{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Change PowerShell Policies to an Insecure Level",
  "detect": {
    "event": {
      "COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Remove-Item -Force \u0027C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\146.0.7680.5\\*.log\u0027",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
      "PARENT": {
        "BASE_ADDRESS": 14942208,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 13615104,
        "PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
        "PARENT_PROCESS_ID": 26224,
        "PROCESS_ID": 32732,
        "THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
        "THREADS": 7,
        "TIMESTAMP": 1774296660033,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 32732,
      "PROCESS_ID": 5944
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "11c66d4f-1f77-410e-8695-a7b9a0006a54",
      "event_time": 1774296669416,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": 117,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "0077d031151f6ea2ed35db9269c19e54",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory",
        "yara_detection_disk"
      ],
      "this": "835af718162d05ef712113f669c19e5e"
    }
  },
  "detect_id": "fc571d8d-e9dd-4b08-9986-7a7f69c19e5d",
  "detect_mtd": {
    "author": "frack113",
    "description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
    "falsepositives": [
      "Administrator scripts"
    ],
    "level": "medium",
    "references": [
      "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
      "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4",
      "https://adsecurity.org/?p=2604",
      "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/"
    ],
    "tags": [
      "attack.execution",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774296669543,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296669\u0026selected=835af718162d05ef712113f669c19e5e",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "11c66d4f-1f77-410e-8695-a7b9a0006a54",
    "event_time": 1774296669416,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": 117,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "0077d031151f6ea2ed35db9269c19e54",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory",
      "yara_detection_disk"
    ],
    "this": "835af718162d05ef712113f669c19e5e"
  },
  "rule_tags": [
    "attack.execution",
    "attack.t1059.001",
    "ext:ext-sigma"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level",
  "ts": 1774296669000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 11,
      "type-unsupported": 4,
      "undetected": 61
    }
  }
}

{
  "confidence": 0.943,
  "false_positive_reason": "Software installation or update process (MsiExec) using PowerShell for cleanup.",
  "investigation_questions": [
    "Was there a recent installation or update of Chrome Remote Desktop on this host?"
  ],
  "ioc_analysis": "The binaries involved (powershell.exe and MsiExec.exe) are both signed by Microsoft and located in their respective standard system directories (SysWOW64). The hash of the PowerShell binary is known-good. The command line\u0027s use of \u0027-ExecutionPolicy Bypass\u0027 is common in installer scripts to ensure successful execution regardless of the local policy.",
  "iocs_extracted": [
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\syswow64\\MsiExec.exe",
    "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5"
  ],
  "mitre_techniques": [
    "T1059.001",
    "T1218.007"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Whitelist PowerShell executions by MsiExec.exe that specifically target Chrome Remote Desktop log cleanup if the rule continues to generate noise.",
    "No immediate remediation required on the host."
  ],
  "risk_score": 8,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.98\nThis detection is a false positive triggered by a legitimate PowerShell cleanup script executed by the Windows Installer (MsiExec.exe). The script is deleting log files in the \u0027C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\u0027 directory, which is standard behavior during a software installation or update process.\n\n**IOC Analysis:** The binaries involved (powershell.exe and MsiExec.exe) are both signed by Microsoft and located in their respective standard system directories (SysWOW64). The hash of the PowerShell binary is known-good. The command line\u0027s use of \u0027-ExecutionPolicy Bypass\u0027 is common in installer scripts to ensure successful execution regardless of the local policy.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis event is a false positive because the process is running from its expected location and is signed by Microsoft. The command line shows a legitimate removal of Chrome Remote Desktop logs, which is consistent with administrative maintenance tasks.\n\n**IOC Analysis:** The PowerShell executable is located at C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe, which is the expected location for this binary. The process is signed (FILE_IS_SIGNED: 1) and has a known Microsoft hash. The command removes log files from Chrome Remote Desktop, which is a common administrative task.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe PowerShell process is legitimate and running from a trusted directory, with a valid Microsoft signature. The command deletes log files from a legitimate application directory, likely part of routine cleanup, and is spawned by a trusted process, indicating a false positive.\n\n**IOC Analysis:** The FILE_PATH C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is a known-good Microsoft binary in the expected directory. The HASH is signed by Microsoft, confirming legitimacy. The COMMAND_LINE involves deleting log files from Google Chrome Remote Desktop, which is a common benign operation for cleanup. The PARENT_PROCESS is MsiExec.exe, a legitimate installer, further supporting benign activity.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 98% confidence)",
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.98,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}