Severity: low · Status: closed · Verdict: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

Non Interactive PowerShell Process Spawned low
Rule: service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 94% · Verdict: false positive
Event Data:
BASE_ADDRESS: 9764864
COMMAND_LINE: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Stop-Process -Force -Name remoting_native_messaging_host
FILE_IS_SIGNED: 1
FILE_PATH: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
HASH: 3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5
MEMORY_USAGE: 15335424
PARENT: {'BASE_ADDRESS': 14942208, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 13615104, 'PARENT_ATOM': '23a7a08840c587c857088e4669c19e54', 'PARENT_PROCESS_ID': 26224, 'PROCESS_ID': 32732, 'THIS_ATOM': '0077d031151f6ea2ed35db9269c19e54', 'THREADS': 7, 'TIMESTAMP': 1774296660033, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID: 32732
PROCESS_ID: 43776
THREADS: 6
USER_NAME: NT AUTHORITY\SYSTEM
IOCs: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\MsiExec.exe remoting_native_messaging_host
MITRE: T1059.001
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Non Interactive PowerShell Process Spawned",
  "detect": {
    "event": {
      "BASE_ADDRESS": 9764864,
      "COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Stop-Process -Force -Name remoting_native_messaging_host",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
      "MEMORY_USAGE": 15335424,
      "PARENT": {
        "BASE_ADDRESS": 14942208,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 13615104,
        "PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
        "PARENT_PROCESS_ID": 26224,
        "PROCESS_ID": 32732,
        "THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
        "THREADS": 7,
        "TIMESTAMP": 1774296660033,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 32732,
      "PROCESS_ID": 43776,
      "THREADS": 6,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "e259ebdf-87e0-4f78-80b0-5474e91c2eec",
      "event_time": 1774296667146,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": -667,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "0077d031151f6ea2ed35db9269c19e54",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory",
        "yara_detection_disk"
      ],
      "this": "16337cce8c5b333e4063c72769c19e5b"
    }
  },
  "detect_id": "4671d10c-a9e2-4420-8767-4cde69c19e5a",
  "detect_mtd": {
    "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
    "description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
    "falsepositives": [
      "Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies"
    ],
    "level": "low",
    "references": [
      "https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html"
    ],
    "tags": [
      "attack.execution",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774296666479,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296667\u0026selected=16337cce8c5b333e4063c72769c19e5b",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "e259ebdf-87e0-4f78-80b0-5474e91c2eec",
    "event_time": 1774296667146,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": -667,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "0077d031151f6ea2ed35db9269c19e54",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory",
      "yara_detection_disk"
    ],
    "this": "16337cce8c5b333e4063c72769c19e5b"
  },
  "rule_tags": [
    "ext:ext-sigma",
    "attack.execution",
    "attack.t1059.001"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution",
  "ts": 1774296666000
}
🌐 Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 11,
      "type-unsupported": 4,
      "undetected": 61
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.943,
  "false_positive_reason": "Legitimate software maintenance via Windows Installer (MSI)",
  "investigation_questions": [
    "Was there a corresponding \u0027MsiInstaller\u0027 event (Event ID 1040/1042) in the Application log at the time of execution?",
    "Is this host part of an environment where Chrome Remote Desktop is managed and updated automatically?"
  ],
  "ioc_analysis": "All binaries involved (powershell.exe, msiexec.exe) are Microsoft-signed and located in the correct SysWOW64 directory. The targeted process \u0027remoting_native_messaging_host\u0027 is a known component of Chrome Remote Desktop, and the command-line flags (-NonInteractive, -ExecutionPolicy Bypass) are standard for automated maintenance scripts.",
  "iocs_extracted": [
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\syswow64\\MsiExec.exe",
    "remoting_native_messaging_host"
  ],
  "mitre_techniques": [
    "T1059.001"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Tune the detection rule to exclude PowerShell instances spawned by MsiExec.exe for targeted process termination",
    "Confirm the presence of legitimate Google Chrome Remote Desktop installation on the host"
  ],
  "risk_score": 8,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.98\nThe detection triggered on a non-interactive PowerShell process spawned by MsiExec (Windows Installer) to stop the \u0027remoting_native_messaging_host\u0027 process. This is a standard procedure for legitimate Chrome Remote Desktop software updates or uninstalls to terminate active components before modification.\n\n**IOC Analysis:** All binaries involved (powershell.exe, msiexec.exe) are Microsoft-signed and located in the correct SysWOW64 directory. The targeted process \u0027remoting_native_messaging_host\u0027 is a known component of Chrome Remote Desktop, and the command-line flags (-NonInteractive, -ExecutionPolicy Bypass) are standard for automated maintenance scripts.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because the PowerShell process was spawned by MSIExec.exe during a legitimate Windows Installer operation under SYSTEM privileges. The command line arguments indicate a standard remote messaging host invocation rather than malicious activity.\n\n**IOC Analysis:** The process path (C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe) is the expected location for PowerShell on 64-bit Windows systems. The parent process (MsiExec.exe) is a legitimate Windows Installer executable running from its expected directory. The command line arguments (-NoLogo -NonInteractive -ExecutionPolicy Bypass Stop-Process -Force -Name remoting_native_messaging_host) are consistent with Microsoft\u0027s remote messaging infrastructure used during MSI installations.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe event involves a PowerShell process spawned by MsiExec.exe, a legitimate system tool, running as the SYSTEM user. The command line attempts to stop a process, but the context suggests it is likely part of normal system operations.\n\n**IOC Analysis:** The FILE_PATH C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is a legitimate Microsoft binary located in its expected directory. The HASH is signed by Microsoft, indicating it is a trusted binary. The user NT AUTHORITY\\SYSTEM is a system account often used for benign system tasks, and the parent process MsiExec.exe is also legitimate and signed, supporting a false positive scenario.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 98% confidence)",
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.98,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}
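The triage above recommends tuning the rule so that PowerShell spawned by MsiExec.exe for this kind of process termination no longer alerts, and its investigation questions ask whether a MsiInstaller 1040/1042 transaction appears in the Application log around the event. The following Python is an added example, not code from FusionSOC, LimaCharlie or the SigmaHQ rule: it reproduces the base rule's logic in simplified form over NEW_PROCESS events shaped like the one on this page, applies an exclusion scoped to a signed MsiExec custom-action server (-Embedding) running a plain Stop-Process against an allow-listed process name, and only returns close_fp when a 1040 precedes and a 1042 follows the event inside a window. The explorer.exe-only parent filter, the Application-log record shape (ProviderName, Id, TimeCreated_ms), the 120 s window, the base64 placeholder and the variant events are assumptions constructed for the example.

```python
"""Added example for this case; not FusionSOC, LimaCharlie or SigmaHQ code.
Simplified re-implementation of proc_creation_win_powershell_non_interactive_execution
over LimaCharlie-style NEW_PROCESS events, plus the narrow MsiExec exclusion and the
MsiInstaller 1040/1042 corroboration the triage asks for. The parent filter, the
Application-log record shape and the window size are assumptions."""
from __future__ import annotations
import re

PS_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
GUI_PARENTS = ("\\explorer.exe",)          # assumed stand-in for the rule's parent filter
SAFE_PS_FLAGS = {"-nologo", "-noninteractive", "-noprofile", "-executionpolicy", "bypass"}
ALLOWED_STOP_TARGETS = {"remoting_native_messaging_host"}   # Chrome Remote Desktop component
MSI_TX_BEGIN, MSI_TX_END = 1040, 1042      # MsiInstaller: beginning / ending a Windows Installer transaction
WINDOW_MS = 120_000                        # assumed corroboration window around the process event


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line into tokens, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def rule_matches(ev: dict) -> bool:
    """Base rule: powershell/pwsh whose parent is not an interactive GUI shell."""
    image = ev["FILE_PATH"].lower()
    parent = ev["PARENT"]["FILE_PATH"].lower()
    return image.endswith(PS_IMAGES) and not parent.endswith(GUI_PARENTS)


def msiexec_stop_process_exclusion(ev: dict) -> bool:
    """Tuning kept narrow: both binaries signed, parent is the MsiExec custom-action
    server (-Embedding), child runs only benign host flags followed by
    'Stop-Process -Force -Name <allow-listed name>'. -EncodedCommand, -Command,
    -File or any other target falls through and still alerts."""
    parent = ev["PARENT"]
    if not (ev["FILE_IS_SIGNED"] and parent["FILE_IS_SIGNED"]):
        return False
    if not parent["FILE_PATH"].lower().endswith("\\msiexec.exe"):
        return False
    if "-embedding" not in parent["COMMAND_LINE"].lower():
        return False
    args = [a.lower() for a in tokens(ev["COMMAND_LINE"])[1:]]   # drop the exe itself
    if "stop-process" not in args:
        return False
    i = args.index("stop-process")
    if any(flag not in SAFE_PS_FLAGS for flag in args[:i]):
        return False
    tail = args[i:]
    return (len(tail) == 4 and tail[:3] == ["stop-process", "-force", "-name"]
            and tail[3] in ALLOWED_STOP_TARGETS)


def msi_transaction_around(app_log: list[dict], t_ms: int) -> bool:
    """True when a MsiInstaller 1040 precedes and a 1042 follows t_ms within WINDOW_MS."""
    msi = [r for r in app_log if r["ProviderName"] == "MsiInstaller"]
    began = any(r["Id"] == MSI_TX_BEGIN and 0 <= t_ms - r["TimeCreated_ms"] <= WINDOW_MS for r in msi)
    ended = any(r["Id"] == MSI_TX_END and 0 <= r["TimeCreated_ms"] - t_ms <= WINDOW_MS for r in msi)
    return began and ended


def triage(ev: dict, event_time_ms: int, app_log: list[dict]) -> str:
    """no_match | alert | close_fp | suppress_review (excluded but no installer transaction)."""
    if not rule_matches(ev):
        return "no_match"
    if not msiexec_stop_process_exclusion(ev):
        return "alert"
    return "close_fp" if msi_transaction_around(app_log, event_time_ms) else "suppress_review"


PS_EXE = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
# The event from this case, trimmed to the fields the logic reads.
CASE_EVENT = {
    "COMMAND_LINE": f'"{PS_EXE}" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass '
                    "Stop-Process -Force -Name remoting_native_messaging_host",
    "FILE_PATH": PS_EXE,
    "FILE_IS_SIGNED": 1,
    "PARENT": {
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "FILE_IS_SIGNED": 1,
    },
}
CASE_TIME_MS = 1774296667146   # routing.event_time from the page
# Constructed variants (not from the page): placeholder base64, other target, GUI parent.
ENCODED_UNDER_MSIEXEC = {**CASE_EVENT, "COMMAND_LINE": f'"{PS_EXE}" -NonInteractive -EncodedCommand QQBCAEMA'}
OTHER_TARGET_UNDER_MSIEXEC = {**CASE_EVENT, "COMMAND_LINE": f'"{PS_EXE}" -NonInteractive Stop-Process -Force -Name someotherapp'}
FROM_EXPLORER = {**CASE_EVENT, "PARENT": {**CASE_EVENT["PARENT"], "FILE_PATH": "C:\\Windows\\explorer.exe"}}
# Constructed Application-log records: transaction opened 12 s before and closed 23 s after the event.
APP_LOG_WITH_TX = [
    {"ProviderName": "MsiInstaller", "Id": MSI_TX_BEGIN, "TimeCreated_ms": CASE_TIME_MS - 12_000},
    {"ProviderName": "MsiInstaller", "Id": MSI_TX_END, "TimeCreated_ms": CASE_TIME_MS + 23_000},
]

if __name__ == "__main__":
    for label, ev, log in [("case event, MSI transaction present", CASE_EVENT, APP_LOG_WITH_TX),
                           ("case event, no MSI transaction", CASE_EVENT, []),
                           ("-EncodedCommand under MsiExec", ENCODED_UNDER_MSIEXEC, APP_LOG_WITH_TX),
                           ("other Stop-Process target under MsiExec", OTHER_TARGET_UNDER_MSIEXEC, APP_LOG_WITH_TX),
                           ("spawned by explorer.exe", FROM_EXPLORER, APP_LOG_WITH_TX)]:
        print(f"{label:42} -> {triage(ev, CASE_TIME_MS, log)}")
```

The exclusion is deliberately narrower than "any PowerShell whose parent is MsiExec.exe": MSI custom actions run arbitrary code as SYSTEM during an install, so a blanket parent-based filter would also hide a malicious package's -EncodedCommand or -File payload. Only the exact pattern seen in this case (signed binaries, -Embedding server, plain Stop-Process against an allow-listed name) is suppressed, and it is only auto-closed when the installer transaction is corroborated in the Application log; an excluded event without that corroboration stays in the queue as suppress_review.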

⚙️ Response Actions

Action: tag · Target: 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated · Status: executed · Result: Tag applied
Action: recommended · Target: Close case as false positive (unanimous AI verdict) · Status: executed · Result: General Activity Sweep: 0 events found
Action: recommended · Target: Tune the detection rule to exclude PowerShell instances spawned by MsiExec.exe for targeted process termination · Status: executed · Result: Process Tree Investigation: 50 events found
Action: recommended · Target: Confirm the presence of legitimate Google Chrome Remote Desktop installation on the host · Status: executed · Result: General Activity Sweep: 0 events found

💬 Notes (4)

🤖 FusionSOC AI 2026-03-24T14:03
🤖 FusionSOC AI 2026-03-24T14:03
🤖 FusionSOC AI 2026-03-24T14:03
🤖 FusionSOC AI 2026-03-24T14:03

📜 Timeline

2026-03-24T14:51:42 · analyst · Status changed: investigating → closed
2026-03-24T14:51:40 · analyst · Analyst classified as False Positive (FP)
2026-03-24T14:03:04 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T14:03:04 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:03:04 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Confirm the presence of legitimate Google Chrome Remote Desktop installation on ...
2026-03-24T14:03:04 · FusionSOC · Response action queued: recommended on Confirm the presence of legitimate Google Chrome Remote Desktop installation on the host
2026-03-24T14:03:04 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T14:03:04 · FusionSOC · Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-24T14:03:04 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Tune the detection rule to exclude PowerShell instances spawned by MsiExec.e...
2026-03-24T14:03:03 · FusionSOC · Response action queued: recommended on Tune the detection rule to exclude PowerShell instances spawned by MsiExec.exe for targeted process termination
2026-03-24T14:03:03 · FusionSOC AI · Status changed: open → investigating
2026-03-24T14:03:03 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:03:03 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T14:03:02 · FusionSOC · Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T14:03:02 · FusionSOC · Action tag → executed: Tag applied
2026-03-24T14:03:02 · FusionSOC · Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T14:03:02 · FusionSOC AI · Detection 4671d10c-a9e2-4420-8767-4cde69c19e5a triaged as false_positive (low severity, confidence: 94%)
2026-03-24T14:03:02 · FusionSOC AI · Case created from detection: service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution