Severity: high · Status: investigating · Verdict: false positive

๐Ÿท๏ธ Analyst Verdict Classification

🤖 AI Analysis

🔔 Detections (1)

fusionsoc-t1547-boot-logon-autostart-execution high
Rule: general.fusionsoc-t1547-boot-logon-autostart-execution
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 57% · Verdict: false positive
Event Data:
BASE_ADDRESS:
140695559340032
COMMAND_LINE:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --startup-read-main-dll --metrics-shmem-handle=2936,i,15044578883430117282,18434198283900706484,524288 --field-trial-handle=2456,i,16848794899996132759,4193454385412676472,262144 --variations-seed-version --pseudonymization-salt-handle=2460,i,7771161663748813229,1717445998973907506,4 --trace-process-track-uuid=3190708990060038890 --mojo-platform-channel-handle=2920 /prefetch:13
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
HASH:
47455576c6fb157a3a4ddd4ffa3a35d286cb2346d131d08bcaef873b15f5707b
MEMORY_USAGE:
20570112
PARENT:
{'BASE_ADDRESS': 140695559340032, 'COMMAND_LINE': '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --flag-switches-begin --flag-switches-end --no-startup-window', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe', 'HASH': '47455576c6fb157a3a4ddd4ffa3a35d286cb2346d131d08bcaef873b15f5707b', 'MEMORY_USAGE': 70316032, 'PARENT_ATOM': '19e075e5e961d5ca0f8767ed6a0f2569', 'PARENT_PROCESS_ID': 63200, 'PROCESS_ID': 70332, 'THIS_ATOM': 'e46d46dc7cc74f7f8d1eb2c86a0f4189', 'THREADS': 45, 'TIMESTAMP': 1779384713248, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}
PARENT_PROCESS_ID:
70332
PROCESS_ID:
57412
THREADS:
9
USER_NAME:
DESKTOP-ATSEPSK\Joy Howell
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "turbo-threads-api",
  "cat": "fusionsoc-t1547-boot-logon-autostart-execution",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140695559340032,
      "COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --startup-read-main-dll --metrics-shmem-handle=2936,i,15044578883430117282,18434198283900706484,524288 --field-trial-handle=2456,i,16848794899996132759,4193454385412676472,262144 --variations-seed-version --pseudonymization-salt-handle=2460,i,7771161663748813229,1717445998973907506,4 --trace-process-track-uuid=3190708990060038890 --mojo-platform-channel-handle=2920 /prefetch:13",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
      "HASH": "47455576c6fb157a3a4ddd4ffa3a35d286cb2346d131d08bcaef873b15f5707b",
      "MEMORY_USAGE": 20570112,
      "PARENT": {
        "BASE_ADDRESS": 140695559340032,
        "COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --flag-switches-begin --flag-switches-end --no-startup-window",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
        "HASH": "47455576c6fb157a3a4ddd4ffa3a35d286cb2346d131d08bcaef873b15f5707b",
        "MEMORY_USAGE": 70316032,
        "PARENT_ATOM": "19e075e5e961d5ca0f8767ed6a0f2569",
        "PARENT_PROCESS_ID": 63200,
        "PROCESS_ID": 70332,
        "THIS_ATOM": "e46d46dc7cc74f7f8d1eb2c86a0f4189",
        "THREADS": 45,
        "TIMESTAMP": 1779384713248,
        "USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
      },
      "PARENT_PROCESS_ID": 70332,
      "PROCESS_ID": 57412,
      "THREADS": 9,
      "USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "e011a7a4-be29-465f-887a-0ccca802a072",
      "event_time": 1779384713712,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": 1634,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "e46d46dc7cc74f7f8d1eb2c86a0f4189",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows"
      ],
      "this": "6a8dfe74938fa33e7292f64e6a0f418a"
    }
  },
  "detect_id": "4a2c7c00-5609-458b-8db3-c8e26a0f418b",
  "gen_time": 1779384715346,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1779384713\u0026selected=6a8dfe74938fa33e7292f64e6a0f418a",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "e011a7a4-be29-465f-887a-0ccca802a072",
    "event_time": 1779384713712,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": 1634,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "e46d46dc7cc74f7f8d1eb2c86a0f4189",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows"
    ],
    "this": "6a8dfe74938fa33e7292f64e6a0f418a"
  },
  "rule_tags": [
    "attack.t1547",
    "attack.persistence"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "general.fusionsoc-t1547-boot-logon-autostart-execution",
  "ts": 1779384715000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 71
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.567,
  "false_positive_reason": null,
  "investigation_questions": [],
  "ioc_analysis": "",
  "iocs_extracted": [],
  "mitre_techniques": [],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Manual review required"
  ],
  "risk_score": 37,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.8\nThe detected process is a legitimate instance of Microsoft Edge running from its expected location, and the parent process is also Microsoft Edge. This is consistent with normal user activity.\n\n**IOC Analysis:** The FILE_PATH and COMMAND_LINE indicate that this is a legitimate instance of Microsoft Edge. The hash matches a known, signed Microsoft binary, which is expected to be present on systems.\n\n---\n\n### \ud83e\udd16 deepseek-r1:16b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves the Microsoft Edge executable (msedge.exe) running from a legitimate system directory. The file is signed by Microsoft, and the process is part of normal Edge operations. Historical data shows similar events being marked as false positives, and no malicious activity was detected.\n\n**IOC Analysis:** FILE_PATH points to a known legitimate Microsoft Edge application. FILE_IS_SIGNED is true, indicating it\u0027s a signed binary from Microsoft. The process is running under a user account and is part of normal Edge operations.\n\n---\n\n### \ud83e\udd16 gemma3:4b Analysis (Secondary)\nFailed or timed out.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "qwen3.5:35b: true_positive (medium, 0% confidence)",
      "qwen3.5:4b +RAG: false_positive (low, 80% confidence)",
      "deepseek-r1:16b +RAG: false_positive (medium, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.0,
        "model": "qwen3.5:35b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.8,
        "had_rag": true,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "had_rag": true,
        "model": "deepseek-r1:16b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action: tag | Target: 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | Status: executed | Result: Tag applied
Action: recommended | Target: Manual review required | Status: executed | Result: General Activity Sweep: 0 events found

๐Ÿ“ Add Note

💬 Notes (3)

🤖 FusionSOC AI 2026-05-21T17:38
🤖 FusionSOC AI 2026-05-21T17:37
🤖 FusionSOC AI 2026-05-21T17:37

📜 Timeline

2026-05-21T17:38:10
FusionSOC AI
Note by FusionSOC AI: ## 🗳️ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 → FALSE POSITIVE) - qwen3.5:35b: true_positive (medium, 0% ...
2026-05-21T17:37:54
FusionSOC AI
Status changed: open → investigating
2026-05-21T17:37:54
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-05-21T17:37:54
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual review required **Sensor:** `8f3a47be-5629-4c...` **Time Window:** +/- 2 ...
2026-05-21T17:37:54
FusionSOC
Response action queued: recommended on Manual review required
2026-05-21T17:37:54
FusionSOC
Action tag → executed: Tag applied
2026-05-21T17:37:54
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-05-21T17:37:53
FusionSOC AI
Detection 4a2c7c00-5609-458b-8db3-c8e26a0f418b triaged as true_positive (medium severity, confidence: 0%)
2026-05-21T17:37:53
FusionSOC AI
Case created from detection: general.fusionsoc-t1547-boot-logon-autostart-execution