{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Non Interactive PowerShell Process Spawned",
  "detect": {
    "event": {
      "BASE_ADDRESS": 9764864,
      "COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Remove-Item -Force -Recurse \u0027C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\146.0.7680.5\\minidumps\u0027",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
      "MEMORY_USAGE": 24248320,
      "PARENT": {
        "BASE_ADDRESS": 14942208,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 13615104,
        "PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
        "PARENT_PROCESS_ID": 26224,
        "PROCESS_ID": 32732,
        "THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
        "THREADS": 7,
        "TIMESTAMP": 1774296660033,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 32732,
      "PROCESS_ID": 39540,
      "THREADS": 14,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "b5502f57-9c08-43c3-b488-c636744e2cf1",
      "event_time": 1774296670223,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": -603,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "0077d031151f6ea2ed35db9269c19e54",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory",
        "yara_detection_disk"
      ],
      "this": "3a9c5a81adf2cc7a643ffe1f69c19e5e"
    }
  },
  "detect_id": "b981a3f5-973e-4a0f-a45d-7fc469c19e5d",
  "detect_mtd": {
    "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
    "description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
    "falsepositives": [
      "Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies"
    ],
    "level": "low",
    "references": [
      "https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html"
    ],
    "tags": [
      "attack.execution",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774296669628,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296670\u0026selected=3a9c5a81adf2cc7a643ffe1f69c19e5e",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "b5502f57-9c08-43c3-b488-c636744e2cf1",
    "event_time": 1774296670223,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": -603,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "0077d031151f6ea2ed35db9269c19e54",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory",
      "yara_detection_disk"
    ],
    "this": "3a9c5a81adf2cc7a643ffe1f69c19e5e"
  },
  "rule_tags": [
    "ext:ext-sigma",
    "attack.execution",
    "attack.t1059.001"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution",
  "ts": 1774296669000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 11,
      "type-unsupported": 4,
      "undetected": 61
    }
  }
}

{
  "confidence": 0.95,
  "false_positive_reason": "Legitimate software installation/maintenance by Windows Installer (MsiExec)",
  "investigation_questions": [
    "Is Google Chrome Remote Desktop a sanctioned application in the environment?"
  ],
  "ioc_analysis": "The binaries involved (powershell.exe and MsiExec.exe) are legitimate, Microsoft-signed system files located in their expected directories. The command line parameters are non-malicious and specifically target a directory associated with a reputable third-party application.",
  "iocs_extracted": [
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\syswow64\\MsiExec.exe",
    "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\146.0.7680.5\\minidumps",
    "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
    "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c"
  ],
  "mitre_techniques": [
    "T1059.001"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Whitelists or suppressions can be considered for MsiExec spawning PowerShell with this specific command line pattern."
  ],
  "risk_score": 7,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThis detection is a false positive triggered by a legitimate software maintenance task. PowerShell was invoked by the Windows Installer (MsiExec.exe) to clean up minidump files during an update or uninstallation of Google Chrome Remote Desktop.\n\n**IOC Analysis:** The binaries involved (powershell.exe and MsiExec.exe) are legitimate, Microsoft-signed system files located in their expected directories. The command line parameters are non-malicious and specifically target a directory associated with a reputable third-party application.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because PowerShell was spawned by MSIExec.exe during a legitimate Windows Update or maintenance operation targeting Chrome Remote Desktop minidumps. The process path and signature are consistent with known Microsoft binaries.\n\n**IOC Analysis:** The PowerShell executable is located in its expected SysWOW64 directory, is signed (FILE_IS_SIGNED: 1), and has a known Microsoft hash. It was invoked by MSIExec.exe running as SYSTEM user to remove minidumps from Chrome Remote Desktop, which is a common maintenance activity.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nA PowerShell process was spawned by MsiExec.exe with SYSTEM privileges, executing a command to delete files from the Chrome Remote Desktop directory. However, the PowerShell binary is legitimate and signed, and the parent process is a known system component, indicating this is likely a false positive.\n\n**IOC Analysis:** The FILE_PATH C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is the expected location for PowerShell and is Microsoft-signed. The HASH is verified as signed, confirming legitimacy. The COMMAND_LINE involves deleting files, but this could be part of a legitimate system update or maintenance process initiated by the parent MsiExec.exe. The user NT AUTHORITY\\SYSTEM is common for system-level operations, and the parent process being MsiExec.exe (signed and in SysWOW64) supports a benign context.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 100% confidence)",
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}