Severity: high | Status: closed | Verdict: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Process from Atypical Path high
Rule: general.New Process From Atypical Path
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 88% · Verdict: false positive
Event Data:
BASE_ADDRESS: 140702213013504
COMMAND_LINE: C:\Users\ADMINI~1\AppData\Local\Temp\303386E2-F60D-45F4-87F9-6013E8B5ABC5\dismhost.exe {C31366CC-61BF-49DD-BCDC-8705D004F689}
FILE_IS_SIGNED: 1
FILE_PATH: C:\Users\ADMINI~1\AppData\Local\Temp\303386E2-F60D-45F4-87F9-6013E8B5ABC5\dismhost.exe
HASH: 0f25d825e0caa7574353951c11131bda85fd7792957467f23b24fa9a7d3d9d32
MEMORY_USAGE: 8507392
PARENT: {'BASE_ADDRESS': 140701916266496, 'COMMAND_LINE': 'C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C:', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\system32\\cleanmgr.exe', 'HASH': '1bdab94440132410d1ab623ded8f2427b34c233a063a150617af271b9394025b', 'MEMORY_USAGE': 14327808, 'PARENT_ATOM': '71eed11232f1cc1118c500a369bf04db', 'PARENT_PROCESS_ID': 1868, 'PROCESS_ID': 3572, 'THIS_ATOM': '0f9bee4dc06f3af09c4556ab69bf07d5', 'THREADS': 6, 'TIMESTAMP': 1774127060682, 'USER_NAME': 'DFLABSDC01\\Administrator'}
PARENT_PROCESS_ID: 3572
PROCESS_ID: 204
THREADS: 8
USER_NAME: DFLABSDC01\Administrator
IOCs: 0f25d825e0caa7574353951c11131bda85fd7792957467f23b24fa9a7d3d9d32
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Process from Atypical Path",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140702213013504,
      "COMMAND_LINE": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\303386E2-F60D-45F4-87F9-6013E8B5ABC5\\dismhost.exe {C31366CC-61BF-49DD-BCDC-8705D004F689}",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\303386E2-F60D-45F4-87F9-6013E8B5ABC5\\dismhost.exe",
      "HASH": "0f25d825e0caa7574353951c11131bda85fd7792957467f23b24fa9a7d3d9d32",
      "MEMORY_USAGE": 8507392,
      "PARENT": {
        "BASE_ADDRESS": 140701916266496,
        "COMMAND_LINE": "C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C:",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\system32\\cleanmgr.exe",
        "HASH": "1bdab94440132410d1ab623ded8f2427b34c233a063a150617af271b9394025b",
        "MEMORY_USAGE": 14327808,
        "PARENT_ATOM": "71eed11232f1cc1118c500a369bf04db",
        "PARENT_PROCESS_ID": 1868,
        "PROCESS_ID": 3572,
        "THIS_ATOM": "0f9bee4dc06f3af09c4556ab69bf07d5",
        "THREADS": 6,
        "TIMESTAMP": 1774127060682,
        "USER_NAME": "DFLABSDC01\\Administrator"
      },
      "PARENT_PROCESS_ID": 3572,
      "PROCESS_ID": 204,
      "THREADS": 8,
      "USER_NAME": "DFLABSDC01\\Administrator"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "ad4405d7-14ac-4466-88f9-880e573dd5ca",
      "event_time": 1774127062525,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 2142,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "0f9bee4dc06f3af09c4556ab69bf07d5",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "92e7fde741511de21ca0559269bf07d9"
    }
  },
  "detect_id": "2f333c87-9d93-42b5-bf23-ac2969bf07d8",
  "gen_time": 1774127064667,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774127062\u0026selected=92e7fde741511de21ca0559269bf07d9",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "ad4405d7-14ac-4466-88f9-880e573dd5ca",
    "event_time": 1774127062525,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 2142,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "0f9bee4dc06f3af09c4556ab69bf07d5",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "92e7fde741511de21ca0559269bf07d9"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.New Process From Atypical Path",
  "ts": 1774127064000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.883,
  "false_positive_reason": "Legitimate Windows system maintenance behavior where DISM runs from a temporary path during Disk Cleanup operations.",
  "investigation_questions": [],
  "ioc_analysis": "The hash 0f25d825e0caa7574353951c11131bda85fd7792957467f23b24fa9a7d3d9d32 is a verified legitimate Microsoft binary for dismhost.exe (version 10.0.17763.771). Both the parent process (cleanmgr.exe) and the child process (dismhost.exe) are digitally signed by Microsoft.",
  "iocs_extracted": [
    "0f25d825e0caa7574353951c11131bda85fd7792957467f23b24fa9a7d3d9d32"
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Close this alert as a false positive.",
    "Tune the detection rule to exclude dismhost.exe when its parent process is cleanmgr.exe or when it is verified as a signed Microsoft binary."
  ],
  "risk_score": 13,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe process dismhost.exe was spawned by cleanmgr.exe (Disk Cleanup) from a temporary directory, which is standard behavior for Windows system maintenance tasks. DISM frequently extracts itself to temporary locations to perform servicing operations such as cleaning up the WinSxS folder.\n\n**IOC Analysis:** The hash 0f25d825e0caa7574353951c11131bda85fd7792957467f23b24fa9a7d3d9d32 is a verified legitimate Microsoft binary for dismhost.exe (version 10.0.17763.771). Both the parent process (cleanmgr.exe) and the child process (dismhost.exe) are digitally signed by Microsoft.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection is a false positive because dismhost.exe is a legitimate Microsoft Windows component used for deployment and image management, often invoked by system maintenance tools like cleanmgr.exe.\n\n**IOC Analysis:** The process dismhost.exe is running from a temporary directory (AppData\\Local\\Temp) which is atypical but common for legitimate administrative tasks. The parent process is cleanmgr.exe from System32, indicating this is likely part of Windows Disk Cleanup or similar maintenance activity. The binary is signed and the command line includes a GUID parameter typical of DISM operations.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nThe detection flagged a new process from an atypical path, but dismhost.exe is a legitimate Microsoft tool for system repair, signed and invoked by cleanmgr.exe, a known system utility. However, the unusual location raises suspicion.\n\n**IOC Analysis:** The FILE_PATH is in C:\\Users\\AppData\\Local\\Temp, which is not a standard location for system binaries, but the hash matches a Microsoft-signed dismhost.exe. The parent process is cleanmgr.exe from C:\\Windows\\System32, which is legitimate, suggesting this could be a false positive or a benign system operation.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (informational, 100% confidence)",
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: suspicious (medium, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action      | Target                                                                                                                                      | Status   | Result
tag         | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated                                                                                 | failed   | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
recommended | Manual analyst review required — AI models (majority)                                                                                       | executed | General Activity Sweep: 0 events found
recommended | Close this alert as a false positive.                                                                                                       | executed | General Activity Sweep: 0 events found
recommended | Tune the detection rule to exclude dismhost.exe when its parent process is cleanmgr.exe or when it is verified as a signed Microsoft binary. | executed | Process Tree Investigation: 50 events found

๐Ÿ“ Add Note

💬 Notes (4)

🤖 FusionSOC AI 2026-03-21T22:33
🤖 FusionSOC AI 2026-03-21T22:33
🤖 FusionSOC AI 2026-03-21T22:33
🤖 FusionSOC AI 2026-03-21T22:33

📜 Timeline

2026-03-22T06:09:46
analyst
Status changed: investigating → closed
2026-03-22T06:09:43
analyst
Analyst classified as False Positive (FP)
2026-03-21T22:33:17
FusionSOC AI
Status changed: investigating → investigating
2026-03-21T22:33:17
FusionSOC
Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-21T22:33:17
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” Process Tree Investigation **Action:** Tune the detection rule to exclude dismhost.exe when its parent process is c...
2026-03-21T22:33:16
FusionSOC
Response action queued: recommended on Tune the detection rule to exclude dismhost.exe when its parent process is cleanmgr.exe or when it is verified as a signed Microsoft binary.
2026-03-21T22:33:16
FusionSOC AI
Status changed: investigating → investigating
2026-03-21T22:33:16
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-21T22:33:16
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Close this alert as a false positive. **Sensor:** `e4a1c62d-4d1f-44...` **Time W...
2026-03-21T22:33:16
FusionSOC
Response action queued: recommended on Close this alert as a false positive.
2026-03-21T22:33:16
FusionSOC AI
Status changed: open → investigating
2026-03-21T22:33:16
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-21T22:33:16
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Manual analyst review required โ€” AI models (majority) **Sensor:** `e4a1c62d-4d1f...
2026-03-21T22:33:15
FusionSOC
Response action queued: recommended on Manual analyst review required — AI models (majority)
2026-03-21T22:33:15
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-21T22:33:15
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-21T22:33:15
FusionSOC AI
Detection 2f333c87-9d93-42b5-bf23-ac2969bf07d8 triaged as false_positive (high severity, confidence: 88%)
2026-03-21T22:33:15
FusionSOC AI
Case created from detection: general.New Process From Atypical Path