Case #466
service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
Non Interactive PowerShell Process Spawned
informational
Rule: service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 94% · Verdict: false positive
Event Data:
COMMAND_LINE:
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Remove-Item -Force 'C:\Program Files (x86)\Google\Chrome Remote Desktop\146.0.7680.5\*.log'
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
HASH:
3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5
PARENT:
{'BASE_ADDRESS': 14942208, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 13615104, 'PARENT_ATOM': '23a7a08840c587c857088e4669c19e54', 'PARENT_PROCESS_ID': 26224, 'PROCESS_ID': 32732, 'THIS_ATOM': '0077d031151f6ea2ed35db9269c19e54', 'THREADS': 7, 'TIMESTAMP': 1774296660033, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
32732
PROCESS_ID:
5944
IOCs:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\syswow64\MsiExec.exe
3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5
34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c
MITRE:
T1059.001
Analyst Declaration:
Raw Detection JSON
{
"author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
"cat": "Non Interactive PowerShell Process Spawned",
"detect": {
"event": {
"COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Remove-Item -Force \u0027C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\146.0.7680.5\\*.log\u0027",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
"PARENT": {
"BASE_ADDRESS": 14942208,
"COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
"HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
"MEMORY_USAGE": 13615104,
"PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
"PARENT_PROCESS_ID": 26224,
"PROCESS_ID": 32732,
"THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
"THREADS": 7,
"TIMESTAMP": 1774296660033,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 32732,
"PROCESS_ID": 5944
},
"routing": {
"arch": 2,
"did": "",
"event_id": "11c66d4f-1f77-410e-8695-a7b9a0006a54",
"event_time": 1774296669416,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 117,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0077d031151f6ea2ed35db9269c19e54",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory",
"yara_detection_disk"
],
"this": "835af718162d05ef712113f669c19e5e"
}
},
"detect_id": "1b60f729-4d9e-45ff-a91a-e47a69c19e5d",
"detect_mtd": {
"author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"falsepositives": [
"Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies"
],
"level": "low",
"references": [
"https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html"
],
"tags": [
"attack.execution",
"attack.t1059.001"
]
},
"gen_time": 1774296669540,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296669\u0026selected=835af718162d05ef712113f669c19e5e",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "11c66d4f-1f77-410e-8695-a7b9a0006a54",
"event_time": 1774296669416,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 117,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0077d031151f6ea2ed35db9269c19e54",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory",
"yara_detection_disk"
],
"this": "835af718162d05ef712113f669c19e5e"
},
"rule_tags": [
"ext:ext-sigma",
"attack.execution",
"attack.t1059.001"
],
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution",
"ts": 1774296670000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 11,
"type-unsupported": 4,
"undetected": 61
}
}
}
Triage JSON
{
"confidence": 0.943,
"false_positive_reason": "Legitimate administrative or maintenance task performed by a trusted system installer.",
"investigation_questions": [
"Was there a scheduled update for Google Chrome Remote Desktop around this time?"
],
"ioc_analysis": "The PowerShell binary (powershell.exe) and the parent process (MsiExec.exe) are both legitimate, Microsoft-signed system binaries located in standard Windows directories. The command line targets a specific application log path in \u0027C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\\u0027, which is a known-good location for this software.",
"iocs_extracted": [
"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"C:\\Windows\\syswow64\\MsiExec.exe",
"3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
"34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c"
],
"mitre_techniques": [
"T1059.001"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"No action required.",
"Consider suppressing this rule for MsiExec spawning PowerShell for maintenance tasks if volume is high."
],
"risk_score": 10,
"severity": "informational",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.98\nPowerShell was invoked by the Windows Installer (MsiExec.exe) to perform routine cleanup of log files for Google Chrome Remote Desktop. This activity is consistent with standard software installation or update procedures where installers purge temporary logs.\n\n**IOC Analysis:** The PowerShell binary (powershell.exe) and the parent process (MsiExec.exe) are both legitimate, Microsoft-signed system binaries located in standard Windows directories. The command line targets a specific application log path in \u0027C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\\u0027, which is a known-good location for this software.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because the PowerShell process is running from its expected location (SysWOW64), is Microsoft-signed, and is spawned by MSIExec during legitimate Windows Update or maintenance operations. The command targets Google Chrome Remote Desktop logs for cleanup, which is consistent with administrative maintenance tasks.\n\n**IOC Analysis:** The process path C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe matches known-good system binary locations. The file is signed (FILE_IS_SIGNED: 1) and the hash corresponds to a legitimate Microsoft-signed PowerShell executable. The parent process (MsiExec.exe) indicates this was triggered by Windows Installer, likely during maintenance or update operations.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe PowerShell process is running from the expected location in SysWOW64 and is Microsoft-signed, likely part of a legitimate system process or update initiated by MsiExec.exe. The command removes log files, which is common for software maintenance.\n\n**IOC Analysis:** FILE_PATH is located in C:\\Windows\\SysWOW64\\, which is expected for 32-bit Windows binaries, and the process is a known legitimate system component. FILE_IS_SIGNED=1 confirms it is Microsoft-signed, reducing suspicion. The command line targets a specific directory for log cleanup, which aligns with normal software update behavior.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (informational, 98% confidence)",
"qwen3.5:4b: false_positive (low, 95% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 0.98,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
Notes (4)
FusionSOC AI · 2026-03-24T13:57
FusionSOC AI · 2026-03-24T13:57
FusionSOC AI · 2026-03-24T13:57
FusionSOC AI · 2026-03-24T13:57
Timeline
2026-03-24T13:58:38 analyst: Status changed: investigating → closed
2026-03-24T13:58:35 analyst: Analyst classified as False Positive (FP)
2026-03-24T13:57:50 FusionSOC AI: Status changed: investigating → investigating
2026-03-24T13:57:50 FusionSOC: Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T13:57:50 FusionSOC AI: Note by FusionSOC AI: ## General Activity Sweep **Action:** Consider suppressing this rule for MsiExec spawning PowerShell for maintenance t...
2026-03-24T13:57:50 FusionSOC: Response action queued: recommended on Consider suppressing this rule for MsiExec spawning PowerShell for maintenance tasks if volume is high.
2026-03-24T13:57:50 FusionSOC AI: Status changed: investigating → investigating
2026-03-24T13:57:50 FusionSOC: Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T13:57:50 FusionSOC AI: Note by FusionSOC AI: ## General Activity Sweep **Action:** No action required. **Sensor:** `8f3a47be-5629-4c...` **Time Window:** +/- 2 min...
2026-03-24T13:57:50 FusionSOC: Response action queued: recommended on No action required.
2026-03-24T13:57:50 FusionSOC AI: Status changed: open → investigating
2026-03-24T13:57:50 FusionSOC: Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T13:57:49 FusionSOC AI: Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T13:57:49 FusionSOC: Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T13:57:49 FusionSOC: Action tag → executed: Tag applied
2026-03-24T13:57:49 FusionSOC: Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T13:57:49 FusionSOC AI: Detection 1b60f729-4d9e-45ff-a91a-e47a69c19e5d triaged as false_positive (informational severity, confidence: 94%)
2026-03-24T13:57:49 FusionSOC AI: Case created from detection: service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution