Severity: low · Status: closed · Verdict: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

Sensitive Process Accessed low
Rule: general.Sensitive Process Accessed
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: SENSITIVE_PROCESS_ACCESS
Confidence: 95% ยท Verdict: false positive
Event Data:
EVENTS:
[{'event': {'BASE_ADDRESS': 140702525030400, 'COMMAND_LINE': 'C:\\WINDOWS\\system32\\lsass.exe', 'CREATION_TIME': 1773245868875, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\WINDOWS\\system32\\lsass.exe', 'HASH': '055a1226a769948a79ed0972bdee2d91937c4b521e0b9046f9b8ccc63d110115', 'MEMORY_USAGE': 19705856, 'PARENT': {'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume3\\Windows\\System32\\wininit.exe', 'HASH': 'ba26910be549b8700c08fbe2f160952288864470a30dd35c3c6b7782f7dbf857', 'MEMORY_USAGE': 7323648, 'PARENT_PROCESS_ID': 720, 'PROCESS_ID': 840, 'THIS_ATOM': '58b1f2a11a942a48999a6fbd69b1964c', 'THREADS': 1, 'TIMESTAMP': 1773246028618, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'PARENT_PROCESS_ID': 840, 'PROCESS_ID': 980, 'THREADS': 16, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'routing': {'arch': 2, 'did': '', 'event_id': '616a7e97-899a-4409-a230-6aae8c64e87d', 'event_time': 1773246029212, 'event_type': 'EXISTING_PROCESS', 'ext_ip': '23.128.32.10', 'hostname': 'desktop-3nfb237', 'iid': 'b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175', 'int_ip': '192.168.50.40', 'latency': 655772604, 'moduleid': 2, 'oid': 'd3541070-8b0e-4663-8a6a-aa0727aacd36', 'parent': '58b1f2a11a942a48999a6fbd69b1964c', 'plat': 268435456, 'sid': 'ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136', 'tags': ['fusion-soc-alert', 'fusion-soc-case', 'fusion-soc-pulled', 'fusion-soc-triage', 'fusionsoc-critical', 'fusionsoc-high', 'fusionsoc-investigated', 'qucikbooks', 'windows', 'yara_detection_memory'], 'this': 'b2fe617fb2365f162bc5846069b1964d'}}, {'event': {'ACCESS_FLAGS': 2097151, 'PARENT_PROCESS_ID': 9256, 'PROCESS_ID': 980, 'SOURCE': {'BASE_ADDRESS': 9633792, 'COMMAND_LINE': '"C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe" "en" "C:\\ProgramData\\Dell\\SupportAssist\\Agent\\Certificate\\SRE\\e231b57f-d97f-475d-bd70-e5b839232e92.pfx" "127.0.0.1:10528" "5ce2f89a-f6dd-497e-a5d6-38e955aaf176" "false"', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe', 'HASH': '4209038199a68a376fc84137887a18bbeb149f54ad610645f2d585c44a569f31', 'MEMORY_USAGE': 4648960, 'PARENT_ATOM': '7a1843f3f92f80d78b404bd469bb9681', 'PARENT_PROCESS_ID': 12556, 'PROCESS_ID': 9256, 'THIS_ATOM': '6b4a9782c9cf20e12a85883e69bb96e1', 'THREADS': 4, 'TIMESTAMP': 1773901536063, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}, 'TARGET': {'BASE_ADDRESS': 140702525030400, 'COMMAND_LINE': 'C:\\WINDOWS\\system32\\lsass.exe', 'CREATION_TIME': 1773245868875, 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\WINDOWS\\system32\\lsass.exe', 'HASH': '055a1226a769948a79ed0972bdee2d91937c4b521e0b9046f9b8ccc63d110115', 'MEMORY_USAGE': 19705856, 'PARENT_ATOM': '58b1f2a11a942a48999a6fbd69b1964c', 'PARENT_PROCESS_ID': 840, 'PROCESS_ID': 980, 'THIS_ATOM': 'b2fe617fb2365f162bc5846069b1964d', 'THREADS': 16, 'TIMESTAMP': 1773246029212, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}}, 'routing': {'arch': 2, 'did': '', 'event_id': 'a423370b-d20a-4107-83ac-2db49ca1fa7b', 'event_time': 1773901801407, 'event_type': 'REMOTE_PROCESS_HANDLE', 'ext_ip': '23.128.32.10', 'hostname': 'desktop-3nfb237', 'iid': 'b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175', 'int_ip': '192.168.50.40', 'latency': 409, 'moduleid': 2, 'oid': 'd3541070-8b0e-4663-8a6a-aa0727aacd36', 'parent': '6b4a9782c9cf20e12a85883e69bb96e1', 'plat': 268435456, 'sid': 'ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136', 'tags': ['fusion-soc-alert', 'fusion-soc-case', 'fusion-soc-pulled', 'fusion-soc-triage', 'fusionsoc-critical', 'fusionsoc-high', 'fusionsoc-investigated', 'qucikbooks', 'windows', 'yara_detection_memory'], 'target': 'b2fe617fb2365f162bc5846069b1964d', 'this': 'ede66f9d18faa7941faad9cb69bb97ea'}}]
IOCs: 055a1226a769948a79ed0972bdee2d91937c4b521e0b9046f9b8ccc63d110115 ba26910be549b8700c08fbe2f160952288864470a30dd35c3c6b7782f7dbf857 C:\WINDOWS\system32\lsass.exe
MITRE: T1003
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Sensitive Process Accessed",
  "detect": {
    "event": {
      "EVENTS": [
        {
          "event": {
            "BASE_ADDRESS": 140702525030400,
            "COMMAND_LINE": "C:\\WINDOWS\\system32\\lsass.exe",
            "CREATION_TIME": 1773245868875,
            "FILE_IS_SIGNED": 1,
            "FILE_PATH": "C:\\WINDOWS\\system32\\lsass.exe",
            "HASH": "055a1226a769948a79ed0972bdee2d91937c4b521e0b9046f9b8ccc63d110115",
            "MEMORY_USAGE": 19705856,
            "PARENT": {
              "FILE_IS_SIGNED": 1,
              "FILE_PATH": "\\Device\\HarddiskVolume3\\Windows\\System32\\wininit.exe",
              "HASH": "ba26910be549b8700c08fbe2f160952288864470a30dd35c3c6b7782f7dbf857",
              "MEMORY_USAGE": 7323648,
              "PARENT_PROCESS_ID": 720,
              "PROCESS_ID": 840,
              "THIS_ATOM": "58b1f2a11a942a48999a6fbd69b1964c",
              "THREADS": 1,
              "TIMESTAMP": 1773246028618,
              "USER_NAME": "NT AUTHORITY\\SYSTEM"
            },
            "PARENT_PROCESS_ID": 840,
            "PROCESS_ID": 980,
            "THREADS": 16,
            "USER_NAME": "NT AUTHORITY\\SYSTEM"
          },
          "routing": {
            "arch": 2,
            "did": "",
            "event_id": "616a7e97-899a-4409-a230-6aae8c64e87d",
            "event_time": 1773246029212,
            "event_type": "EXISTING_PROCESS",
            "ext_ip": "23.128.32.10",
            "hostname": "desktop-3nfb237",
            "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
            "int_ip": "192.168.50.40",
            "latency": 655772604,
            "moduleid": 2,
            "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
            "parent": "58b1f2a11a942a48999a6fbd69b1964c",
            "plat": 268435456,
            "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
            "tags": [
              "fusion-soc-alert",
              "fusion-soc-case",
              "fusion-soc-pulled",
              "fusion-soc-triage",
              "fusionsoc-critical",
              "fusionsoc-high",
              "fusionsoc-investigated",
              "qucikbooks",
              "windows",
              "yara_detection_memory"
            ],
            "this": "b2fe617fb2365f162bc5846069b1964d"
          }
        },
        {
          "event": {
            "ACCESS_FLAGS": 2097151,
            "PARENT_PROCESS_ID": 9256,
            "PROCESS_ID": 980,
            "SOURCE": {
              "BASE_ADDRESS": 9633792,
              "COMMAND_LINE": "\"C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe\" \"en\" \"C:\\ProgramData\\Dell\\SupportAssist\\Agent\\Certificate\\SRE\\e231b57f-d97f-475d-bd70-e5b839232e92.pfx\" \"127.0.0.1:10528\" \"5ce2f89a-f6dd-497e-a5d6-38e955aaf176\" \"false\"",
              "FILE_IS_SIGNED": 1,
              "FILE_PATH": "C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe",
              "HASH": "4209038199a68a376fc84137887a18bbeb149f54ad610645f2d585c44a569f31",
              "MEMORY_USAGE": 4648960,
              "PARENT_ATOM": "7a1843f3f92f80d78b404bd469bb9681",
              "PARENT_PROCESS_ID": 12556,
              "PROCESS_ID": 9256,
              "THIS_ATOM": "6b4a9782c9cf20e12a85883e69bb96e1",
              "THREADS": 4,
              "TIMESTAMP": 1773901536063,
              "USER_NAME": "NT AUTHORITY\\SYSTEM"
            },
            "TARGET": {
              "BASE_ADDRESS": 140702525030400,
              "COMMAND_LINE": "C:\\WINDOWS\\system32\\lsass.exe",
              "CREATION_TIME": 1773245868875,
              "FILE_IS_SIGNED": 1,
              "FILE_PATH": "C:\\WINDOWS\\system32\\lsass.exe",
              "HASH": "055a1226a769948a79ed0972bdee2d91937c4b521e0b9046f9b8ccc63d110115",
              "MEMORY_USAGE": 19705856,
              "PARENT_ATOM": "58b1f2a11a942a48999a6fbd69b1964c",
              "PARENT_PROCESS_ID": 840,
              "PROCESS_ID": 980,
              "THIS_ATOM": "b2fe617fb2365f162bc5846069b1964d",
              "THREADS": 16,
              "TIMESTAMP": 1773246029212,
              "USER_NAME": "NT AUTHORITY\\SYSTEM"
            }
          },
          "routing": {
            "arch": 2,
            "did": "",
            "event_id": "a423370b-d20a-4107-83ac-2db49ca1fa7b",
            "event_time": 1773901801407,
            "event_type": "REMOTE_PROCESS_HANDLE",
            "ext_ip": "23.128.32.10",
            "hostname": "desktop-3nfb237",
            "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
            "int_ip": "192.168.50.40",
            "latency": 409,
            "moduleid": 2,
            "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
            "parent": "6b4a9782c9cf20e12a85883e69bb96e1",
            "plat": 268435456,
            "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
            "tags": [
              "fusion-soc-alert",
              "fusion-soc-case",
              "fusion-soc-pulled",
              "fusion-soc-triage",
              "fusionsoc-critical",
              "fusionsoc-high",
              "fusionsoc-investigated",
              "qucikbooks",
              "windows",
              "yara_detection_memory"
            ],
            "target": "b2fe617fb2365f162bc5846069b1964d",
            "this": "ede66f9d18faa7941faad9cb69bb97ea"
          }
        }
      ]
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "71902401-b46b-4691-a8c1-5d0fc0297bd3",
      "event_time": 1773901802000,
      "event_type": "SENSITIVE_PROCESS_ACCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-3nfb237",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.40",
      "latency": -183,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "6b4a9782c9cf20e12a85883e69bb96e1",
      "plat": 268435456,
      "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "qucikbooks",
        "windows",
        "yara_detection_memory"
      ],
      "target": "b2fe617fb2365f162bc5846069b1964d",
      "this": "c300c36d4d165c6f9e249e0a69bb97ea"
    }
  },
  "detect_id": "47853d65-7d98-4dca-800b-4ff369bb97e9",
  "gen_time": 1773901801819,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1773901802\u0026selected=c300c36d4d165c6f9e249e0a69bb97ea",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "71902401-b46b-4691-a8c1-5d0fc0297bd3",
    "event_time": 1773901802000,
    "event_type": "SENSITIVE_PROCESS_ACCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-3nfb237",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.40",
    "latency": -183,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "6b4a9782c9cf20e12a85883e69bb96e1",
    "plat": 268435456,
    "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "qucikbooks",
      "windows",
      "yara_detection_memory"
    ],
    "target": "b2fe617fb2365f162bc5846069b1964d",
    "this": "c300c36d4d165c6f9e249e0a69bb97ea"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
  "source_rule": "general.Sensitive Process Accessed",
  "ts": 1773901804000
}
🤖 Triage JSON
{
  "confidence": 0.95,
  "false_positive_reason": "Legitimate system binary activity: \u0027lsass.exe\u0027 being initialized by \u0027wininit.exe\u0027 during startup.",
  "investigation_questions": [
    "Are there any instances of \u0027lsass.exe\u0027 being accessed by non-system processes (e.g., from outside System32)?"
  ],
  "ioc_analysis": "The binary \u0027lsass.exe\u0027 (Hash: 055a1226...) is a legitimate Windows system component running from \u0027C:\\WINDOWS\\system32\\\u0027. It is digitally signed and verified. The parent process \u0027wininit.exe\u0027 (Hash: ba26910b...) is also a verified system binary and is the expected parent for the LSASS service.",
  "iocs_extracted": [
    "055a1226a769948a79ed0972bdee2d91937c4b521e0b9046f9b8ccc63d110115",
    "ba26910be549b8700c08fbe2f160952288864470a30dd35c3c6b7782f7dbf857",
    "C:\\WINDOWS\\system32\\lsass.exe"
  ],
  "mitre_techniques": [
    "T1003"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Adjust the detection rule to exclude legitimate system startup behavior where \u0027wininit.exe\u0027 spawns \u0027lsass.exe\u0027.",
    "Whitelist the specific Microsoft-signed hash if it persists as a noise source."
  ],
  "risk_score": 8,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detection \u0027Sensitive Process Accessed\u0027 was triggered by the standard operation of \u0027lsass.exe\u0027 (Local Security Authority Subsystem Service). The process is located in the correct system directory, is properly signed by Microsoft, and was spawned by its legitimate parent process, \u0027wininit.exe\u0027, which is normal behavior for the Windows boot sequence.\n\n**IOC Analysis:** The binary \u0027lsass.exe\u0027 (Hash: 055a1226...) is a legitimate Windows system component running from \u0027C:\\WINDOWS\\system32\\\u0027. It is digitally signed and verified. The parent process \u0027wininit.exe\u0027 (Hash: ba26910b...) is also a verified system binary and is the expected parent for the LSASS service.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection event flags lsass.exe access, but the process is running from its expected location in System32 and is Microsoft-signed. The parent process chain (wininit.exe -\u003e lsass.exe) is consistent with normal Windows boot behavior.\n\n**IOC Analysis:** lsass.exe is a legitimate Windows system binary responsible for handling security authentication. It is located at C:\\WINDOWS\\system32\\lsass.exe, which matches known-good system binary locations. The file hash corresponds to the official Microsoft-signed version of lsass.exe, and FILE_IS_SIGNED confirms digital signature validation passed.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves a legitimate Windows system process, lsass.exe, running from the expected System32 directory and signed by Microsoft. This is likely a false positive due to the process being a core system binary with no malicious indicators.\n\n**IOC Analysis:** The IOC FILE_PATH is C:\\Windows\\System32\\lsass.exe, which is a known good Windows system binary located in the expected directory. The HASH matches a known Microsoft-signed binary, and FILE_IS_SIGNED is 1, confirming its legitimacy. The parent process, wininit.exe, is also a legitimate system binary, aligning with false positive scenarios for system processes.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 100% confidence)",
      "qwen3.5:4b: false_positive (informational, 95% confidence)",
      "deepseek-r1:8b: false_positive (informational, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}
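The detection in this case is a REMOTE_PROCESS_HANDLE pairing, and the rule fires on the pair, not on lsass.exe by itself: SOURCE is Dell SupportAssist's SRE.exe (PID 9256, signed, running as SYSTEM) opening a handle to TARGET lsass.exe (PID 980) with ACCESS_FLAGS 2097151, which is 0x1FFFFF, PROCESS_ALL_ACCESS. All three model votes in the Triage JSON argue only about the target (lsass.exe is signed, lives in System32, was started by wininit.exe), which holds for every handle ever opened to LSASS, benign or hostile, and both tuning recommendations (exclude wininit.exe spawning lsass.exe, allowlist the Microsoft-signed hash) key on the target as well. What decides a T1003 handle alert is the source binary and the rights it asked for. The Python helper below is an added example, not FusionSOC or LimaCharlie code: it decodes the access mask into winnt.h right names, pulls the source/target pair out of a detection laid out like the one on this page (that field layout is taken from the page, not from a documented schema), checks whether the rights granted are enough to read the target's memory (PROCESS_QUERY_INFORMATION plus PROCESS_VM_READ, the minimum a MiniDumpWriteDump-style dump needs), and applies a suppression keyed on the source path. The SAMPLE_DETECTION is trimmed from the page's values and the NOISY_SOURCES allowlist is constructed for the example.

```python
"""Decode a SENSITIVE_PROCESS_ACCESS detection by what it asserts: who opened a handle to whom, with what rights."""

# Process-specific and standard access rights from winnt.h (fixed values).
PROCESS_ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF   # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF
DUMP_MINIMUM = 0x0400 | 0x0010  # QUERY_INFORMATION | VM_READ: enough to read LSASS memory

# Constructed allowlist for this example: handle openers we have decided are noise.
# Tuning keys on the SOURCE path (casefolded, Windows paths are case-insensitive);
# allowlisting lsass.exe's own hash would silence every open of LSASS, whoever did it.
NOISY_SOURCES = {
    r"c:\program files\dell\supportassistagent\sre\sre.exe",
}


def decode_access_mask(mask):
    """Return (named rights set in mask, bits the table does not name)."""
    names = [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]
    known = 0
    for bit in PROCESS_ACCESS_RIGHTS:
        known |= bit
    return names, mask & ~known


def summarize_handle_event(detection):
    """Extract source, target and rights from a detection laid out like the one on this page.

    Field names (detect.event.EVENTS[].routing.event_type, SOURCE, TARGET, ACCESS_FLAGS)
    are taken from that detection, not from a documented schema. Returns None when the
    detection carries no REMOTE_PROCESS_HANDLE event."""
    for wrapped in detection["detect"]["event"]["EVENTS"]:
        if wrapped["routing"].get("event_type") != "REMOTE_PROCESS_HANDLE":
            continue
        ev = wrapped["event"]
        mask = ev["ACCESS_FLAGS"]
        names, unnamed = decode_access_mask(mask)
        return {
            "source_path": ev["SOURCE"]["FILE_PATH"],
            "source_pid": ev["SOURCE"]["PROCESS_ID"],
            "source_signed": bool(ev["SOURCE"].get("FILE_IS_SIGNED", 0)),
            "target_path": ev["TARGET"]["FILE_PATH"],
            "target_pid": ev["TARGET"]["PROCESS_ID"],
            "access_mask": mask,
            "rights": names,
            "unnamed_bits": unnamed,
            "all_access": mask == PROCESS_ALL_ACCESS,
            "can_read_memory": (mask & DUMP_MINIMUM) == DUMP_MINIMUM,
        }
    return None


def classify(summary, noisy_sources=NOISY_SOURCES):
    """'suppress' only for a signed source whose path is allowlisted; otherwise 'review'.

    The target's signature and parent are deliberately not consulted: they say nothing
    about who opened the handle."""
    if summary is None:
        return "review"
    if summary["source_signed"] and summary["source_path"].casefold() in noisy_sources:
        return "suppress"
    return "review"


# Trimmed from the detection on this page: only the fields the helper reads.
SAMPLE_DETECTION = {
    "detect": {"event": {"EVENTS": [
        {"event": {"FILE_PATH": r"C:\WINDOWS\system32\lsass.exe", "PROCESS_ID": 980},
         "routing": {"event_type": "EXISTING_PROCESS"}},
        {"event": {
            "ACCESS_FLAGS": 2097151,
            "SOURCE": {"FILE_PATH": r"C:\Program Files\Dell\SupportAssistAgent\SRE\SRE.exe",
                       "PROCESS_ID": 9256, "FILE_IS_SIGNED": 1},
            "TARGET": {"FILE_PATH": r"C:\WINDOWS\system32\lsass.exe",
                       "PROCESS_ID": 980, "FILE_IS_SIGNED": 1}},
         "routing": {"event_type": "REMOTE_PROCESS_HANDLE"}},
    ]}},
}


def report(detection):
    """Human-readable triage lines for a detection; returned rather than printed so callers can log or test them."""
    s = summarize_handle_event(detection)
    if s is None:
        return ["no REMOTE_PROCESS_HANDLE event in detection"]
    return [
        f"{s['source_path']} (pid {s['source_pid']}, signed={s['source_signed']}) "
        f"-> {s['target_path']} (pid {s['target_pid']})",
        f"ACCESS_FLAGS 0x{s['access_mask']:X}: {', '.join(s['rights'])}",
        f"unnamed bits: 0x{s['unnamed_bits']:X}; PROCESS_ALL_ACCESS={s['all_access']}; "
        f"can_read_memory={s['can_read_memory']}",
        f"verdict: {classify(s)}",
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DETECTION)))
```

Run stand-alone, it prints the source/target pair, the nineteen named rights in 0x1FFFFF plus the two unnamed bits (0xC000), and the verdict for the page's detection. Whether "suppress" is the right call for SRE.exe is a judgement about Dell's agent, not about lsass.exe; the helper only makes that judgement explicit and keyed on the binary that actually opened the handle, which is the evidence the page's triage never examined.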

⚙️ Response Actions

Action | Target | Status | Result
tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | approved | —
recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found
recommended | Adjust the detection rule to exclude legitimate system startup behavior where 'wininit.exe' spawns 'lsass.exe'. | executed | General Activity Sweep: 0 events found
recommended | Whitelist the specific Microsoft-signed hash if it persists as a noise source. | executed | Persistence Check: 0 events found

๐Ÿ“ Add Note

💬 Notes (4)

🤖 FusionSOC AI 2026-03-23T03:05
🤖 FusionSOC AI 2026-03-23T03:05
🤖 FusionSOC AI 2026-03-23T03:05
🤖 FusionSOC AI 2026-03-19T06:44

📜 Timeline

2026-03-23T03:53:07
analyst
Status changed: investigating → closed
2026-03-23T03:05:54
FusionSOC AI
Status changed: investigating → investigating
2026-03-23T03:05:54
FusionSOC
Action recommended → executed: Persistence Check: 0 events found
2026-03-23T03:05:54
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Persistence Check **Action:** Whitelist the specific Microsoft-signed hash if it persists as a noise source. **Sens...
2026-03-23T03:05:50
FusionSOC AI
Status changed: investigating → investigating
2026-03-23T03:05:50
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-23T03:05:50
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Adjust the detection rule to exclude legitimate system startup behavior where 'w...
2026-03-23T03:05:47
FusionSOC AI
Status changed: closed → investigating
2026-03-23T03:05:47
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-23T03:05:47
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `ed8f7c3f-3a1a-4...
2026-03-19T17:18:21
analyst
Status changed: triaging → closed
2026-03-19T17:18:17
analyst
Analyst classified as False Positive (FP)
2026-03-19T06:44:06
FusionSOC
Response action queued: recommended on Whitelist the specific Microsoft-signed hash if it persists as a noise source.
2026-03-19T06:44:06
FusionSOC
Response action queued: recommended on Adjust the detection rule to exclude legitimate system startup behavior where 'wininit.exe' spawns 'lsass.exe'.
2026-03-19T06:44:06
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-19T06:44:06
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-19T06:44:06
FusionSOC AI
Detection 47853d65-7d98-4dca-800b-4ff369bb97e9 triaged as false_positive (low severity, confidence: 95%)
2026-03-19T06:44:06
FusionSOC AI
Case created from detection: general.Sensitive Process Accessed