โ
Case #461
service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level
๐ท๏ธ Analyst Verdict Classification
FP by analyst๐ค AI Analysis
๐ Detections (1)
Change PowerShell Policies to an Insecure Level
low
Rule: service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level
Hostname: desktop-atsepsk ยท Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 92% ยท Verdict: false positive
Event Data:
BASE_ADDRESS:
9764864
COMMAND_LINE:
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass New-Item -ItemType SymbolicLink -Path 'C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion' -Target 'C:\Program Files (x86)\Google\Chrome Remote Desktop\147.0.7727.3\' -Force
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
HASH:
3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5
MEMORY_USAGE:
58789888
PARENT:
{'BASE_ADDRESS': 14942208, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 13615104, 'PARENT_ATOM': '23a7a08840c587c857088e4669c19e54', 'PARENT_PROCESS_ID': 26224, 'PROCESS_ID': 32732, 'THIS_ATOM': '0077d031151f6ea2ed35db9269c19e54', 'THREADS': 7, 'TIMESTAMP': 1774296660033, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
32732
PROCESS_ID:
41768
THREADS:
29
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs:
{'type': 'file_path', 'value': 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'}
{'type': 'hash', 'value': '3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5'}
Analyst Declaration:
๐ Raw Detection JSON
{
"author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
"cat": "Change PowerShell Policies to an Insecure Level",
"detect": {
"event": {
"BASE_ADDRESS": 9764864,
"COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass New-Item -ItemType SymbolicLink -Path \u0027C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\CurrentVersion\u0027 -Target \u0027C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\147.0.7727.3\\\u0027 -Force",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
"MEMORY_USAGE": 58789888,
"PARENT": {
"BASE_ADDRESS": 14942208,
"COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
"HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
"MEMORY_USAGE": 13615104,
"PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
"PARENT_PROCESS_ID": 26224,
"PROCESS_ID": 32732,
"THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
"THREADS": 7,
"TIMESTAMP": 1774296660033,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 32732,
"PROCESS_ID": 41768,
"THREADS": 29,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "f71eb6dd-fabd-4b8b-bdba-39cdde8db667",
"event_time": 1774296672849,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": -153,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0077d031151f6ea2ed35db9269c19e54",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory",
"yara_detection_disk"
],
"this": "aceebfabbf4d8db073e2635169c19e61"
}
},
"detect_id": "46ff516c-ca23-4baf-ae63-7f6069c19e60",
"detect_mtd": {
"author": "frack113",
"description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
"falsepositives": [
"Administrator scripts"
],
"level": "medium",
"references": [
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4",
"https://adsecurity.org/?p=2604",
"https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/"
],
"tags": [
"attack.execution",
"attack.t1059.001"
]
},
"gen_time": 1774296672696,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296672\u0026selected=aceebfabbf4d8db073e2635169c19e61",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "f71eb6dd-fabd-4b8b-bdba-39cdde8db667",
"event_time": 1774296672849,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": -153,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0077d031151f6ea2ed35db9269c19e54",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory",
"yara_detection_disk"
],
"this": "aceebfabbf4d8db073e2635169c19e61"
},
"rule_tags": [
"attack.execution",
"attack.t1059.001",
"ext:ext-sigma"
],
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level",
"ts": 1774296672000
}
๐ Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 11,
"type-unsupported": 4,
"undetected": 61
}
}
}
๐ค Triage JSON
{
"confidence": 0.925,
"false_positive_reason": "PowerShell executed by msiexec.exe under SYSTEM context with correct file path and Microsoft signature is a common benign scenario during software installation",
"investigation_questions": [
"Is Chrome Remote Desktop installed on this system?",
"What Windows Update or maintenance operation triggered this MSIExec process?"
],
"ioc_analysis": "The PowerShell executable is located in C:\\Windows\\SysWOW64\\ which is the correct path for 32-bit system binaries. The process is signed (FILE_IS_SIGNED: 1) and has a known Microsoft hash. The parent process is msiexec.exe, indicating this is part of a Windows Installer operation. The command creates a symbolic link for Chrome Remote Desktop, which is a legitimate software component.",
"iocs_extracted": [
{
"type": "file_path",
"value": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
},
{
"type": "hash",
"value": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5"
}
],
"mitre_techniques": [],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Log this event as a false positive in the SIEM",
"Verify Chrome Remote Desktop installation is legitimate",
"Monitor for similar PowerShell execution from trusted sources"
],
"risk_score": 10,
"severity": "low",
"summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis event is a false positive because the process is running from its expected location (SysWOW64), is Microsoft-signed, and is executing under SYSTEM context during a legitimate Windows Update or maintenance operation initiated by MSIExec.\n\n**IOC Analysis:** The PowerShell executable is located in C:\\Windows\\SysWOW64\\ which is the correct path for 32-bit system binaries. The process is signed (FILE_IS_SIGNED: 1) and has a known Microsoft hash. The parent process is msiexec.exe, indicating this is part of a Windows Installer operation. The command creates a symbolic link for Chrome Remote Desktop, which is a legitimate software component.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe event involves a legitimate PowerShell process creating a symbolic link, likely part of Chrome Remote Desktop installation or update, with no malicious indicators detected. The process is running from a known system directory and is signed, making it unlikely to be malicious.\n\n**IOC Analysis:** The FILE_PATH C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is a known Microsoft binary located in the expected directory for 32-bit system files. It is signed, confirming its legitimacy. The command line is performing a symbolic link operation, which is common in software updates and is not inherently malicious. The parent process MsiExec.exe is also legitimate and signed, supporting the benign nature.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 2,
"vote_summary": [
"qwen3.5:4b: false_positive (low, 95% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
โ๏ธ Response Actions
| Action | Target | Status | Result | |
|---|---|---|---|---|
| tag | executed | Tag applied | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found |
๐ Add Note
๐ฌ Notes (5)
๐ค FusionSOC AI
2026-03-24T13:46
๐ค FusionSOC AI
2026-03-24T13:46
๐ค FusionSOC AI
2026-03-24T13:46
๐ค FusionSOC AI
2026-03-24T13:46
๐ค FusionSOC AI
2026-03-24T13:46
๐ Timeline
2026-03-24T13:58:53
analyst
Status changed: investigating โ closed
2026-03-24T13:58:48
analyst
Analyst classified as False Positive (FP)
2026-03-24T13:46:47
FusionSOC AI
Status changed: investigating โ investigating
2026-03-24T13:46:47
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T13:46:47
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Monitor for similar PowerShell execution from trusted sources **Sensor:** `8f3a4...
2026-03-24T13:46:47
FusionSOC
Response action queued: recommended on Monitor for similar PowerShell execution from trusted sources
2026-03-24T13:46:47
FusionSOC AI
Status changed: investigating โ investigating
2026-03-24T13:46:47
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T13:46:47
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Verify Chrome Remote Desktop installation is legitimate **Sensor:** `8f3a47be-56...
2026-03-24T13:46:47
FusionSOC
Response action queued: recommended on Verify Chrome Remote Desktop installation is legitimate
2026-03-24T13:46:47
FusionSOC AI
Status changed: investigating โ investigating
2026-03-24T13:46:47
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T13:46:47
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Log this event as a false positive in the SIEM **Sensor:** `8f3a47be-5629-4c...`...
2026-03-24T13:46:46
FusionSOC
Response action queued: recommended on Log this event as a false positive in the SIEM
2026-03-24T13:46:46
FusionSOC AI
Status changed: open โ investigating
2026-03-24T13:46:46
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T13:46:46
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T13:46:46
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T13:46:46
FusionSOC
Action tag โ executed: Tag applied
2026-03-24T13:46:46
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T13:46:46
FusionSOC AI
Detection 46ff516c-ca23-4baf-ae63-7f6069c19e60 triaged as false_positive (low severity, confidence: 92%)
2026-03-24T13:46:46
FusionSOC AI
Case created from detection: service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level