Case #462
service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution
Analyst Verdict Classification: FP by analyst
AI Analysis
Detections (1)
Non Interactive PowerShell Process Spawned
informational
Rule: service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 95% · Verdict: false positive
Event Data:
BASE_ADDRESS: 9764864
COMMAND_LINE: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass New-Item -ItemType SymbolicLink -Path 'C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion' -Target 'C:\Program Files (x86)\Google\Chrome Remote Desktop\147.0.7727.3\' -Force
FILE_IS_SIGNED: 1
FILE_PATH: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
HASH: 3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5
MEMORY_USAGE: 58789888
PARENT: {'BASE_ADDRESS': 14942208, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 13615104, 'PARENT_ATOM': '23a7a08840c587c857088e4669c19e54', 'PARENT_PROCESS_ID': 26224, 'PROCESS_ID': 32732, 'THIS_ATOM': '0077d031151f6ea2ed35db9269c19e54', 'THREADS': 7, 'TIMESTAMP': 1774296660033, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID: 32732
PROCESS_ID: 41768
THREADS: 29
USER_NAME: NT AUTHORITY\SYSTEM
IOCs:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\syswow64\MsiExec.exe
C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion
C:\Program Files (x86)\Google\Chrome Remote Desktop\147.0.7727.3\
MITRE:
T1059.001
Analyst Declaration:
Raw Detection JSON
{
"author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
"cat": "Non Interactive PowerShell Process Spawned",
"detect": {
"event": {
"BASE_ADDRESS": 9764864,
"COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass New-Item -ItemType SymbolicLink -Path \u0027C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\CurrentVersion\u0027 -Target \u0027C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\147.0.7727.3\\\u0027 -Force",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
"MEMORY_USAGE": 58789888,
"PARENT": {
"BASE_ADDRESS": 14942208,
"COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
"HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
"MEMORY_USAGE": 13615104,
"PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
"PARENT_PROCESS_ID": 26224,
"PROCESS_ID": 32732,
"THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
"THREADS": 7,
"TIMESTAMP": 1774296660033,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 32732,
"PROCESS_ID": 41768,
"THREADS": 29,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "f71eb6dd-fabd-4b8b-bdba-39cdde8db667",
"event_time": 1774296672849,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": -153,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0077d031151f6ea2ed35db9269c19e54",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory",
"yara_detection_disk"
],
"this": "aceebfabbf4d8db073e2635169c19e61"
}
},
"detect_id": "a15c0280-ccd3-4f4f-8a5a-6e3f69c19e60",
"detect_mtd": {
"author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"falsepositives": [
"Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies"
],
"level": "low",
"references": [
"https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html"
],
"tags": [
"attack.execution",
"attack.t1059.001"
]
},
"gen_time": 1774296672697,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296672\u0026selected=aceebfabbf4d8db073e2635169c19e61",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "f71eb6dd-fabd-4b8b-bdba-39cdde8db667",
"event_time": 1774296672849,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": -153,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0077d031151f6ea2ed35db9269c19e54",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory",
"yara_detection_disk"
],
"this": "aceebfabbf4d8db073e2635169c19e61"
},
"rule_tags": [
"ext:ext-sigma",
"attack.execution",
"attack.t1059.001"
],
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution",
"ts": 1774296672000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 11,
"type-unsupported": 4,
"undetected": 61
}
}
}
Triage JSON
{
"confidence": 0.95,
"false_positive_reason": "Legitimate software installation/update activity (Google Chrome Remote Desktop) via the Windows Installer service (MsiExec).",
"investigation_questions": [
"None"
],
"ioc_analysis": "The processes involved (powershell.exe and MsiExec.exe) are legitimate, Microsoft-signed system binaries located in their expected system directories. The command line is specifically targeting the Google Chrome Remote Desktop installation path to manage version-specific symbolic links, which is a common administrative task for this application.",
"iocs_extracted": [
"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"C:\\Windows\\syswow64\\MsiExec.exe",
"C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\CurrentVersion",
"C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\147.0.7727.3\\"
],
"mitre_techniques": [
"T1059.001"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"No action required",
"Consider tuning the detection rule to exclude MsiExec.exe as a parent when the command line targets known-good application installation paths like Google Chrome Remote Desktop."
],
"risk_score": 8,
"severity": "informational",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThis detection is a false positive triggered by a legitimate software update for Google Chrome Remote Desktop. The Windows Installer (MsiExec.exe) spawned a non-interactive PowerShell process to create a symbolic link for the application\u0027s current version, which is standard behavior for this software during an update.\n\n**IOC Analysis:** The processes involved (powershell.exe and MsiExec.exe) are legitimate, Microsoft-signed system binaries located in their expected system directories. The command line is specifically targeting the Google Chrome Remote Desktop installation path to manage version-specific symbolic links, which is a common administrative task for this application.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis event is a false positive where PowerShell was spawned by MSIExec to create a symbolic link for Google Chrome Remote Desktop installation. The process runs under SYSTEM with a known Microsoft-signed hash and follows expected Windows update/installation patterns.\n\n**IOC Analysis:** The PowerShell execution uses standard non-interactive flags (-NoLogo -NonInteractive -NoProfile) but is invoked by MSIExec.exe during legitimate software installation. The symbolic link creation targets an existing Google Chrome Remote Desktop directory, which is a common deployment pattern for remote access tools. The process hash matches the known Microsoft-signed version of PowerShell.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe PowerShell process was spawned by a legitimate MsiExec.exe process and is creating a symbolic link for Google Chrome Remote Desktop, which is likely part of normal system operation. Given the historical false positive rate for this detection rule, this event is deemed benign.\n\n**IOC Analysis:** The FILE_PATH is a legitimate PowerShell executable located in the expected directory (C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe), and it is signed. The command line targets Google Chrome Remote Desktop files, which are legitimate. The parent process, MsiExec.exe, is a known Microsoft-signed system binary, confirming the context is likely benign. The hash matches a known good signature.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (informational, 100% confidence)",
"qwen3.5:4b: false_positive (low, 95% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 1.0,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
Notes (4)
FusionSOC AI · 2026-03-24T13:48
FusionSOC AI · 2026-03-24T13:48
FusionSOC AI · 2026-03-24T13:48
FusionSOC AI · 2026-03-24T13:48
Timeline
2026-03-24T13:58:53 · analyst · Status changed: investigating → closed
2026-03-24T13:58:48 · analyst · Analyst classified as False Positive (FP)
2026-03-24T13:48:40 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T13:48:40 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T13:48:40 · FusionSOC AI · Note by FusionSOC AI: ## General Activity Sweep **Action:** Consider tuning the detection rule to exclude MsiExec.exe as a parent when the c...
2026-03-24T13:48:40 · FusionSOC · Response action queued: recommended on Consider tuning the detection rule to exclude MsiExec.exe as a parent when the command line targets known-good application installation paths like Google Chrome Remote Desktop.
2026-03-24T13:48:40 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T13:48:40 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T13:48:40 · FusionSOC AI · Note by FusionSOC AI: ## General Activity Sweep **Action:** No action required **Sensor:** `8f3a47be-5629-4c...` **Time Window:** +/- 2 mins...
2026-03-24T13:48:40 · FusionSOC · Response action queued: recommended on No action required
2026-03-24T13:48:40 · FusionSOC AI · Status changed: open → investigating
2026-03-24T13:48:40 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T13:48:40 · FusionSOC AI · Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T13:48:40 · FusionSOC · Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T13:48:40 · FusionSOC · Action tag → executed: Tag applied
2026-03-24T13:48:40 · FusionSOC · Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T13:48:40 · FusionSOC AI · Detection a15c0280-ccd3-4f4f-8a5a-6e3f69c19e60 triaged as false_positive (informational severity, confidence: 95%)
2026-03-24T13:48:40 · FusionSOC AI · Case created from detection: service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution