Case #571
general.NEW FILE WRITE BYTES SAMPLE GRAB
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
New Code Atypical Path
low
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 93% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\MpCmdRun.exe
HASH:
3b5b209292376581b6effa0037a37cd5f431c9626f079d385761454c039a9912
PROCESS_ID:
17988
IOCs:
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\MpCmdRun.exe
3b5b209292376581b6effa0037a37cd5f431c9626f079d385761454c039a9912
MITRE:
T1059
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Code Atypical Path",
"detect": {
"event": {
"FILE_PATH": "C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpCmdRun.exe",
"HASH": "3b5b209292376581b6effa0037a37cd5f431c9626f079d385761454c039a9912",
"PROCESS_ID": 17988
},
"routing": {
"arch": 2,
"did": "",
"event_id": "67689e46-71e2-47ea-a5e2-9e2f35f601f1",
"event_time": 1774468112518,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 3739,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "9727bc761f07cc5e5c90b93a69c43c07",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "e7b5290a9307e383c98404ee69c43c13"
}
},
"detect_id": "b9a21b02-b2b9-4d21-be10-a8d669c43c14",
"gen_time": 1774468116258,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774468112\u0026selected=e7b5290a9307e383c98404ee69c43c13",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "67689e46-71e2-47ea-a5e2-9e2f35f601f1",
"event_time": 1774468112518,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 3739,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "9727bc761f07cc5e5c90b93a69c43c07",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "e7b5290a9307e383c98404ee69c43c13"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
"source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
"ts": 1774468116000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 70
}
}
}
Triage JSON
{
"confidence": 0.933,
"false_positive_reason": "Legitimate system update or maintenance activity staging files in a temporary directory.",
"investigation_questions": [
"Was there a simultaneous Windows Defender or Windows Update event recorded in the system logs?",
"Is the file digitally signed by Microsoft?"
],
"ioc_analysis": "The file \u0027MpCmdRun.exe\u0027 is a known-good Microsoft binary. The path \u0027C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\\u0027 is consistent with temporary staging during OS or security software updates. No malicious command-line arguments or anomalous behaviors were associated with this specific file write event.",
"iocs_extracted": [
"C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpCmdRun.exe",
"3b5b209292376581b6effa0037a37cd5f431c9626f079d385761454c039a9912"
],
"mitre_techniques": [
"T1059"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Whitelist MpCmdRun.exe in standard Windows temporary update directories if this rule continues to trigger frequently.",
"Verify the digital signature of the staged binary to ensure it is signed by Microsoft."
],
"risk_score": 10,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection triggered on a file write of MpCmdRun.exe in C:\\Windows\\Temp, which is a common staging location for Windows Defender and Windows Update operations. MpCmdRun.exe is a legitimate Microsoft Malware Protection Command Line Utility, and its presence in a GUID-based subdirectory within the Temp folder aligns with standard system maintenance and update behavior.\n\n**IOC Analysis:** The file \u0027MpCmdRun.exe\u0027 is a known-good Microsoft binary. The path \u0027C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\\u0027 is consistent with temporary staging during OS or security software updates. No malicious command-line arguments or anomalous behaviors were associated with this specific file write event.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection of MpCmdRun.exe in C:\\Windows\\Temp is a known false positive for Windows Defender update operations. The process is legitimate Microsoft software and the investigation confirmed no suspicious activity.\n\n**IOC Analysis:** MpCmdRun.exe is a legitimate Windows Defender component used for malware protection updates. Its presence in the Temp folder with a GUID subdirectory is standard behavior for Windows Update and Defender maintenance tasks. The associated child process MpSigStub.exe also confirms this as a Microsoft-signed update operation.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event flagged a file write of MpCmdRun.exe, a legitimate Microsoft tool for malware protection, in a temporary directory. Investigation confirmed no malicious activity, as it aligns with standard Windows update behavior.\n\n**IOC Analysis:** FILE_PATH: C:\\Windows\\Temp\\... is a common staging location for system updates, and MpCmdRun.exe is a known legitimate binary for Windows Defender. The hash matches a Microsoft-signed file, and no malicious indicators were found. The process spawned MpSigStub.exe, which is also legitimate for update-related tasks.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 95% confidence)",
"qwen3.5:4b +RAG: false_positive (informational, 95% confidence)",
"deepseek-r1:8b +RAG: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"had_rag": true,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"had_rag": true,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied |
| recommended | Whitelist MpCmdRun.exe in standard Windows temporary update directories if this rule continues to trigger frequently. | executed | General Activity Sweep: 0 events found |
| recommended | Verify the digital signature of the staged binary to ensure it is signed by Microsoft. | executed | General Activity Sweep: 0 events found |
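Both recommended actions were recorded as executed with the result "General Activity Sweep: 0 events found". That is a sweep outcome, not a signature verification, so the two investigation questions the triage itself raised (is the staged binary Microsoft-signed, and was there a concurrent Defender or Windows Update event) are still open on this page. The PowerShell below is an added example, not part of the case record or of the FusionSOC/LimaCharlie tooling, that answers both on the host. It assumes it is run elevated on desktop-3nfb237 while the staged file still exists; the 5-minute window, the `$result` field names and the Microsoft CN pattern are assumptions of the example.

```powershell
# Added example for Case #571; not part of the case record or of the SOC tooling.
# Assumptions: run elevated on desktop-3nfb237 while the staged file still exists;
# the 5-minute window and the $result field names are arbitrary choices.
param(
    [string]$FilePath       = 'C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\MpCmdRun.exe',
    [string]$ExpectedSha256 = '3b5b209292376581b6effa0037a37cd5f431c9626f079d385761454c039a9912',
    [long]  $EventTimeMs    = 1774468112518,   # routing.event_time from the detection
    [int]   $WindowMinutes  = 5
)

$result = [ordered]@{
    FileStillPresent     = $false
    HashMatch            = $false   # bytes on disk are the bytes the detection reported
    SignatureValid       = $false   # Authenticode chain validates on this host
    SignerIsMicrosoft    = $false   # leaf certificate issued to a Microsoft CN
    Signer               = $null
    DefenderUpdateEvents = 0        # Defender log: 2000 = definitions updated, 2002 = engine updated
    WindowsUpdateEvents  = 0        # WindowsUpdateClient log: 19 = installation successful
}

if (Test-Path -LiteralPath $FilePath) {
    $result.FileStillPresent = $true

    # 1. Compare the on-disk hash with the detection before trusting any other property.
    $actual = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    $result.HashMatch = ($actual -ieq $ExpectedSha256)

    # 2. Authenticode: status must be Valid (not NotSigned, HashMismatch or UnknownError)
    #    and the signer subject must be a Microsoft CN.
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath
    $result.SignatureValid = ($sig.Status -eq 'Valid')
    if ($null -ne $sig.SignerCertificate) {
        $result.Signer            = $sig.SignerCertificate.Subject
        $result.SignerIsMicrosoft = $sig.SignerCertificate.Subject -match '^CN=Microsoft (Windows|Corporation)\b'
    }
} else {
    # Update staging directories are cleaned up quickly; the SAMPLE GRAB rule captured the
    # bytes, so the same hash and signature checks can be run on that captured sample instead.
    Write-Warning "$FilePath no longer exists on disk; verify the captured sample instead."
}

# 3. Corroborating Defender / Windows Update activity around the write time.
$t     = [DateTimeOffset]::FromUnixTimeMilliseconds($EventTimeMs).LocalDateTime
$start = $t.AddMinutes(-$WindowMinutes)
$end   = $t.AddMinutes($WindowMinutes)

$result.DefenderUpdateEvents = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2000, 2002
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue).Count

$result.WindowsUpdateEvents = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
    Id        = 19
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue).Count

# Only all three together support the "update staging" explanation the triage gave.
$result.ConsistentWithUpdateStaging = $result.HashMatch -and $result.SignatureValid -and
    $result.SignerIsMicrosoft -and (($result.DefenderUpdateEvents + $result.WindowsUpdateEvents) -gt 0)

[pscustomobject]$result
```

A valid Microsoft signature only establishes that the bytes are Microsoft's; it says nothing about why PROCESS_ID 17988 wrote them to that directory, so the writing process and its parent should still be checked in the sensor timeline before the whitelist action is taken. If the rule is tuned, tune on the verified signer rather than on the file name or the `C:\Windows\Temp\<GUID>\` path: a copy of the same signed binary dropped there by something else would match a name-and-path allowlist just as well.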
Notes (4)
FusionSOC AI
2026-03-25T22:27
FusionSOC AI
2026-03-25T22:27
FusionSOC AI
2026-03-25T22:27
FusionSOC AI
2026-03-25T22:27
Timeline
2026-03-26T14:34:17
analyst
Status changed: investigating → closed
2026-03-26T14:34:09
analyst
Analyst classified as False Positive (FP)
2026-03-25T22:27:28
FusionSOC AI
Note by FusionSOC AI: ## Secondary Vote (RAG-Enhanced) **Vote:** UNANIMOUS (3/3 → FALSE POSITIVE) - gemini-cli: false_positive (low, 95% c...
2026-03-25T22:27:13
FusionSOC AI
Status changed: investigating → investigating
2026-03-25T22:27:13
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T22:27:13
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Verify the digital signature of the staged binary to ensure it is signed by Micr...
2026-03-25T22:27:13
FusionSOC
Response action queued: recommended on Verify the digital signature of the staged binary to ensure it is signed by Microsoft.
2026-03-25T22:27:13
FusionSOC AI
Status changed: open → investigating
2026-03-25T22:27:13
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T22:27:13
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Whitelist MpCmdRun.exe in standard Windows temporary update directories if this ...
2026-03-25T22:27:12
FusionSOC
Response action queued: recommended on Whitelist MpCmdRun.exe in standard Windows temporary update directories if this rule continues to trigger frequently.
2026-03-25T22:27:12
FusionSOC
Action tag → executed: Tag applied
2026-03-25T22:27:12
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T22:27:12
FusionSOC AI
Detection b9a21b02-b2b9-4d21-be10-a8d669c43c14 triaged as false_positive (low severity, confidence: 95%)
2026-03-25T22:27:12
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB