Has anyone seen a false flag for "WIN-CAC-NET-CONNECTION-NO-CMDLINE-1.star"

I'm running into an issue where Sophos flags dllhost.exe as suspicious because it runs with no command line arguments. That IS suspicious; my issue is that when I dug into it, that particular process ID it flags on my end does have a command line argument, but only if I run Process Explorer as admin. If I run it with user rights, I see a blank command line argument. I THINK this is what is causing the false flag in Sophos Central.

I'm wondering if anyone else has come across this and can shed some light on it? Does Sophos run with admin credentials?

BELOW IS USER

BELOW IS ADMIN

I've attached some images showing what I mean.

Thanks in advance! 



[edited by: Gladys at 8:04 AM (GMT -7) on 27 Jun 2023]
  • Hey Qoosh, I appreciate the reply! It's not that I'm running any sort of command; this is an automated process. svchost launches dllhost. In the case above, this particular launching of dllhost (pid: 3456) by Windows is privileged, so even when logged in as an admin and viewing the process, the command line is blank. Only when you specifically escalate out of the "user" profile (even if it's an admin user) do you get to see the actual command line running here.

    So my thought process is: if I have to escalate manually to see it, even as an admin, Sophos, even with proper admin rights provided, would likely need to as well. So Sophos simply does not have the rights to view this command line and falsely marks it as blank, when in all reality it is not blank.
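An added example (not code from the thread or from Sophos) for telling a genuinely empty dllhost.exe command line apart from one the collector simply could not read; it assumes Windows PowerShell 5.1 or later and that Win32_Process.CommandLine comes back null when the WMI provider, impersonating the caller, cannot read the target process:

```powershell
# Added example: triage "no command line" hits on dllhost.exe by checking whether the
# command line is truly empty or just unreadable from the collector's security context.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-CommandLineStatus {
    param([string]$ProcessName = 'dllhost.exe')

    $elevated = Test-IsElevated
    Get-CimInstance Win32_Process -Filter "Name = '$ProcessName'" | ForEach-Object {
        $proc = $_
        # Assumption: CommandLine is $null when the target's PEB could not be read
        # (e.g. a higher-integrity process viewed from a non-elevated session) and
        # '' only when it is genuinely empty.
        $cmd = $proc.CommandLine
        $status = if ($null -eq $cmd) { 'UNREADABLE' }
                  elseif ($cmd.Trim() -eq '') { 'EMPTY' }
                  else { 'PRESENT' }

        # An UNREADABLE result from a non-elevated collector is a visibility gap,
        # not evidence of a blank command line; re-run elevated before treating the
        # hit as "no command line".
        $verdict = if ($status -eq 'UNREADABLE' -and -not $elevated) { 'RERUN-ELEVATED' }
                   elseif ($status -eq 'UNREADABLE') { 'INSPECT-PROTECTED-PROCESS' }
                   elseif ($status -eq 'EMPTY') { 'TRUE-POSITIVE-CANDIDATE' }
                   else { 'HAS-CMDLINE' }

        # Parent (expected: svchost.exe) and owner help confirm the launch path.
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $owner  = Invoke-CimMethod -InputObject $proc -MethodName GetOwner

        [pscustomobject]@{
            ProcessId         = $proc.ProcessId
            ParentName        = if ($parent) { $parent.Name } else { '<exited>' }
            Owner             = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<denied>' }
            CommandLineStatus = $status
            CollectorElevated = $elevated
            Verdict           = $verdict
        }
    }
}

Get-CommandLineStatus | Format-Table -AutoSize
```

Run it once from a normal session and once from an elevated one; a PID that moves from UNREADABLE to PRESENT confirms the blank value was a rights problem in the collector, not an actual argument-less launch.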