853637298,
              "USER_NAME": "NT AUTHORITY\\SYSTEM"
            }
          },
          "routing": {
            "arch": 2,
            "did": "",
            "event_id": "da39684d-e464-46f2-a14d-334a66dbe85a",
            "event_time": 1773853936889,
            "event_type": "REMOTE_PROCESS_HANDLE",
            "ext_ip": "67.60.122.240",
            "hostname": "df-labsdc01.dflabs.local",
            "iid": "47501359-645e-4049-906e-e6195da7afcf",
            "int_ip": "192.168.45.129",
            "latency": 452,
            "moduleid": 2,
            "oid": "ad19afae-3759-4207-b06e-8648b225c455",
            "parent": "fc5d0530662c070c4e8dbb9b69badbc5",
            "plat": 268435456,
            "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
            "tags": [
              "domain-controller",
              "fusion-soc-pulled",
              "fusion-soc-triage",
              "fusion-soc-case"
            ],
            "target": "990b174edf869fdf7e114b4269badbc5",
            "this": "df86184c6a9429f17fbaf26569badcf1"
          }
        }
      ]
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "d4b1cf17-3cb1-41cd-b453-cfefa1359775",
      "event_time": 1773853937290,
      "event_type": "SENSITIVE_PROCESS_ACCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 51,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "fc5d0530662c070c4e8dbb9b69badbc5",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusion-soc-case"
      ],
      "target": "990b174edf869fdf7e114b4269badbc5",
      "this": "4103bfe22dac8bce57f33b3469badcf1"
    }
  },
  "detect_id": "29251b55-ab3d-4e24-ae97-b4b169badcf1",
  "gen_time": 1773853937341,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1773853937\u0026selected=4103bfe22dac8bce57f33b3469badcf1",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "d4b1cf17-3cb1-41cd-b453-cfefa1359775",
    "event_time": 1773853937290,
    "event_type": "SENSITIVE_PROCESS_ACCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 51,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "fc5d0530662c070c4e8dbb9b69badbc5",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusion-soc-case"
    ],
    "target": "990b174edf869fdf7e114b4269badbc5",
    "this": "4103bfe22dac8bce57f33b3469badcf1"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.Sensitive Process Accessed",
  "ts": 1773853937000
}
🤖 Triage JSON
{
  "confidence": 0.95,
  "false_positive_reason": "Expected Windows system process behavior",
  "investigation_questions": [
    "What specific process or thread requested access to the LSASS memory space?",
    "Is this a recurring event triggered by a local security agent or monitoring tool?"
  ],
  "ioc_analysis": "The file path \u0027C:\\Windows\\system32\\lsass.exe\u0027 is correct for this binary. Both the process and its parent (wininit.exe) are signed and running from the expected system directories. The hash values are consistent with legitimate Windows binaries.",
  "iocs_extracted": [
    "bbc83e4759d4b82bad31e371ad679aa414c72273bf97cee5aed8337ed8a4d79f",
    "C:\\Windows\\system32\\lsass.exe",
    "13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649"
  ],
  "mitre_techniques": [
    "T1003.001"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Tune the detection rule to exclude legitimate system-to-system process access.",
    "Verify the initiating process of the \u0027SENSITIVE_PROCESS_ACCESS\u0027 if not provided in this context."
  ],
  "risk_score": 7,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detection flagged access to the \u0027lsass.exe\u0027 process, which is a sensitive system component. However, the event details describe a legitimate, Microsoft-signed lsass.exe process running from its standard location (System32), spawned by the expected \u0027wininit.exe\u0027 parent process under the \u0027SYSTEM\u0027 account.\n\n**IOC Analysis:** The file path \u0027C:\\Windows\\system32\\lsass.exe\u0027 is correct for this binary. Both the process and its parent (wininit.exe) are signed and running from the expected system directories. The hash values are consistent with legitimate Windows binaries.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because lsass.exe is a legitimate Windows system binary running from its expected location in System32 and is signed by Microsoft.\n\n**IOC Analysis:** The process lsass.exe is located at C:\\Windows\\system32\\lsass.exe, which is the standard location for this critical Windows system process. The file hash matches the known good hash for lsass.exe, and FILE_IS_SIGNED indicates it is digitally signed by Microsoft.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves access to lsass.exe, a legitimate Windows system binary located in C:\\Windows\\System32. It is signed and part of normal system operation, indicating a likely false positive based on historical analyst feedback.\n\n**IOC Analysis:** The FILE_PATH is in a known-good system directory (C:\\Windows\\System32) and the FILE_IS_SIGNED flag is set, confirming it\u0027s a legitimate Microsoft binary. The parent process (wininit.exe) is also legitimate and running from its expected location.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 100% confidence)",
      "qwen3.5:4b: false_positive (informational, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action Target Status Result
tag e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated failed 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
recommended Close case as false positive (unanimous AI verdict) executed General Activity Sweep: 0 events found
recommended No action required; this is a known false positive scenario for this rule. executed General Activity Sweep: 0 events found
recommended Whitelists or tuning should be considered for legitimate security tools accessing lsass.exe. executed General Activity Sweep: 0 events found
tag e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated failed 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
recommended Close case as false positive (unanimous AI verdict) executed General Activity Sweep: 0 events found
recommended Tune the detection rule to exclude legitimate system-to-system process access. executed Process Tree Investigation: 13 events found
recommended Verify the initiating process of the 'SENSITIVE_PROCESS_ACCESS' if not provided in this context. executed Process Tree Investigation: 13 events found

๐Ÿ“ Add Note

💬 Notes (7)

🤖 FusionSOC AI 2026-03-18T18:15
🤖 FusionSOC AI 2026-03-18T18:15
🤖 FusionSOC AI 2026-03-18T18:15
🤖 FusionSOC AI 2026-03-18T18:11
🤖 FusionSOC AI 2026-03-18T18:11
🤖 FusionSOC AI 2026-03-18T18:11
🤖 FusionSOC AI 2026-03-18T18:11

📜 Timeline

2026-03-18T18:24:56
analyst
Status changed: triaging → closed
2026-03-18T18:24:54
analyst
Analyst classified as False Positive (FP)
2026-03-18T18:15:12
FusionSOC
Action recommended → executed: Process Tree Investigation: 13 events found
2026-03-18T18:15:12
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” Process Tree Investigation **Action:** Verify the initiating process of the 'SENSITIVE_PROCESS_ACCESS' if not provi...
2026-03-18T18:15:12
FusionSOC
Response action queued: recommended on Verify the initiating process of the 'SENSITIVE_PROCESS_ACCESS' if not provided in this context.
2026-03-18T18:15:12
FusionSOC
Action recommended → executed: Process Tree Investigation: 13 events found
2026-03-18T18:15:12
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” Process Tree Investigation **Action:** Tune the detection rule to exclude legitimate system-to-system process acces...
2026-03-18T18:15:10
FusionSOC
Response action queued: recommended on Tune the detection rule to exclude legitimate system-to-system process access.
2026-03-18T18:15:10
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:15:10
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T18:15:10
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T18:15:10
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T18:15:10
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T18:11:50
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:11:50
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Whitelists or tuning should be considered for legitimate security tools accessin...
2026-03-18T18:11:50
FusionSOC
Response action queued: recommended on Whitelists or tuning should be considered for legitimate security tools accessing lsass.exe.
2026-03-18T18:11:50
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:11:50
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** No action required; this is a known false positive scenario for this rule. **Sen...
2026-03-18T18:11:50
FusionSOC
Response action queued: recommended on No action required; this is a known false positive scenario for this rule.
2026-03-18T18:11:50
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T18:11:50
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T18:11:50
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T18:11:50
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T18:11:50
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T18:11:50
FusionSOC AI
Detection 29251b55-ab3d-4e24-ae97-b4b169badcf1 triaged as false_positive (low severity, confidence: 94%)
2026-03-18T18:11:50
FusionSOC AI
Case created from detection: general.Sensitive Process Accessed