{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Non Interactive PowerShell Process Spawned",
  "detect": {
    "event": {
      "BASE_ADDRESS": 9764864,
      "COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Force Stop-Process -Name remote_webauthn",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
      "MEMORY_USAGE": 57729024,
      "PARENT": {
        "BASE_ADDRESS": 14942208,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 13615104,
        "PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
        "PARENT_PROCESS_ID": 26224,
        "PROCESS_ID": 32732,
        "THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
        "THREADS": 7,
        "TIMESTAMP": 1774296660033,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 32732,
      "PROCESS_ID": 35844,
      "THREADS": 27,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "8983927d-378e-4fd5-bd1d-518a8a248529",
      "event_time": 1774296665572,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": -162,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "0077d031151f6ea2ed35db9269c19e54",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory",
        "yara_detection_disk"
      ],
      "this": "4a44c56e7ae628a0e4c8da2569c19e5a"
    }
  },
  "detect_id": "0b5bdfd3-d726-4798-880a-69f869c19e59",
  "detect_mtd": {
    "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
    "description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
    "falsepositives": [
      "Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies"
    ],
    "level": "low",
    "references": [
      "https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html"
    ],
    "tags": [
      "attack.execution",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774296665411,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296665\u0026selected=4a44c56e7ae628a0e4c8da2569c19e5a",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "8983927d-378e-4fd5-bd1d-518a8a248529",
    "event_time": 1774296665572,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": -162,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "0077d031151f6ea2ed35db9269c19e54",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory",
      "yara_detection_disk"
    ],
    "this": "4a44c56e7ae628a0e4c8da2569c19e5a"
  },
  "rule_tags": [
    "ext:ext-sigma",
    "attack.execution",
    "attack.t1059.001"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution",
  "ts": 1774296665000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 11,
      "type-unsupported": 4,
      "undetected": 61
    }
  }
}

{
  "confidence": 0.933,
  "false_positive_reason": "Legitimate software installation activity (MSI Custom Action)",
  "investigation_questions": [
    "Was there a recent software installation or Windows update on this host?"
  ],
  "ioc_analysis": "The parent process MsiExec.exe (C:\\Windows\\syswow64\\MsiExec.exe) and child powershell.exe are both signed Microsoft binaries running from their expected System32/SysWOW64 directories. The \u0027remote_webauthn\u0027 component is a legitimate Windows feature used for WebAuthn redirection in remote desktop environments.",
  "iocs_extracted": [
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\syswow64\\MsiExec.exe",
    "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
    "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c"
  ],
  "mitre_techniques": [
    "T1059.001"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Whitelist the specific MsiExec to PowerShell command pattern if recurring frequently",
    "No further action required"
  ],
  "risk_score": 10,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection triggered on a non-interactive PowerShell process spawned by MsiExec.exe (Windows Installer) to stop a process named \u0027remote_webauthn\u0027. This is a standard pattern for software installers or uninstallers performing a cleanup action via a Custom Action during an installation or update session.\n\n**IOC Analysis:** The parent process MsiExec.exe (C:\\Windows\\syswow64\\MsiExec.exe) and child powershell.exe are both signed Microsoft binaries running from their expected System32/SysWOW64 directories. The \u0027remote_webauthn\u0027 component is a legitimate Windows feature used for WebAuthn redirection in remote desktop environments.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because the PowerShell process was spawned by Windows Installer (msiexec.exe) running under SYSTEM context, which is consistent with legitimate system maintenance or software installation activities. The command line parameters indicate a policy test scenario rather than malicious execution.\n\n**IOC Analysis:** The PowerShell binary is located in its expected SysWOW64 directory and is Microsoft-signed. The parent process (msiexec.exe) is also a known Windows system binary running from the correct location. The command line arguments (-NoLogo -NonInteractive -ExecutionPolicy Bypass) are commonly used for legitimate administrative tasks like policy testing, not necessarily malicious activity.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection involves a PowerShell process running from the expected location and signed, invoked by a legitimate MsiExec.exe process. The command-line action to stop the \u0027remote_webauthn\u0027 process is likely part of normal system maintenance or software installation, indicating a false positive.\n\n**IOC Analysis:** The FILE_PATH C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is in the expected location for PowerShell and is signed, making it a legitimate system binary. The HASH is signed, and the command-line arguments suggest non-interactive execution, which is common for legitimate system tasks. The parent process MsiExec.exe is a legitimate Microsoft installer, supporting benign behavior.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 95% confidence)",
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}