โ
Case #460
general.YARA Detection in Memory
๐ท๏ธ Analyst Verdict Classification
FP by analyst๐ค AI Analysis
๐ Detections (1)
YARA Detection in Memory - Windows_Trojan_Generic_9997489c
low
Rule: general.YARA Detection in Memory
Hostname: desktop-atsepsk ยท Sensor: 8f3a47be-5629-4c...
Event Type: YARA_DETECTION
Confidence: 96% ยท Verdict: false positive
Event Data:
PROCESS:
{'BASE_ADDRESS': 140702246764544, 'COMMAND_LINE': '"C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe" "settings/services/configs/bdshieldsrv_config.json"', 'FILE_PATH': 'C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe', 'MEMORY_USAGE': 1918627840, 'PARENT_PROCESS_ID': 1680, 'PROCESS_ID': 6096, 'THREADS': 273, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PROCESS_ID:
6096
RULE_NAME:
Windows_Trojan_Generic_9997489c
IOCs:
C:\Program Files\Bitdefender\Bitdefender Security\bdservicehost.exe
MITRE:
T1059
Analyst Declaration:
๐ Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "YARA Detection in Memory - Windows_Trojan_Generic_9997489c",
"detect": {
"event": {
"PROCESS": {
"BASE_ADDRESS": 140702246764544,
"COMMAND_LINE": "\"C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe\" \"settings/services/configs/bdshieldsrv_config.json\"",
"FILE_PATH": "C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe",
"MEMORY_USAGE": 1918627840,
"PARENT_PROCESS_ID": 1680,
"PROCESS_ID": 6096,
"THREADS": 273,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PROCESS_ID": 6096,
"RULE_NAME": "Windows_Trojan_Generic_9997489c"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "c9b1cc0b-2172-433b-807e-fd4a03dbbb91",
"event_time": 1774285253037,
"event_type": "YARA_DETECTION",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 151,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0e216ebc38526920dcc17e5a69b2ef6f",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows"
],
"this": "74f6feb8ae9c928c013f668069c171c5"
}
},
"detect_id": "71b1e008-7654-415a-a846-1e2069c171c5",
"gen_time": 1774285253188,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774285253\u0026selected=74f6feb8ae9c928c013f668069c171c5",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "c9b1cc0b-2172-433b-807e-fd4a03dbbb91",
"event_time": 1774285253037,
"event_type": "YARA_DETECTION",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 151,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0e216ebc38526920dcc17e5a69b2ef6f",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows"
],
"this": "74f6feb8ae9c928c013f668069c171c5"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "general.YARA Detection in Memory",
"ts": 1774285254000
}
๐ค Triage JSON
{
"confidence": 0.965,
"false_positive_reason": "Security software (Bitdefender) flagged by generic memory-based malware signature",
"investigation_questions": [
"Are there any other YARA rules currently flagging legitimate security software in the environment?"
],
"ioc_analysis": "The process \u0027bdservicehost.exe\u0027 is a known-good binary associated with Bitdefender Security. Its location in \u0027C:\\Program Files\\Bitdefender\\Bitdefender Security\\\u0027 is the expected installation path. The command line shows standard service initialization using a JSON configuration file. Historical data confirms that this specific YARA rule has consistently produced false positives for this process in this environment.",
"iocs_extracted": [
"C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe"
],
"mitre_techniques": [
"T1059"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Close this alert as a false positive",
"Add an exclusion for the Bitdefender installation directory in the \u0027general.YARA Detection in Memory\u0027 rule to prevent future noise"
],
"risk_score": 6,
"severity": "low",
"summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.98\nThe detection triggered on a legitimate Bitdefender Security process (bdservicehost.exe) running from its standard installation directory. This is a characteristic false positive where generic memory-based YARA rules flag security software because they reside in memory and contain malware signatures used for detection purposes. No suspicious process behavior or child processes were observed.\n\n**IOC Analysis:** The process \u0027bdservicehost.exe\u0027 is a known-good binary associated with Bitdefender Security. Its location in \u0027C:\\Program Files\\Bitdefender\\Bitdefender Security\\\u0027 is the expected installation path. The command line shows standard service initialization using a JSON configuration file. Historical data confirms that this specific YARA rule has consistently produced false positives for this process in this environment.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flagged Bitdefender\u0027s bdservicehost.exe as malicious based on a generic Trojan YARA rule, but the process is running from its expected location and is signed by a known vendor.\n\n**IOC Analysis:** The process bdservicehost.exe is a legitimate Bitdefender security service component. It is located in C:\\Program Files\\Bitdefender\\Bitdefender Security\\ which is an expected directory for installed software, not a system binary location like System32. However, the rule flagged it as Windows_Trojan_Generic_9997489c. Given that this is a known security vendor\u0027s process and the detection is from a generic Trojan rule, combined with historical analyst feedback indicating false positives for this rule type, this is likely a benign detection.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\nFailed or timed out.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 2,
"vote_summary": [
"gemini-cli: false_positive (low, 98% confidence)",
"qwen3.5:4b: false_positive (low, 95% confidence)"
],
"votes": [
{
"confidence": 0.98,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
โ๏ธ Response Actions
| Action | Target | Status | Result | |
|---|---|---|---|---|
| tag | executed | Tag applied | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found |
๐ Add Note
๐ฌ Notes (4)
๐ค FusionSOC AI
2026-03-23T17:05
๐ค FusionSOC AI
2026-03-23T17:05
๐ค FusionSOC AI
2026-03-23T17:05
๐ค FusionSOC AI
2026-03-23T17:05
๐ Timeline
2026-03-23T17:07:02
analyst
Status changed: investigating โ closed
2026-03-23T17:06:58
analyst
Analyst classified as False Positive (FP)
2026-03-23T17:05:30
FusionSOC AI
Status changed: investigating โ investigating
2026-03-23T17:05:30
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-23T17:05:30
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Add an exclusion for the Bitdefender installation directory in the 'general.YARA...
2026-03-23T17:05:29
FusionSOC
Response action queued: recommended on Add an exclusion for the Bitdefender installation directory in the 'general.YARA Detection in Memory' rule to prevent future noise
2026-03-23T17:05:29
FusionSOC AI
Status changed: investigating โ investigating
2026-03-23T17:05:29
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-23T17:05:29
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close this alert as a false positive **Sensor:** `8f3a47be-5629-4c...` **Time Wi...
2026-03-23T17:05:29
FusionSOC
Response action queued: recommended on Close this alert as a false positive
2026-03-23T17:05:29
FusionSOC AI
Status changed: open โ investigating
2026-03-23T17:05:29
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-23T17:05:29
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-23T17:05:29
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-23T17:05:29
FusionSOC
Action tag โ executed: Tag applied
2026-03-23T17:05:29
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-23T17:05:29
FusionSOC AI
Detection 71b1e008-7654-415a-a846-1e2069c171c5 triaged as false_positive (low severity, confidence: 96%)
2026-03-23T17:05:29
FusionSOC AI
Case created from detection: general.YARA Detection in Memory