{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Change PowerShell Policies to an Insecure Level",
  "detect": {
    "event": {
      "BASE_ADDRESS": 9764864,
      "COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Stop-Process -Force -Name remoting_native_messaging_host",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
      "MEMORY_USAGE": 15335424,
      "PARENT": {
        "BASE_ADDRESS": 14942208,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 13615104,
        "PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
        "PARENT_PROCESS_ID": 26224,
        "PROCESS_ID": 32732,
        "THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
        "THREADS": 7,
        "TIMESTAMP": 1774296660033,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 32732,
      "PROCESS_ID": 43776,
      "THREADS": 6,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "e259ebdf-87e0-4f78-80b0-5474e91c2eec",
      "event_time": 1774296667146,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": -667,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "0077d031151f6ea2ed35db9269c19e54",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory",
        "yara_detection_disk"
      ],
      "this": "16337cce8c5b333e4063c72769c19e5b"
    }
  },
  "detect_id": "f2ac1102-7fb1-4535-8011-58ab69c19e5a",
  "detect_mtd": {
    "author": "frack113",
    "description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
    "falsepositives": [
      "Administrator scripts"
    ],
    "level": "medium",
    "references": [
      "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
      "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4",
      "https://adsecurity.org/?p=2604",
      "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/"
    ],
    "tags": [
      "attack.execution",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774296666478,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296667\u0026selected=16337cce8c5b333e4063c72769c19e5b",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "e259ebdf-87e0-4f78-80b0-5474e91c2eec",
    "event_time": 1774296667146,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": -667,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "0077d031151f6ea2ed35db9269c19e54",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory",
      "yara_detection_disk"
    ],
    "this": "16337cce8c5b333e4063c72769c19e5b"
  },
  "rule_tags": [
    "attack.execution",
    "attack.t1059.001",
    "ext:ext-sigma"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level",
  "ts": 1774296666000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 11,
      "type-unsupported": 4,
      "undetected": 61
    }
  }
}

{
  "confidence": 0.917,
  "false_positive_reason": "Legitimate software installation/update via Windows Installer (MsiExec) using PowerShell for service management.",
  "investigation_questions": [
    "Is there any recent software update activity for Chrome or Google products on this host?"
  ],
  "ioc_analysis": "The powershell.exe binary (3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5) and the parent MsiExec.exe (34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c) are both legitimate, Microsoft-signed system binaries. The command line is specific to managing a known legitimate service (remoting_native_messaging_host).",
  "iocs_extracted": [
    "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
    "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c"
  ],
  "mitre_techniques": [
    "T1059.001"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "No further action required",
    "Whitelist this specific MsiExec to PowerShell pattern if it occurs frequently during routine updates"
  ],
  "risk_score": 8,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection triggered on a legitimate administrative action where MsiExec.exe (Windows Installer) utilized PowerShell to stop the \u0027remoting_native_messaging_host\u0027 process, likely as part of a software update or uninstallation for Google Chrome or Chrome Remote Desktop. The use of \u0027-ExecutionPolicy Bypass\u0027 is a common practice for automated installers to ensure script execution regardless of the local policy.\n\n**IOC Analysis:** The powershell.exe binary (3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5) and the parent MsiExec.exe (34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c) are both legitimate, Microsoft-signed system binaries. The command line is specific to managing a known legitimate service (remoting_native_messaging_host).\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThis detection is a false positive because the process tree shows Microsoft Installer (msiexec.exe) launching PowerShell to test script policy settings, which is a legitimate Windows maintenance activity.\n\n**IOC Analysis:** The process path C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is a known-good system location. The command line shows -ExecutionPolicy Bypass used by MSI to test script policies during installation, which is documented Microsoft behavior. The parent process msiexec.exe confirms this is part of the Windows Installer service.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves a PowerShell process invoked by a legitimate MsiExec.exe process running under the SYSTEM account. The command stops a specific process, which is likely part of system maintenance or an update, and all IOCs are from expected locations and signed, indicating a false positive.\n\n**IOC Analysis:** The FILE_PATH C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is a known legitimate Microsoft binary in the expected directory. The HASH is signed, confirming it\u0027s a Microsoft-signed binary. The PARENT_PROCESS is MsiExec.exe, which is a legitimate system binary for MSI installations. The command does not explicitly change PowerShell policies but may be part of a routine system process, aligning with false positive scenarios like system maintenance.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 95% confidence)",
      "qwen3.5:4b: false_positive (low, 90% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}