low closed false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

Non Interactive PowerShell Process Spawned low
Rule: service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 95% · Verdict: false positive
Event Data:
BASE_ADDRESS:
9764864
COMMAND_LINE:
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Stop-Process -Force -Name remote_assistance_host
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
HASH:
3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5
MEMORY_USAGE:
59965440
PARENT:
{'BASE_ADDRESS': 14942208, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 13615104, 'PARENT_ATOM': '23a7a08840c587c857088e4669c19e54', 'PARENT_PROCESS_ID': 26224, 'PROCESS_ID': 32732, 'THIS_ATOM': '0077d031151f6ea2ed35db9269c19e54', 'THREADS': 7, 'TIMESTAMP': 1774296660033, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
32732
PROCESS_ID:
34160
THREADS:
29
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\MsiExec.exe 3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5 34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c
MITRE: T1059.001
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Non Interactive PowerShell Process Spawned",
  "detect": {
    "event": {
      "BASE_ADDRESS": 9764864,
      "COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Stop-Process -Force -Name remote_assistance_host",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
      "MEMORY_USAGE": 59965440,
      "PARENT": {
        "BASE_ADDRESS": 14942208,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 13615104,
        "PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
        "PARENT_PROCESS_ID": 26224,
        "PROCESS_ID": 32732,
        "THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
        "THREADS": 7,
        "TIMESTAMP": 1774296660033,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 32732,
      "PROCESS_ID": 34160,
      "THREADS": 29,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "e1be7f6f-bac6-413c-8dbb-bfba4debce2d",
      "event_time": 1774296664381,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": -21,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "0077d031151f6ea2ed35db9269c19e54",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory",
        "yara_detection_disk"
      ],
      "this": "b7ca4317d96e19fed92e030469c19e59"
    }
  },
  "detect_id": "1db2d577-f4dc-4f68-8805-74c769c19e58",
  "detect_mtd": {
    "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
    "description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
    "falsepositives": [
      "Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies"
    ],
    "level": "low",
    "references": [
      "https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html"
    ],
    "tags": [
      "attack.execution",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774296664361,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296664\u0026selected=b7ca4317d96e19fed92e030469c19e59",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "e1be7f6f-bac6-413c-8dbb-bfba4debce2d",
    "event_time": 1774296664381,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": -21,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "0077d031151f6ea2ed35db9269c19e54",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory",
      "yara_detection_disk"
    ],
    "this": "b7ca4317d96e19fed92e030469c19e59"
  },
  "rule_tags": [
    "ext:ext-sigma",
    "attack.execution",
    "attack.t1059.001"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution",
  "ts": 1774296664000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 11,
      "type-unsupported": 4,
      "undetected": 61
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.95,
  "false_positive_reason": "Legitimate software installation/update activity using signed system binaries.",
  "investigation_questions": [
    "Is Chrome Remote Desktop being updated or uninstalled on this host?"
  ],
  "ioc_analysis": "All binaries involved (powershell.exe and MsiExec.exe) are legitimate, Microsoft-signed system files located in their expected directories. The command line is a benign administrative command used for process management during a software installation lifecycle.",
  "iocs_extracted": [
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\syswow64\\MsiExec.exe",
    "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
    "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c"
  ],
  "mitre_techniques": [
    "T1059.001"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Close this alert as a false positive.",
    "Whitelist this specific command line pattern if associated with legitimate MsiExec operations."
  ],
  "risk_score": 10,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detection triggered on a legitimate administrative action where the Windows Installer (MsiExec.exe) invoked PowerShell to stop the \u0027remote_assistance_host\u0027 process, which is a component of Chrome Remote Desktop. This is a standard procedure during software updates or uninstalls to ensure files are not in use.\n\n**IOC Analysis:** All binaries involved (powershell.exe and MsiExec.exe) are legitimate, Microsoft-signed system files located in their expected directories. The command line is a benign administrative command used for process management during a software installation lifecycle.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because the PowerShell process was spawned by Windows Installer (msiexec.exe) running as SYSTEM user to test script policy, which is a legitimate administrative task.\n\n**IOC Analysis:** The process path C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is a known-good system location. The parent process msiexec.exe is a legitimate Windows Installer binary. The command line shows -NoProfile and ExecutionPolicy Bypass which are common for administrative testing, not malicious behavior.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves a PowerShell process spawned by MsiExec.exe, running as NT AUTHORITY\\SYSTEM with a non-interactive command to stop a process. Given the legitimate file path, signed binary, and common false positive scenarios, this is likely benign system maintenance.\n\n**IOC Analysis:** The FILE_PATH is C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe, which is the expected location for a legitimate PowerShell binary. The HASH is for a Microsoft-signed binary, and FILE_IS_SIGNED is 1, confirming authenticity. The command-line arguments target a process named \u0027remote_assistance_host\u0027, which could be part of system updates or maintenance, but the context of spawning from MsiExec.exe (a legitimate installer) supports a benign interpretation.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 100% confidence)",
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action      | Target                                                                                          | Status   | Result
tag         | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated                                     | executed | Tag applied
recommended | Close case as false positive (unanimous AI verdict)                                             | executed | General Activity Sweep: 0 events found
recommended | Close this alert as a false positive.                                                           | executed | General Activity Sweep: 0 events found
recommended | Whitelist this specific command line pattern if associated with legitimate MsiExec operations. | executed | General Activity Sweep: 0 events found

๐Ÿ“ Add Note

💬 Notes (4)

🤖 FusionSOC AI 2026-03-24T14:11
🤖 FusionSOC AI 2026-03-24T14:11
🤖 FusionSOC AI 2026-03-24T14:11
🤖 FusionSOC AI 2026-03-24T14:11

📜 Timeline

2026-03-24T14:52:23
analyst
Status changed: investigating → closed
2026-03-24T14:52:21
analyst
Analyst classified as False Positive (FP)
2026-03-24T14:11:48
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T14:11:48
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:11:48
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Whitelist this specific command line pattern if associated with legitimate MsiEx...
2026-03-24T14:11:48
FusionSOC
Response action queued: recommended on Whitelist this specific command line pattern if associated with legitimate MsiExec operations.
2026-03-24T14:11:48
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T14:11:48
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:11:48
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Close this alert as a false positive. **Sensor:** `8f3a47be-5629-4c...` **Time W...
2026-03-24T14:11:48
FusionSOC
Response action queued: recommended on Close this alert as a false positive.
2026-03-24T14:11:48
FusionSOC AI
Status changed: open → investigating
2026-03-24T14:11:48
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:11:48
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T14:11:48
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T14:11:48
FusionSOC
Action tag → executed: Tag applied
2026-03-24T14:11:48
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T14:11:48
FusionSOC AI
Detection 1db2d577-f4dc-4f68-8805-74c769c19e58 triaged as false_positive (low severity, confidence: 95%)
2026-03-24T14:11:48
FusionSOC AI
Case created from detection: service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution