โ
Case #564
general.NEW FILE WRITE BYTES SAMPLE GRAB
๐ท๏ธ Analyst Verdict Classification
FP by analyst๐ค AI Analysis
๐ Detections (1)
New Code Atypical Path
low
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 ยท Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 97% ยท Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\x86\MpCmdRun.exe
HASH:
58e53bc3063592707395ca724ebd2cf179229803820a514362ff74386ab92164
PROCESS_ID:
17988
IOCs:
58e53bc3063592707395ca724ebd2cf179229803820a514362ff74386ab92164
Analyst Declaration:
๐ Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Code Atypical Path",
"detect": {
"event": {
"FILE_PATH": "C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\x86\\MpCmdRun.exe",
"HASH": "58e53bc3063592707395ca724ebd2cf179229803820a514362ff74386ab92164",
"PROCESS_ID": 17988
},
"routing": {
"arch": 2,
"did": "",
"event_id": "c87a5fc7-35e4-4a08-8499-e338a2f77258",
"event_time": 1774468116001,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 6329,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "9727bc761f07cc5e5c90b93a69c43c07",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "7c581c551d21abed32cb331369c43c19"
}
},
"detect_id": "e09f924d-7895-47e3-a1cd-ef7569c43c1a",
"gen_time": 1774468122331,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774468116\u0026selected=7c581c551d21abed32cb331369c43c19",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "c87a5fc7-35e4-4a08-8499-e338a2f77258",
"event_time": 1774468116001,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 6329,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "9727bc761f07cc5e5c90b93a69c43c07",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "7c581c551d21abed32cb331369c43c19"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
"source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
"ts": 1774468122000
}
๐ Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
๐ค Triage JSON
{
"confidence": 0.967,
"false_positive_reason": "Legitimate system binary extraction during Microsoft Defender update",
"investigation_questions": [
"Is this part of a scheduled Microsoft Defender update?"
],
"ioc_analysis": "The hash 58e53bc3063592707395ca724ebd2cf179229803820a514362ff74386ab92164 is verified as a legitimate, Microsoft-signed binary for MpCmdRun.exe with 0/72 malicious detections on VirusTotal. The file path C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\x86\\MpCmdRun.exe is a standard temporary location used during system updates.",
"iocs_extracted": [
"58e53bc3063592707395ca724ebd2cf179229803820a514362ff74386ab92164"
],
"mitre_techniques": [],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"No further action required",
"Consider tuning the \u0027NEW FILE WRITE BYTES SAMPLE GRAB\u0027 rule to exclude Microsoft-signed binaries in C:\\Windows\\Temp if noise persists"
],
"risk_score": 8,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detection triggered on a legitimate Microsoft Malware Protection Command Line Utility (MpCmdRun.exe) being written to a temporary directory. This behavior is characteristic of a standard Microsoft Defender Antimalware Platform update process where binaries are extracted to a temporary GUID-named folder before execution.\n\n**IOC Analysis:** The hash 58e53bc3063592707395ca724ebd2cf179229803820a514362ff74386ab92164 is verified as a legitimate, Microsoft-signed binary for MpCmdRun.exe with 0/72 malicious detections on VirusTotal. The file path C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\x86\\MpCmdRun.exe is a standard temporary location used during system updates.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive triggered by legitimate Microsoft Defender update processes extracting binaries to temporary folders. The process MpCmdRun.exe is a known Windows system binary running from its expected location during updates.\n\n**IOC Analysis:** The file path C:\\Windows\\Temp\\...\\MpCmdRun.exe is standard behavior for Microsoft Defender signature updates. The hash matches known legitimate Microsoft binaries, and the process spawned a child (MpSigStub.exe) which is also part of the legitimate update mechanism. No suspicious activity was detected during investigation.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection is a false positive as MpCmdRun.exe is a legitimate Microsoft binary used for Windows Defender updates, commonly found in temporary locations during system maintenance.\n\n**IOC Analysis:** The FILE_PATH \u0027C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\x86\\MpCmdRun.exe\u0027 is in a temporary directory, which is standard for Microsoft Defender updates. The HASH \u002758e53bc3063592707395ca724ebd2cf179229803820a514362ff74386ab92164\u0027 is verified as a legitimate Microsoft binary with no malicious detections. The process is spawned by a legitimate system process and shows no malicious activity.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 100% confidence)",
"qwen3.5:4b +RAG: false_positive (informational, 95% confidence)",
"deepseek-r1:8b +RAG: false_positive (informational, 95% confidence)"
],
"votes": [
{
"confidence": 1.0,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"had_rag": true,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"had_rag": true,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
โ๏ธ Response Actions
| Action | Target | Status | Result | |
|---|---|---|---|---|
| tag | executed | Tag applied | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | File Activity Investigation: 0 events found | ||
| tag | executed | Tag applied | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | Persistence Check: 0 events found |
๐ Add Note
๐ฌ Notes (7)
๐ค FusionSOC AI
2026-03-25T22:58
๐ค FusionSOC AI
2026-03-25T22:57
๐ค FusionSOC AI
2026-03-25T22:57
๐ค FusionSOC AI
2026-03-25T22:01
๐ค FusionSOC AI
2026-03-25T22:01
๐ค FusionSOC AI
2026-03-25T22:00
๐ค FusionSOC AI
2026-03-25T22:00
๐ Timeline
2026-03-26T14:34:17
analyst
Status changed: investigating โ closed
2026-03-26T14:34:09
analyst
Analyst classified as False Positive (FP)
2026-03-25T22:58:13
FusionSOC AI
Note by FusionSOC AI: ## ๐ณ๏ธ Secondary Vote (RAG-Enhanced) **Vote:** UNANIMOUS (3/3 โ FALSE POSITIVE) - gemini-cli: false_positive (low, 100% ...
2026-03-25T22:57:59
FusionSOC AI
Status changed: investigating โ investigating
2026-03-25T22:57:59
FusionSOC
Action recommended โ executed: Persistence Check: 0 events found
2026-03-25T22:57:59
FusionSOC AI
Note by FusionSOC AI: ## ๐ Persistence Check **Action:** Consider tuning the 'NEW FILE WRITE BYTES SAMPLE GRAB' rule to exclude Microsoft-sign...
2026-03-25T22:57:57
FusionSOC
Response action queued: recommended on Consider tuning the 'NEW FILE WRITE BYTES SAMPLE GRAB' rule to exclude Microsoft-signed binaries in C:\Windows\Temp if noise persists
2026-03-25T22:57:57
FusionSOC AI
Status changed: investigating โ investigating
2026-03-25T22:57:57
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-25T22:57:57
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** No further action required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/...
2026-03-25T22:57:57
FusionSOC
Response action queued: recommended on No further action required
2026-03-25T22:57:57
FusionSOC
Action tag โ executed: Tag applied
2026-03-25T22:57:56
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T22:01:17
FusionSOC AI
Note by FusionSOC AI: ## ๐ณ๏ธ Secondary Vote (RAG-Enhanced) **Vote:** UNANIMOUS (3/3 โ FALSE POSITIVE) - gemini-cli: false_positive (low, 100% ...
2026-03-25T22:01:01
FusionSOC AI
Status changed: investigating โ investigating
2026-03-25T22:01:01
FusionSOC
Action recommended โ executed: File Activity Investigation: 0 events found
2026-03-25T22:01:01
FusionSOC AI
Note by FusionSOC AI: ## ๐ File Activity Investigation **Action:** Tune the detection rule 'general.NEW FILE WRITE BYTES SAMPLE GRAB' to exclu...
2026-03-25T22:00:59
FusionSOC
Response action queued: recommended on Tune the detection rule 'general.NEW FILE WRITE BYTES SAMPLE GRAB' to exclude known Microsoft-signed binaries in temporary update directories.
2026-03-25T22:00:59
FusionSOC AI
Status changed: open โ investigating
2026-03-25T22:00:59
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-25T22:00:59
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close this case as a false positive. **Sensor:** `ed8f7c3f-3a1a-49...` **Time Wi...
2026-03-25T22:00:58
FusionSOC
Response action queued: recommended on Close this case as a false positive.
2026-03-25T22:00:58
FusionSOC
Action tag โ executed: Tag applied
2026-03-25T22:00:58
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T22:00:58
FusionSOC AI
Detection e09f924d-7895-47e3-a1cd-ef7569c43c1a triaged as false_positive (low severity, confidence: 100%)
2026-03-25T22:00:58
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB