Case #465
service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
Change PowerShell Policies to an Insecure Level
low
Rule: service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 92% · Verdict: false positive
Event Data:
BASE_ADDRESS:
9764864
COMMAND_LINE:
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Remove-Item -Force -Recurse 'C:\Program Files (x86)\Google\Chrome Remote Desktop\146.0.7680.5\minidumps'
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
HASH:
3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5
MEMORY_USAGE:
24248320
PARENT:
{'BASE_ADDRESS': 14942208, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 13615104, 'PARENT_ATOM': '23a7a08840c587c857088e4669c19e54', 'PARENT_PROCESS_ID': 26224, 'PROCESS_ID': 32732, 'THIS_ATOM': '0077d031151f6ea2ed35db9269c19e54', 'THREADS': 7, 'TIMESTAMP': 1774296660033, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
32732
PROCESS_ID:
39540
THREADS:
14
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs:
{'type': 'file_path', 'value': 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'}
{'type': 'hash', 'value': '3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5'}
{'type': 'command_line', 'value': "-NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Remove-Item -Force -Recurse 'C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\146.0.7680.5\\minidumps'"}
Analyst Declaration:
Raw Detection JSON
{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Change PowerShell Policies to an Insecure Level",
  "detect": {
    "event": {
      "BASE_ADDRESS": 9764864,
      "COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Remove-Item -Force -Recurse \u0027C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\146.0.7680.5\\minidumps\u0027",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
      "MEMORY_USAGE": 24248320,
      "PARENT": {
        "BASE_ADDRESS": 14942208,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 13615104,
        "PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
        "PARENT_PROCESS_ID": 26224,
        "PROCESS_ID": 32732,
        "THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
        "THREADS": 7,
        "TIMESTAMP": 1774296660033,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 32732,
      "PROCESS_ID": 39540,
      "THREADS": 14,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "b5502f57-9c08-43c3-b488-c636744e2cf1",
      "event_time": 1774296670223,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": -603,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "0077d031151f6ea2ed35db9269c19e54",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory",
        "yara_detection_disk"
      ],
      "this": "3a9c5a81adf2cc7a643ffe1f69c19e5e"
    }
  },
  "detect_id": "3aa8f3f5-e10c-4138-bf50-3f5369c19e5d",
  "detect_mtd": {
    "author": "frack113",
    "description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
    "falsepositives": [
      "Administrator scripts"
    ],
    "level": "medium",
    "references": [
      "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
      "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4",
      "https://adsecurity.org/?p=2604",
      "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/"
    ],
    "tags": [
      "attack.execution",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774296669623,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296670\u0026selected=3a9c5a81adf2cc7a643ffe1f69c19e5e",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "b5502f57-9c08-43c3-b488-c636744e2cf1",
    "event_time": 1774296670223,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": -603,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "0077d031151f6ea2ed35db9269c19e54",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory",
      "yara_detection_disk"
    ],
    "this": "3a9c5a81adf2cc7a643ffe1f69c19e5e"
  },
  "rule_tags": [
    "attack.execution",
    "attack.t1059.001",
    "ext:ext-sigma"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level",
  "ts": 1774296671000
}
Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 11,
      "type-unsupported": 4,
      "undetected": 61
    }
  }
}
Triage JSON
{
  "confidence": 0.925,
  "false_positive_reason": "PowerShell is running from its expected location, is signed by Microsoft, and is being invoked by MsiExec.exe under SYSTEM context to perform legitimate file cleanup of Chrome Remote Desktop minidumps. Historical analyst feedback consistently marks similar detections as false positives.",
  "investigation_questions": [
    "What triggered this PowerShell execution?",
    "Is there a scheduled task or service running this cleanup?"
  ],
  "ioc_analysis": "The PowerShell executable is located in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe, which is the expected location for this binary. It is signed (FILE_IS_SIGNED: 1) and running under NT AUTHORITY\\SYSTEM, indicating it was likely invoked by a legitimate administrative process (MsiExec.exe). The command removes minidumps from Chrome Remote Desktop, which is a common maintenance task.",
  "iocs_extracted": [
    {
      "type": "file_path",
      "value": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
    },
    {
      "type": "hash",
      "value": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5"
    },
    {
      "type": "command_line",
      "value": "-NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Remove-Item -Force -Recurse \u0027C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\146.0.7680.5\\minidumps\u0027"
    }
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Verify the parent process chain to confirm legitimate administrative context",
    "Monitor for similar PowerShell invocations from other trusted sources",
    "No immediate action required"
  ],
  "risk_score": 12,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because the process is running as NT AUTHORITY\\SYSTEM from its expected location (SysWOW64) and is signed by Microsoft. The action targets minidumps from Chrome Remote Desktop, which is a legitimate administrative cleanup task.\n\n**IOC Analysis:** The PowerShell executable is located in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe, which is the expected location for this binary. It is signed (FILE_IS_SIGNED: 1) and running under NT AUTHORITY\\SYSTEM, indicating it was likely invoked by a legitimate administrative process (MsiExec.exe). The command removes minidumps from Chrome Remote Desktop, which is a common maintenance task.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves a PowerShell process running from a legitimate system location and signed by Microsoft. It was spawned by MsiExec.exe, which is commonly used for software installations, and the command appears to be removing files related to Google Chrome Remote Desktop, likely part of a routine update or cleanup. Given the historical context of false positives for this rule, the event is likely benign.\n\n**IOC Analysis:** The FILE_PATH is C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe, which is a legitimate Windows system binary located in the expected directory. The HASH is for a signed Microsoft binary, and the FILE_IS_SIGNED is 1, indicating authenticity. The COMMAND_LINE involves file removal, which could be part of legitimate system maintenance or software updates. The user context (NT AUTHORITY\\SYSTEM) and parent process (MsiExec.exe) suggest this is likely a scheduled task or automated process, not malicious activity.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Process Tree Investigation: 50 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
Notes (5)
FusionSOC AI · 2026-03-24T13:56
FusionSOC AI · 2026-03-24T13:56
FusionSOC AI · 2026-03-24T13:56
FusionSOC AI · 2026-03-24T13:56
FusionSOC AI · 2026-03-24T13:56
Timeline
2026-03-24T13:58:53 · analyst · Status changed: investigating → closed
2026-03-24T13:58:48 · analyst · Analyst classified as False Positive (FP)
2026-03-24T13:56:17 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T13:56:17 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T13:56:17 · FusionSOC AI · Note by FusionSOC AI: ## General Activity Sweep **Action:** No immediate action required **Sensor:** `8f3a47be-5629-4c...` **Time Window:** ...
2026-03-24T13:56:16 · FusionSOC · Response action queued: recommended on No immediate action required
2026-03-24T13:56:16 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T13:56:16 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T13:56:16 · FusionSOC AI · Note by FusionSOC AI: ## General Activity Sweep **Action:** Monitor for similar PowerShell invocations from other trusted sources **Sensor:*...
2026-03-24T13:56:16 · FusionSOC · Response action queued: recommended on Monitor for similar PowerShell invocations from other trusted sources
2026-03-24T13:56:16 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T13:56:16 · FusionSOC · Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-24T13:56:16 · FusionSOC AI · Note by FusionSOC AI: ## Process Tree Investigation **Action:** Verify the parent process chain to confirm legitimate administrative context...
2026-03-24T13:56:15 · FusionSOC · Response action queued: recommended on Verify the parent process chain to confirm legitimate administrative context
2026-03-24T13:56:15 · FusionSOC AI · Status changed: open → investigating
2026-03-24T13:56:15 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T13:56:15 · FusionSOC AI · Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T13:56:15 · FusionSOC · Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T13:56:15 · FusionSOC · Action tag → executed: Tag applied
2026-03-24T13:56:15 · FusionSOC · Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T13:56:15 · FusionSOC AI · Detection 3aa8f3f5-e10c-4138-bf50-3f5369c19e5d triaged as false_positive (low severity, confidence: 92%)
2026-03-24T13:56:15 · FusionSOC AI · Case created from detection: service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level