low · closed · false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

Non Interactive PowerShell Process Spawned (low)
Rule: service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 93% · Verdict: false positive
Event Data:
BASE_ADDRESS:
9764864
COMMAND_LINE:
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass (Get-Item 'C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion').Delete()
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
HASH:
3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5
MEMORY_USAGE:
49205248
PARENT:
{'BASE_ADDRESS': 14942208, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 13615104, 'PARENT_ATOM': '23a7a08840c587c857088e4669c19e54', 'PARENT_PROCESS_ID': 26224, 'PROCESS_ID': 32732, 'THIS_ATOM': '0077d031151f6ea2ed35db9269c19e54', 'THREADS': 7, 'TIMESTAMP': 1774296660033, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
32732
PROCESS_ID:
35828
THREADS:
25
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; C:\Windows\syswow64\MsiExec.exe; C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion
MITRE: T1059.001
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Non Interactive PowerShell Process Spawned",
  "detect": {
    "event": {
      "BASE_ADDRESS": 9764864,
      "COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass (Get-Item \u0027C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\CurrentVersion\u0027).Delete()",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
      "MEMORY_USAGE": 49205248,
      "PARENT": {
        "BASE_ADDRESS": 14942208,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 13615104,
        "PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
        "PARENT_PROCESS_ID": 26224,
        "PROCESS_ID": 32732,
        "THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
        "THREADS": 7,
        "TIMESTAMP": 1774296660033,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 32732,
      "PROCESS_ID": 35828,
      "THREADS": 25,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "9fa51a59-54b7-4b2c-ab6c-a324ebcbe294",
      "event_time": 1774296670971,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": -284,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "0077d031151f6ea2ed35db9269c19e54",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory",
        "yara_detection_disk"
      ],
      "this": "9518d3fccae24725ea4e9dde69c19e5f"
    }
  },
  "detect_id": "bdf3fbdf-b43b-4ce8-9e21-e07969c19e5e",
  "detect_mtd": {
    "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
    "description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
    "falsepositives": [
      "Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies"
    ],
    "level": "low",
    "references": [
      "https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html"
    ],
    "tags": [
      "attack.execution",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774296670749,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296670\u0026selected=9518d3fccae24725ea4e9dde69c19e5f",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "9fa51a59-54b7-4b2c-ab6c-a324ebcbe294",
    "event_time": 1774296670971,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": -284,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "0077d031151f6ea2ed35db9269c19e54",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory",
      "yara_detection_disk"
    ],
    "this": "9518d3fccae24725ea4e9dde69c19e5f"
  },
  "rule_tags": [
    "ext:ext-sigma",
    "attack.execution",
    "attack.t1059.001"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution",
  "ts": 1774296671000
}
🌐 Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 11,
      "type-unsupported": 4,
      "undetected": 61
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.933,
  "false_positive_reason": "Legitimate software maintenance via Windows Installer (MsiExec)",
  "investigation_questions": [
    "Is Chrome Remote Desktop being updated or uninstalled on this host?"
  ],
  "ioc_analysis": "The process powershell.exe and its parent MsiExec.exe are both signed binaries running from their standard Windows system directories (SysWOW64). The target file path in Program Files (x86) is a known-good location for Chrome Remote Desktop.",
  "iocs_extracted": [
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\syswow64\\MsiExec.exe",
    "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\CurrentVersion"
  ],
  "mitre_techniques": [
    "T1059.001"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "No action required",
    "Consider adding an exclusion for MsiExec spawning PowerShell to clean up Chrome Remote Desktop directories to reduce noise."
  ],
  "risk_score": 13,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive triggered by a legitimate Windows Installer (MsiExec) process performing maintenance on Google Chrome Remote Desktop. The PowerShell command is used to delete a directory during an installation or update, which is standard behavior for MsiExec when running as SYSTEM.\n\n**IOC Analysis:** The process powershell.exe and its parent MsiExec.exe are both signed binaries running from their standard Windows system directories (SysWOW64). The target file path in Program Files (x86) is a known-good location for Chrome Remote Desktop.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because the PowerShell process was spawned by Microsoft Installer (msiexec.exe) running under SYSTEM context to perform legitimate system maintenance or software installation tasks. The command line indicates deletion of a Google Chrome Remote Desktop file, which is consistent with normal application behavior.\n\n**IOC Analysis:** The PowerShell executable is located in its expected Windows directory (SysWOW64), is Microsoft-signed (FILE_IS_SIGNED: 1), and has a known-good hash. The parent process msiexec.exe is also legitimate and running from System32. The command deletes a file associated with Google Chrome Remote Desktop, which is not inherently malicious.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection flagged a PowerShell process spawn, but it was initiated by MsiExec.exe, a legitimate system process, and the command appears to be part of a normal uninstallation routine for Chrome Remote Desktop. Given the benign context and historical false positive data, this is likely not malicious.\n\n**IOC Analysis:** The FILE_PATH C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is a legitimate Microsoft binary location. The HASH is Microsoft-signed, confirming its authenticity. The command line action targets a known legitimate application directory, suggesting it\u0027s part of a standard process uninstallation, not malicious activity.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 95% confidence)",
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}
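The third recommended action above ("an exclusion for MsiExec spawning PowerShell") is broader than the evidence in this case supports: Windows Installer custom actions can run arbitrary PowerShell as SYSTEM, so a malicious MSI would inherit a blanket parent-based exclusion. The following is an added example, written for this page and not code from FusionSOC, LimaCharlie or the Sigma project. It expresses the page's rule (powershell.exe whose parent is not a user GUI shell such as explorer.exe) and an exclusion scoped to exactly what the case shows: a signed MsiExec parent in the Windows directory, SYSTEM context, a fixed set of switches, and a script that is one `(Get-Item '...').Delete()` under the Chrome Remote Desktop install directory. Events use the NEW_PROCESS field names from the Raw Detection JSON. Only `CASE_EVENT` is taken from the page; the other events, the encoded payload and the helper names `matches_rule`, `is_crd_msi_cleanup` and `triage` are constructed for the example.

```python
"""Tuning 'Non Interactive PowerShell Process Spawned' without a blanket MsiExec exclusion.

Added example for this case page, not FusionSOC/LimaCharlie/Sigma code.
Event dicts follow the NEW_PROCESS shape shown in the Raw Detection JSON.
"""
import re

USER_SHELLS = ("\\explorer.exe",)              # parents that indicate an interactive session
POWERSHELL = ("\\powershell.exe", "\\pwsh.exe")
MSIEXEC_PATHS = {
    "c:\\windows\\syswow64\\msiexec.exe",
    "c:\\windows\\system32\\msiexec.exe",
}
# The only switches the installer's cleanup step is allowed to use.
ALLOWED_SWITCHES = {"-nologo", "-noninteractive", "-noprofile", "-executionpolicy", "bypass"}
# The whole script must be one Get-Item(...).Delete() on a path under the Chrome
# Remote Desktop directory: no pipes, semicolons, backticks or $ expansion.
CRD_DELETE = re.compile(
    r"\(Get-Item '(C:\\Program Files \(x86\)\\Google\\Chrome Remote Desktop\\[^'\\;|&`$]+)'\)\.Delete\(\)",
    re.IGNORECASE,
)


def _split_cmdline(cmd):
    """Split a Windows command line into (image, remaining args); image may be quoted."""
    m = re.match(r'^"([^"]+)"\s*(.*)$', cmd) or re.match(r"^(\S+)\s*(.*)$", cmd)
    if not m:
        return "", ""
    return m.group(1), m.group(2)


def matches_rule(ev):
    """The page's rule: a PowerShell image whose parent is not a user GUI shell."""
    image = ev["FILE_PATH"].lower()
    parent_image = (ev.get("PARENT") or {}).get("FILE_PATH", "").lower()
    return image.endswith(POWERSHELL) and not parent_image.endswith(USER_SHELLS)


def is_crd_msi_cleanup(ev):
    """Narrow exclusion: signed MsiExec -> signed PowerShell as SYSTEM running the fixed cleanup script."""
    parent = ev.get("PARENT") or {}
    if parent.get("FILE_PATH", "").lower() not in MSIEXEC_PATHS:
        return False
    if ev.get("FILE_IS_SIGNED") != 1 or parent.get("FILE_IS_SIGNED") != 1:
        return False
    if ev.get("USER_NAME", "").upper() != "NT AUTHORITY\\SYSTEM":
        return False
    image, args = _split_cmdline(ev["COMMAND_LINE"])
    if image.lower() != ev["FILE_PATH"].lower():
        return False                          # command line and loaded image disagree
    script_at = args.find("(")
    if script_at < 0:
        return False                          # no inline script, e.g. -EncodedCommand payloads
    switches = args[:script_at].lower().split()
    if not switches or any(s not in ALLOWED_SWITCHES for s in switches):
        return False                          # -WindowStyle Hidden, -EncodedCommand, ... stay visible
    return CRD_DELETE.fullmatch(args[script_at:].strip()) is not None


def triage(ev):
    """Return 'alert', 'suppressed' (rule hit but exclusion applied) or None (no rule hit)."""
    if not matches_rule(ev):
        return None
    return "suppressed" if is_crd_msi_cleanup(ev) else "alert"


PS_EXE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CASE_EVENT = {  # taken from the Raw Detection JSON on this page
    "FILE_PATH": PS_EXE,
    "COMMAND_LINE": '"' + PS_EXE + "\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass "
                    r"(Get-Item 'C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion').Delete()",
    "FILE_IS_SIGNED": 1,
    "USER_NAME": r"NT AUTHORITY\SYSTEM",
    "PARENT": {"FILE_PATH": r"C:\Windows\syswow64\MsiExec.exe", "FILE_IS_SIGNED": 1},
}
# Constructed events (not from the case): what a blanket MsiExec exclusion would hide.
ENCODED_MSI = dict(CASE_EVENT, COMMAND_LINE='"' + PS_EXE + '" -NonInteractive -WindowStyle Hidden -EncodedCommand SQBFAFgA')
OTHER_DELETE = dict(CASE_EVENT, COMMAND_LINE='"' + PS_EXE + "\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass "
                    r"(Get-Item 'C:\Users\Public\dropper.exe').Delete()")
CHAINED = dict(CASE_EVENT, COMMAND_LINE=CASE_EVENT["COMMAND_LINE"] + "; iex($env:p)")
USER_SHELL = dict(CASE_EVENT, COMMAND_LINE='"' + PS_EXE + '"', USER_NAME=r"DESKTOP-ATSEPSK\alice",
                  PARENT={"FILE_PATH": r"C:\Windows\explorer.exe", "FILE_IS_SIGNED": 1})

if __name__ == "__main__":
    for name, ev in [("case event", CASE_EVENT), ("encoded msi", ENCODED_MSI),
                     ("other delete", OTHER_DELETE), ("chained", CHAINED), ("user shell", USER_SHELL)]:
        print(f"{name:13} -> {triage(ev)}")
```

The case event is suppressed while the three constructed MsiExec-parented variants still alert, which is the difference between tuning the rule to this installer's cleanup step and silencing every PowerShell child of MsiExec. The same constraints (parent path and signature, user context, switch allow-list, exact script) carry over to whatever rule language the SOC uses.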

⚙️ Response Actions

Action | Target | Status | Result
tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied
recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found
recommended | No action required | executed | General Activity Sweep: 0 events found
recommended | Consider adding an exclusion for MsiExec spawning PowerShell to clean up Chrome Remote Desktop directories to reduce noise. | executed | General Activity Sweep: 0 events found


💬 Notes (4)

🤖 FusionSOC AI 2026-03-24T13:49
🤖 FusionSOC AI 2026-03-24T13:49
🤖 FusionSOC AI 2026-03-24T13:49
🤖 FusionSOC AI 2026-03-24T13:49

📜 Timeline

2026-03-24T13:58:53  analyst: Status changed: investigating → closed
2026-03-24T13:58:48  analyst: Analyst classified as False Positive (FP)
2026-03-24T13:49:30  FusionSOC AI: Status changed: investigating → investigating
2026-03-24T13:49:30  FusionSOC: Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T13:49:30  FusionSOC AI: Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Consider adding an exclusion for MsiExec spawning PowerShell to clean up Chrome ...
2026-03-24T13:49:30  FusionSOC: Response action queued: recommended on Consider adding an exclusion for MsiExec spawning PowerShell to clean up Chrome Remote Desktop directories to reduce noise.
2026-03-24T13:49:30  FusionSOC AI: Status changed: investigating → investigating
2026-03-24T13:49:30  FusionSOC: Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T13:49:30  FusionSOC AI: Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** No action required **Sensor:** `8f3a47be-5629-4c...` **Time Window:** +/- 2 mins...
2026-03-24T13:49:29  FusionSOC: Response action queued: recommended on No action required
2026-03-24T13:49:29  FusionSOC AI: Status changed: open → investigating
2026-03-24T13:49:29  FusionSOC: Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T13:49:29  FusionSOC AI: Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T13:49:29  FusionSOC: Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T13:49:29  FusionSOC: Action tag → executed: Tag applied
2026-03-24T13:49:29  FusionSOC: Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T13:49:29  FusionSOC AI: Detection bdf3fbdf-b43b-4ce8-9e21-e07969c19e5e triaged as false_positive (low severity, confidence: 93%)
2026-03-24T13:49:29  FusionSOC AI: Case created from detection: service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution