โ
Case #464
service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level
๐ท๏ธ Analyst Verdict Classification
FP by analyst๐ค AI Analysis
๐ Detections (1)
Change PowerShell Policies to an Insecure Level
low
Rule: service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level
Hostname: desktop-atsepsk ยท Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 92% ยท Verdict: false positive
Event Data:
BASE_ADDRESS:
9764864
COMMAND_LINE:
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass (Get-Item 'C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion').Delete()
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
HASH:
3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5
MEMORY_USAGE:
49205248
PARENT:
{'BASE_ADDRESS': 14942208, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 13615104, 'PARENT_ATOM': '23a7a08840c587c857088e4669c19e54', 'PARENT_PROCESS_ID': 26224, 'PROCESS_ID': 32732, 'THIS_ATOM': '0077d031151f6ea2ed35db9269c19e54', 'THREADS': 7, 'TIMESTAMP': 1774296660033, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
32732
PROCESS_ID:
35828
THREADS:
25
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs:
{'type': 'file_path', 'value': 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'}
{'type': 'hash', 'value': '3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5'}
MITRE:
T1560.001
T1059.004
Analyst Declaration:
๐ Raw Detection JSON
{
"author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
"cat": "Change PowerShell Policies to an Insecure Level",
"detect": {
"event": {
"BASE_ADDRESS": 9764864,
"COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass (Get-Item \u0027C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\CurrentVersion\u0027).Delete()",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
"MEMORY_USAGE": 49205248,
"PARENT": {
"BASE_ADDRESS": 14942208,
"COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
"HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
"MEMORY_USAGE": 13615104,
"PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
"PARENT_PROCESS_ID": 26224,
"PROCESS_ID": 32732,
"THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
"THREADS": 7,
"TIMESTAMP": 1774296660033,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 32732,
"PROCESS_ID": 35828,
"THREADS": 25,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "9fa51a59-54b7-4b2c-ab6c-a324ebcbe294",
"event_time": 1774296670971,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": -284,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0077d031151f6ea2ed35db9269c19e54",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory",
"yara_detection_disk"
],
"this": "9518d3fccae24725ea4e9dde69c19e5f"
}
},
"detect_id": "53c6686a-9df1-4010-a598-dbeb69c19e5e",
"detect_mtd": {
"author": "frack113",
"description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
"falsepositives": [
"Administrator scripts"
],
"level": "medium",
"references": [
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4",
"https://adsecurity.org/?p=2604",
"https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/"
],
"tags": [
"attack.execution",
"attack.t1059.001"
]
},
"gen_time": 1774296670691,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296670\u0026selected=9518d3fccae24725ea4e9dde69c19e5f",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "9fa51a59-54b7-4b2c-ab6c-a324ebcbe294",
"event_time": 1774296670971,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": -284,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0077d031151f6ea2ed35db9269c19e54",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory",
"yara_detection_disk"
],
"this": "9518d3fccae24725ea4e9dde69c19e5f"
},
"rule_tags": [
"attack.execution",
"attack.t1059.001",
"ext:ext-sigma"
],
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level",
"ts": 1774296671000
}
๐ Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 11,
"type-unsupported": 4,
"undetected": 61
}
}
}
๐ค Triage JSON
{
"confidence": 0.925,
"false_positive_reason": "PowerShell is running from its expected location with Microsoft signature, and the action (deleting a Chrome Remote Desktop file) is consistent with administrative maintenance tasks. The ExecutionPolicy Bypass flag is commonly used by administrators for testing or when policies prevent execution.",
"investigation_questions": [
"What triggered this PowerShell execution?",
"Is there a legitimate service or user account that initiated this command?",
"Has Chrome Remote Desktop been configured to allow file deletion?"
],
"ioc_analysis": "The process path C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is the legitimate Windows PowerShell installation. The hash matches known Microsoft-signed binaries. The ExecutionPolicy Bypass flag is often used by administrators for testing or maintenance tasks, especially when running under SYSTEM context.",
"iocs_extracted": [
{
"type": "file_path",
"value": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
},
{
"type": "hash",
"value": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5"
}
],
"mitre_techniques": [
"T1560.001",
"T1059.004"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Review the parent process context to confirm administrative intent",
"Verify if this is part of a scheduled maintenance task",
"Monitor for subsequent suspicious activity from this process"
],
"risk_score": 12,
"severity": "low",
"summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis event is a false positive because the process is running from its expected location and is signed by Microsoft. The command attempts to delete a Chrome Remote Desktop file using PowerShell, which is a common administrative task.\n\n**IOC Analysis:** The process path C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is the legitimate Windows PowerShell installation. The hash matches known Microsoft-signed binaries. The ExecutionPolicy Bypass flag is often used by administrators for testing or maintenance tasks, especially when running under SYSTEM context.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves PowerShell.exe running from its expected location and signed, with a command line deleting a file from Chrome Remote Desktop. Given the benign context, legitimate parent process, and historical false positive feedback, this is likely a false positive.\n\n**IOC Analysis:** The FILE_PATH is a legitimate Windows PowerShell binary in the SysWOW64 directory, the HASH is Microsoft-signed, and the FILE_IS_SIGNED is 1, indicating a trusted source. The command line appears to be part of a legitimate update or maintenance process for Chrome Remote Desktop, despite running as SYSTEM, which is common for system-level tasks.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 2,
"vote_summary": [
"qwen3.5:4b: false_positive (low, 95% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
โ๏ธ Response Actions
| Action | Target | Status | Result | |
|---|---|---|---|---|
| tag | executed | Tag applied | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | Process Tree Investigation: 50 events found | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | Process Tree Investigation: 50 events found |
๐ Add Note
๐ฌ Notes (5)
๐ค FusionSOC AI
2026-03-24T13:52
๐ค FusionSOC AI
2026-03-24T13:52
๐ค FusionSOC AI
2026-03-24T13:52
๐ค FusionSOC AI
2026-03-24T13:52
๐ค FusionSOC AI
2026-03-24T13:52
๐ Timeline
2026-03-24T13:58:53
analyst
Status changed: investigating โ closed
2026-03-24T13:58:48
analyst
Analyst classified as False Positive (FP)
2026-03-24T13:52:53
FusionSOC AI
Status changed: investigating โ investigating
2026-03-24T13:52:53
FusionSOC
Action recommended โ executed: Process Tree Investigation: 50 events found
2026-03-24T13:52:53
FusionSOC AI
Note by FusionSOC AI: ## ๐ Process Tree Investigation **Action:** Monitor for subsequent suspicious activity from this process **Sensor:** `8f...
2026-03-24T13:52:53
FusionSOC
Response action queued: recommended on Monitor for subsequent suspicious activity from this process
2026-03-24T13:52:53
FusionSOC AI
Status changed: investigating โ investigating
2026-03-24T13:52:53
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T13:52:53
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Verify if this is part of a scheduled maintenance task **Sensor:** `8f3a47be-562...
2026-03-24T13:52:53
FusionSOC
Response action queued: recommended on Verify if this is part of a scheduled maintenance task
2026-03-24T13:52:53
FusionSOC AI
Status changed: investigating โ investigating
2026-03-24T13:52:53
FusionSOC
Action recommended โ executed: Process Tree Investigation: 50 events found
2026-03-24T13:52:53
FusionSOC AI
Note by FusionSOC AI: ## ๐ Process Tree Investigation **Action:** Review the parent process context to confirm administrative intent **Sensor:...
2026-03-24T13:52:52
FusionSOC
Response action queued: recommended on Review the parent process context to confirm administrative intent
2026-03-24T13:52:52
FusionSOC AI
Status changed: open โ investigating
2026-03-24T13:52:52
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T13:52:52
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T13:52:52
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T13:52:52
FusionSOC
Action tag โ executed: Tag applied
2026-03-24T13:52:51
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T13:52:51
FusionSOC AI
Detection 53c6686a-9df1-4010-a598-dbeb69c19e5e triaged as false_positive (low severity, confidence: 92%)
2026-03-24T13:52:51
FusionSOC AI
Case created from detection: service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level