โ
Case #471
service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level
๐ท๏ธ Analyst Verdict Classification
FP by analyst๐ค AI Analysis
๐ Detections (1)
Change PowerShell Policies to an Insecure Level
low
Rule: service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level
Hostname: desktop-atsepsk ยท Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 92% ยท Verdict: false positive
Event Data:
BASE_ADDRESS:
9764864
COMMAND_LINE:
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Force Stop-Process -Name remote_webauthn
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
HASH:
3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5
MEMORY_USAGE:
57729024
PARENT:
{'BASE_ADDRESS': 14942208, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 13615104, 'PARENT_ATOM': '23a7a08840c587c857088e4669c19e54', 'PARENT_PROCESS_ID': 26224, 'PROCESS_ID': 32732, 'THIS_ATOM': '0077d031151f6ea2ed35db9269c19e54', 'THREADS': 7, 'TIMESTAMP': 1774296660033, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
32732
PROCESS_ID:
35844
THREADS:
27
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\syswow64\MsiExec.exe
remote_webauthn
MITRE:
T1059.001
T1562.001
Analyst Declaration:
๐ Raw Detection JSON
{
"author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
"cat": "Change PowerShell Policies to an Insecure Level",
"detect": {
"event": {
"BASE_ADDRESS": 9764864,
"COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Force Stop-Process -Name remote_webauthn",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
"MEMORY_USAGE": 57729024,
"PARENT": {
"BASE_ADDRESS": 14942208,
"COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
"HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
"MEMORY_USAGE": 13615104,
"PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
"PARENT_PROCESS_ID": 26224,
"PROCESS_ID": 32732,
"THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
"THREADS": 7,
"TIMESTAMP": 1774296660033,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 32732,
"PROCESS_ID": 35844,
"THREADS": 27,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "8983927d-378e-4fd5-bd1d-518a8a248529",
"event_time": 1774296665572,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": -162,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0077d031151f6ea2ed35db9269c19e54",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory",
"yara_detection_disk"
],
"this": "4a44c56e7ae628a0e4c8da2569c19e5a"
}
},
"detect_id": "7023e176-d25b-45a0-8fec-a9e369c19e59",
"detect_mtd": {
"author": "frack113",
"description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
"falsepositives": [
"Administrator scripts"
],
"level": "medium",
"references": [
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4",
"https://adsecurity.org/?p=2604",
"https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/"
],
"tags": [
"attack.execution",
"attack.t1059.001"
]
},
"gen_time": 1774296665411,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296665\u0026selected=4a44c56e7ae628a0e4c8da2569c19e5a",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "8983927d-378e-4fd5-bd1d-518a8a248529",
"event_time": 1774296665572,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": -162,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0077d031151f6ea2ed35db9269c19e54",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_memory",
"yara_detection_disk"
],
"this": "4a44c56e7ae628a0e4c8da2569c19e5a"
},
"rule_tags": [
"attack.execution",
"attack.t1059.001",
"ext:ext-sigma"
],
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level",
"ts": 1774296665000
}
๐ Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 11,
"type-unsupported": 4,
"undetected": 61
}
}
}
๐ค Triage JSON
{
"confidence": 0.917,
"false_positive_reason": "legitimate_software_update",
"investigation_questions": [
"Was a Chrome Remote Desktop update or install scheduled on this host?"
],
"ioc_analysis": "The process \u0027powershell.exe\u0027 and its parent \u0027MsiExec.exe\u0027 are both legitimate Microsoft-signed binaries running from expected system directories. The command line \u0027-ExecutionPolicy Bypass\u0027 is a standard installer technique to ensure script execution, and \u0027remote_webauthn\u0027 is a known-good component of Google Chrome Remote Desktop.",
"iocs_extracted": [
"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"C:\\Windows\\syswow64\\MsiExec.exe",
"remote_webauthn"
],
"mitre_techniques": [
"T1059.001",
"T1562.001"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Whitelists known-good installers using PowerShell with execution policy bypass in this context.",
"No further investigation required."
],
"risk_score": 10,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection triggered on a PowerShell execution policy bypass used by the Windows Installer (MsiExec.exe) to stop the \u0027remote_webauthn\u0027 process, which is a legitimate component of Chrome Remote Desktop. This is a common pattern during software updates or uninstalls where an installer script gracefully terminates associated processes before modification.\n\n**IOC Analysis:** The process \u0027powershell.exe\u0027 and its parent \u0027MsiExec.exe\u0027 are both legitimate Microsoft-signed binaries running from expected system directories. The command line \u0027-ExecutionPolicy Bypass\u0027 is a standard installer technique to ensure script execution, and \u0027remote_webauthn\u0027 is a known-good component of Google Chrome Remote Desktop.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThis detection is a false positive because the process tree shows legitimate Microsoft-signed binaries executing scheduled maintenance tasks under SYSTEM context. The PowerShell execution policy bypass is part of a standard Windows Update or SCCM management operation.\n\n**IOC Analysis:** The process path C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is the expected location for legitimate PowerShell. The parent process MsiExec.exe running under SYSTEM context indicates this is likely a scheduled task executing MSI-based maintenance or policy updates. The execution policy bypass is commonly used by legitimate management tools during automated deployments.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves a PowerShell process created by a legitimate MsiExec.exe process, running from a standard system location and signed. The command-line does not indicate malicious activity, and historical feedback confirms false positives for this rule.\n\n**IOC Analysis:** The FILE_PATH is in the expected location for PowerShell.exe and is signed. The parent process, MsiExec.exe, is a legitimate system binary. The command-line arguments do not show policy changes or malicious intent, and the high-privilege user context (SYSTEM) can be legitimate for system tasks.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 95% confidence)",
"qwen3.5:4b: false_positive (low, 90% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
โ๏ธ Response Actions
| Action | Target | Status | Result | |
|---|---|---|---|---|
| tag | executed | Tag applied | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found |
๐ Add Note
๐ฌ Notes (4)
๐ค FusionSOC AI
2026-03-24T14:04
๐ค FusionSOC AI
2026-03-24T14:04
๐ค FusionSOC AI
2026-03-24T14:04
๐ค FusionSOC AI
2026-03-24T14:04
๐ Timeline
2026-03-24T14:51:53
analyst
Status changed: investigating โ closed
2026-03-24T14:51:50
analyst
Analyst classified as False Positive (FP)
2026-03-24T14:04:33
FusionSOC AI
Status changed: investigating โ investigating
2026-03-24T14:04:33
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T14:04:33
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** No further investigation required. **Sensor:** `8f3a47be-5629-4c...` **Time Wind...
2026-03-24T14:04:33
FusionSOC
Response action queued: recommended on No further investigation required.
2026-03-24T14:04:33
FusionSOC AI
Status changed: investigating โ investigating
2026-03-24T14:04:33
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T14:04:33
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Whitelists known-good installers using PowerShell with execution policy bypass i...
2026-03-24T14:04:33
FusionSOC
Response action queued: recommended on Whitelists known-good installers using PowerShell with execution policy bypass in this context.
2026-03-24T14:04:33
FusionSOC AI
Status changed: open โ investigating
2026-03-24T14:04:33
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T14:04:32
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T14:04:32
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T14:04:32
FusionSOC
Action tag โ executed: Tag applied
2026-03-24T14:04:32
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T14:04:32
FusionSOC AI
Detection 7023e176-d25b-45a0-8fec-a9e369c19e59 triaged as false_positive (low severity, confidence: 92%)
2026-03-24T14:04:32
FusionSOC AI
Case created from detection: service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level