Case #4657
general.fusionsoc-t1547-boot-logon-autostart-execution
Analyst Verdict Classification
AI Analysis
Detections (1)
fusionsoc-t1547-boot-logon-autostart-execution
high
Rule: general.fusionsoc-t1547-boot-logon-autostart-execution
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 62% · Verdict: false positive
Event Data:
BASE_ADDRESS:
140698254573568
COMMAND_LINE:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=SAAAAAAAAADgAAAEAAAAAAAAAAAAAGAAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --startup-read-main-dll --metrics-shmem-handle=2260,i,8110572968727950405,1358730532997457801,262144 --field-trial-handle=2468,i,7909808609186306790,9628827707749876225,262144 --variations-seed-version --pseudonymization-salt-handle=2464,i,4313559656419908807,17575802231718763017,4 --trace-process-track-uuid=3190708988185955192 --mojo-platform-channel-handle=2460 /prefetch:2
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
HASH:
b4ea52196967c69a61c114c9934950f511f26bded473107e1b6c37cd8a22bf9e
MEMORY_USAGE:
58253312
PARENT:
{'BASE_ADDRESS': 140698254573568, 'COMMAND_LINE': '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --flag-switches-begin --flag-switches-end --no-startup-window', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe', 'HASH': 'b4ea52196967c69a61c114c9934950f511f26bded473107e1b6c37cd8a22bf9e', 'MEMORY_USAGE': 146931712, 'PARENT_ATOM': '14c92a9e89ab84bc90b20ad96a117414', 'PARENT_PROCESS_ID': 68792, 'PROCESS_ID': 80084, 'THIS_ATOM': '8dc3c24f484aaa644ebb48b06a119e45', 'THREADS': 61, 'TIMESTAMP': 1779539524791, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}
PARENT_PROCESS_ID:
80084
PROCESS_ID:
83472
THREADS:
14
USER_NAME:
DESKTOP-ATSEPSK\Joy Howell
Analyst Declaration:
Raw Detection JSON
{
"author": "turbo-threads-api",
"cat": "fusionsoc-t1547-boot-logon-autostart-execution",
"detect": {
"event": {
"BASE_ADDRESS": 140698254573568,
"COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=gpu-process --gpu-preferences=SAAAAAAAAADgAAAEAAAAAAAAAAAAAGAAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --startup-read-main-dll --metrics-shmem-handle=2260,i,8110572968727950405,1358730532997457801,262144 --field-trial-handle=2468,i,7909808609186306790,9628827707749876225,262144 --variations-seed-version --pseudonymization-salt-handle=2464,i,4313559656419908807,17575802231718763017,4 --trace-process-track-uuid=3190708988185955192 --mojo-platform-channel-handle=2460 /prefetch:2",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"HASH": "b4ea52196967c69a61c114c9934950f511f26bded473107e1b6c37cd8a22bf9e",
"MEMORY_USAGE": 58253312,
"PARENT": {
"BASE_ADDRESS": 140698254573568,
"COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --flag-switches-begin --flag-switches-end --no-startup-window",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"HASH": "b4ea52196967c69a61c114c9934950f511f26bded473107e1b6c37cd8a22bf9e",
"MEMORY_USAGE": 146931712,
"PARENT_ATOM": "14c92a9e89ab84bc90b20ad96a117414",
"PARENT_PROCESS_ID": 68792,
"PROCESS_ID": 80084,
"THIS_ATOM": "8dc3c24f484aaa644ebb48b06a119e45",
"THREADS": 61,
"TIMESTAMP": 1779539524791,
"USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
},
"PARENT_PROCESS_ID": 80084,
"PROCESS_ID": 83472,
"THREADS": 14,
"USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "b0edf70a-ec9c-447e-bb0b-edd7a7c74613",
"event_time": 1779539525413,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 1063,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "8dc3c24f484aaa644ebb48b06a119e45",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory"
],
"this": "7beab5bbfbe641f7d0bd235a6a119e46"
}
},
"detect_id": "927da6e4-126f-4ccb-8ea1-c53c6a119e46",
"gen_time": 1779539526476,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1779539525\u0026selected=7beab5bbfbe641f7d0bd235a6a119e46",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "b0edf70a-ec9c-447e-bb0b-edd7a7c74613",
"event_time": 1779539525413,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 1063,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "8dc3c24f484aaa644ebb48b06a119e45",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory"
],
"this": "7beab5bbfbe641f7d0bd235a6a119e46"
},
"rule_tags": [
"attack.t1547",
"attack.persistence"
],
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "general.fusionsoc-t1547-boot-logon-autostart-execution",
"ts": 1779539526000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 71
}
}
}
Triage JSON
{
"confidence": 0.617,
"false_positive_reason": null,
"investigation_questions": [],
"ioc_analysis": "",
"iocs_extracted": [],
"mitre_techniques": [],
"recommended_actions": [
"Manual analyst review required \u2014 AI models (majority)",
"Manual review required"
],
"risk_score": 27,
"severity": "high",
"summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detected process is Microsoft Edge\u0027s GPU process, which is expected to run from the specified path and command line.\n\n**IOC Analysis:** The file path and hash match legitimate Microsoft Edge binaries, and the process tree shows typical behavior for Edge processes.\n\n---\n\n### \ud83e\udd16 deepseek-r1:16b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves msedge.exe, a legitimate Microsoft Edge process, running under a user account. The file is signed, and the path is within the expected Program Files directory. The process is part of normal user activity, and historical data shows similar events have been marked as false positives.\n\n**IOC Analysis:** The file path is located in C:\\Program Files (x86)\\Microsoft\\Edge, which is a known legitimate location for Microsoft software. The file is signed (FILE_IS_SIGNED=1), indicating it is a trusted Microsoft binary. The command line arguments are typical for Edge processes, including GPU preferences and metrics handling, which are standard for legitimate operation.\n\n---\n\n### \ud83e\udd16 gemma3:4b Analysis (Secondary)\nFailed or timed out.",
"verdict": "false_positive",
"voting": {
"auto_action": "manual_review",
"mode": "majority",
"total_models": 3,
"vote_summary": [
"qwen3.5:35b: true_positive (medium, 0% confidence)",
"qwen3.5:4b +RAG: false_positive (low, 95% confidence)",
"deepseek-r1:16b +RAG: false_positive (informational, 90% confidence)"
],
"votes": [
{
"confidence": 0.0,
"model": "qwen3.5:35b",
"verdict": "true_positive"
},
{
"confidence": 0.95,
"had_rag": true,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"had_rag": true,
"model": "deepseek-r1:16b",
"verdict": "false_positive"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied |
| recommended | Manual review required | executed | General Activity Sweep: 0 events found |
Notes (3)
FusionSOC AI
2026-05-23T12:39
FusionSOC AI
2026-05-23T12:39
FusionSOC AI
2026-05-23T12:39
Timeline
2026-05-23T12:39:50
FusionSOC AI
Note by FusionSOC AI: ## Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 → FALSE POSITIVE) - qwen3.5:35b: true_positive (medium, 0% ...
2026-05-23T12:39:32
FusionSOC AI
Status changed: open → investigating
2026-05-23T12:39:32
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-05-23T12:39:32
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Manual review required **Sensor:** `8f3a47be-5629-4c...` **Time Window:** +/- 2 ...
2026-05-23T12:39:32
FusionSOC
Response action queued: recommended on Manual review required
2026-05-23T12:39:32
FusionSOC
Action tag → executed: Tag applied
2026-05-23T12:39:31
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-05-23T12:39:31
FusionSOC AI
Detection 927da6e4-126f-4ccb-8ea1-c53c6a119e46 triaged as true_positive (medium severity, confidence: 0%)
2026-05-23T12:39:31
FusionSOC AI
Case created from detection: general.fusionsoc-t1547-boot-logon-autostart-execution