high investigating true positive

๐Ÿท๏ธ Analyst Verdict Classification

🤖 AI Analysis

🔔 Detections (1)

fusionsoc-t1547-boot-logon-autostart-execution high
Rule: general.fusionsoc-t1547-boot-logon-autostart-execution
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 32% · Verdict: true positive
Event Data:
BASE_ADDRESS:
140698254573568
COMMAND_LINE:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --no-startup-window
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
HASH:
b4ea52196967c69a61c114c9934950f511f26bded473107e1b6c37cd8a22bf9e
MEMORY_USAGE:
156446720
PARENT:
{'BASE_ADDRESS': 140698254573568, 'COMMAND_LINE': '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --flag-switches-begin --flag-switches-end --no-startup-window', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe', 'HASH': 'b4ea52196967c69a61c114c9934950f511f26bded473107e1b6c37cd8a22bf9e', 'MEMORY_USAGE': 12480512, 'PARENT_ATOM': '3a82f571dec444ace97aa14f6a11d686', 'PARENT_PROCESS_ID': 72428, 'PROCESS_ID': 70400, 'THIS_ATOM': '24fc532565c783c21281448c6a120ec6', 'THREADS': 4, 'TIMESTAMP': 1779568326459, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}
PARENT_PROCESS_ID:
70400
PROCESS_ID:
77836
THREADS:
63
USER_NAME:
DESKTOP-ATSEPSK\Joy Howell
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "turbo-threads-api",
  "cat": "fusionsoc-t1547-boot-logon-autostart-execution",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140698254573568,
      "COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --flag-switches-begin --flag-switches-end --no-startup-window",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
      "HASH": "b4ea52196967c69a61c114c9934950f511f26bded473107e1b6c37cd8a22bf9e",
      "MEMORY_USAGE": 156446720,
      "PARENT": {
        "BASE_ADDRESS": 140698254573568,
        "COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --flag-switches-begin --flag-switches-end --no-startup-window",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
        "HASH": "b4ea52196967c69a61c114c9934950f511f26bded473107e1b6c37cd8a22bf9e",
        "MEMORY_USAGE": 12480512,
        "PARENT_ATOM": "3a82f571dec444ace97aa14f6a11d686",
        "PARENT_PROCESS_ID": 72428,
        "PROCESS_ID": 70400,
        "THIS_ATOM": "24fc532565c783c21281448c6a120ec6",
        "THREADS": 4,
        "TIMESTAMP": 1779568326459,
        "USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
      },
      "PARENT_PROCESS_ID": 70400,
      "PROCESS_ID": 77836,
      "THREADS": 63,
      "USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "e9e78bb7-9a5b-4a97-9156-12639fc43020",
      "event_time": 1779582727252,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": 1741,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "24fc532565c783c21281448c6a120ec6",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_disk"
      ],
      "this": "647ade908df1d862e991addf6a124708"
    }
  },
  "detect_id": "23e5be09-a815-42f8-a32d-68f76a124708",
  "gen_time": 1779582728997,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1779582727\u0026selected=647ade908df1d862e991addf6a124708",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "e9e78bb7-9a5b-4a97-9156-12639fc43020",
    "event_time": 1779582727252,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": 1741,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "24fc532565c783c21281448c6a120ec6",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_disk"
    ],
    "this": "647ade908df1d862e991addf6a124708"
  },
  "rule_tags": [
    "attack.t1547",
    "attack.persistence"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "general.fusionsoc-t1547-boot-logon-autostart-execution",
  "ts": 1779582730000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 71
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.317,
  "false_positive_reason": null,
  "investigation_questions": [],
  "ioc_analysis": "",
  "iocs_extracted": [],
  "mitre_techniques": [],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Manual review required"
  ],
  "risk_score": 20,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e TRUE POSITIVE)**\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe process is a legitimate instance of Microsoft Edge running from its expected location and is signed by Microsoft.\n\n**IOC Analysis:** The file path and hash match the legitimate Microsoft Edge executable, and the process is signed, indicating it is likely benign.\n\n---\n\n### \ud83e\udd16 deepseek-r1:16b Analysis (Secondary + RAG)\n**Verdict:** true_positive | **Confidence:** 0.0\nThe detection event involves the msedge.exe process, which is a legitimate Microsoft Edge application. The file is signed, and the file path is within the Program Files directory, indicating it\u0027s a known-good location. The process is spawned from another msedge.exe instance, which is typical for legitimate application behavior. Historical data shows this rule has only false positives for similar events. Therefore, this is likely a false positive.\n\n**IOC Analysis:** The FILE_PATH is located in C:\\Program Files (x86)\\Microsoft\\Edge\\Application, which is a known legitimate location for Microsoft Edge. The FILE_IS_SIGNED is 1, indicating the binary is signed by Microsoft. The process is running under a legitimate user account, and the parent process is also msedge.exe, which is expected behavior for legitimate application processes. The hash value corresponds to a known Microsoft-signed binary.\n\n---\n\n### \ud83e\udd16 gemma3:4b Analysis (Secondary)\nFailed or timed out.",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "qwen3.5:35b: true_positive (medium, 0% confidence)",
      "qwen3.5:4b +RAG: false_positive (low, 95% confidence)",
      "deepseek-r1:16b +RAG: true_positive (critical|high|medium|low|informational, 0% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.0,
        "model": "qwen3.5:35b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "had_rag": true,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.0,
        "had_rag": true,
        "model": "deepseek-r1:16b",
        "verdict": "true_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "true_positive"
  }
}

โš™๏ธ Response Actions

Action | Target | Status | Result
tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied
recommended | Manual review required | executed | General Activity Sweep: 0 events found

๐Ÿ“ Add Note

💬 Notes (3)

🤖 FusionSOC AI 2026-05-24T00:39
🤖 FusionSOC AI 2026-05-24T00:39
🤖 FusionSOC AI 2026-05-24T00:39

📜 Timeline

2026-05-24T00:39:44
FusionSOC AI
Note by FusionSOC AI: ## 🗳️ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 → TRUE POSITIVE) - qwen3.5:35b: true_positive (medium, 0% c...
2026-05-24T00:39:23
FusionSOC AI
Status changed: open → investigating
2026-05-24T00:39:23
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-05-24T00:39:23
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual review required **Sensor:** `8f3a47be-5629-4c...` **Time Window:** +/- 2 ...
2026-05-24T00:39:22
FusionSOC
Response action queued: recommended on Manual review required
2026-05-24T00:39:22
FusionSOC
Action tag → executed: Tag applied
2026-05-24T00:39:22
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-05-24T00:39:22
FusionSOC AI
Detection 23e5be09-a815-42f8-a32d-68f76a124708 triaged as true_positive (medium severity, confidence: 0%)
2026-05-24T00:39:22
FusionSOC AI
Case created from detection: general.fusionsoc-t1547-boot-logon-autostart-execution