low closed false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

Change PowerShell Policies to an Insecure Level low
Rule: service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 93% · Verdict: false positive
Event Data:
BASE_ADDRESS:
9764864
COMMAND_LINE:
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Stop-Process -Force -Name remote_assistance_host_uiaccess
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
HASH:
3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5
MEMORY_USAGE:
39714816
PARENT:
{'BASE_ADDRESS': 14942208, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 13615104, 'PARENT_ATOM': '23a7a08840c587c857088e4669c19e54', 'PARENT_PROCESS_ID': 26224, 'PROCESS_ID': 32732, 'THIS_ATOM': '0077d031151f6ea2ed35db9269c19e54', 'THREADS': 7, 'TIMESTAMP': 1774296660033, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
32732
PROCESS_ID:
24148
THREADS:
18
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\MsiExec.exe
MITRE: T1059.001
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Change PowerShell Policies to an Insecure Level",
  "detect": {
    "event": {
      "BASE_ADDRESS": 9764864,
      "COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Stop-Process -Force -Name remote_assistance_host_uiaccess",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
      "MEMORY_USAGE": 39714816,
      "PARENT": {
        "BASE_ADDRESS": 14942208,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 13615104,
        "PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
        "PARENT_PROCESS_ID": 26224,
        "PROCESS_ID": 32732,
        "THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
        "THREADS": 7,
        "TIMESTAMP": 1774296660033,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 32732,
      "PROCESS_ID": 24148,
      "THREADS": 18,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "d3189c0b-5ba4-4af1-9751-20f745269a09",
      "event_time": 1774296661418,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": -202,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "0077d031151f6ea2ed35db9269c19e54",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory",
        "yara_detection_disk"
      ],
      "this": "e129b32c7ceae618e6c1c15b69c19e55"
    }
  },
  "detect_id": "d0a574ae-67a0-4ada-8628-886b69c19e55",
  "detect_mtd": {
    "author": "frack113",
    "description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
    "falsepositives": [
      "Administrator scripts"
    ],
    "level": "medium",
    "references": [
      "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
      "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4",
      "https://adsecurity.org/?p=2604",
      "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/"
    ],
    "tags": [
      "attack.execution",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774296661217,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296661\u0026selected=e129b32c7ceae618e6c1c15b69c19e55",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "d3189c0b-5ba4-4af1-9751-20f745269a09",
    "event_time": 1774296661418,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": -202,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "0077d031151f6ea2ed35db9269c19e54",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory",
      "yara_detection_disk"
    ],
    "this": "e129b32c7ceae618e6c1c15b69c19e55"
  },
  "rule_tags": [
    "attack.execution",
    "attack.t1059.001",
    "ext:ext-sigma"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level",
  "ts": 1774296661000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 11,
      "type-unsupported": 4,
      "undetected": 61
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.933,
  "false_positive_reason": "Legitimate software installation or update activity by Windows Installer (MsiExec).",
  "investigation_questions": [
    "Is Chrome Remote Desktop expected to be installed or updated on this host?"
  ],
  "ioc_analysis": "The PowerShell binary is a legitimate, signed Microsoft file located in the standard SysWOW64 directory. The parent process, MsiExec.exe, is also a signed system binary. The command line specifically targets a known legitimate application component (Chrome Remote Desktop) as part of an installation routine.",
  "iocs_extracted": [
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\syswow64\\MsiExec.exe"
  ],
  "mitre_techniques": [
    "T1059.001"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "No action required.",
    "Consider tuning the detection rule to exclude PowerShell processes spawned by MsiExec.exe that perform routine process termination for known legitimate software."
  ],
  "risk_score": 10,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nPowerShell was invoked by MsiExec.exe (Windows Installer) to stop the \u0027remote_assistance_host_uiaccess\u0027 process, which is a legitimate component of Chrome Remote Desktop. This is standard behavior during software updates or installations to ensure that active processes are terminated before replacing their binaries.\n\n**IOC Analysis:** The PowerShell binary is a legitimate, signed Microsoft file located in the standard SysWOW64 directory. The parent process, MsiExec.exe, is also a signed system binary. The command line specifically targets a known legitimate application component (Chrome Remote Desktop) as part of an installation routine.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis event is a false positive where PowerShell is invoked by MSIExec to test script policies during legitimate Windows maintenance. The process runs from its expected location and is Microsoft-signed.\n\n**IOC Analysis:** The detection flags PowerShell with ExecutionPolicy Bypass, but this is a common behavior when testing policy changes. The parent process (MsiExec.exe) indicates this is part of a Windows Installer operation. The file path is correct for SysWOW64, the hash matches known legitimate binaries, and it is signed by Microsoft.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves a PowerShell process creation, but the command only stops a process and does not change PowerShell policies. PowerShell and its parent process (MsiExec.exe) are legitimate Windows components, and the signed hash confirms authenticity. This aligns with historical false positive feedback for the rule.\n\n**IOC Analysis:** The FILE_PATH C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is a legitimate PowerShell executable in the expected directory. The HASH is Microsoft-signed, and FILE_IS_SIGNED is 1, indicating a trusted binary. The parent process MsiExec.exe is a legitimate Windows installer. The command line action of stopping a process is common in system maintenance and could be benign, especially invoked by a trusted process.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 95% confidence)",
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action Target Status Result
tag 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated executed Tag applied
recommended Close case as false positive (unanimous AI verdict) executed General Activity Sweep: 0 events found
recommended Investigate the MSIExec.exe parent process to understand the context of this PowerShell invocation executed Process Tree Investigation: 50 events found
recommended Verify if this is part of a scheduled maintenance task or diagnostic operation executed General Activity Sweep: 0 events found
recommended Monitor for similar patterns in future events executed General Activity Sweep: 0 events found
tag 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated executed Tag applied
recommended Close case as false positive (unanimous AI verdict) executed General Activity Sweep: 0 events found
recommended No action required. executed General Activity Sweep: 0 events found
recommended Consider tuning the detection rule to exclude PowerShell processes spawned by MsiExec.exe that perform routine process termination for known legitimate software. executed Process Tree Investigation: 50 events found

๐Ÿ“ Add Note

💬 Notes (8)

🤖 FusionSOC AI 2026-03-24T14:25
🤖 FusionSOC AI 2026-03-24T14:25
🤖 FusionSOC AI 2026-03-24T14:25
🤖 FusionSOC AI 2026-03-24T14:15
🤖 FusionSOC AI 2026-03-24T14:15
🤖 FusionSOC AI 2026-03-24T14:15
🤖 FusionSOC AI 2026-03-24T14:15
🤖 FusionSOC AI 2026-03-24T14:15

📜 Timeline

2026-03-24T14:52:49
analyst
Status changed: investigating → closed
2026-03-24T14:52:47
analyst
Analyst classified as False Positive (FP)
2026-03-24T14:25:16
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T14:25:16
FusionSOC
Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-24T14:25:16
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” Process Tree Investigation **Action:** Consider tuning the detection rule to exclude PowerShell processes spawned b...
2026-03-24T14:25:15
FusionSOC
Response action queued: recommended on Consider tuning the detection rule to exclude PowerShell processes spawned by MsiExec.exe that perform routine process termination for known legitimate software.
2026-03-24T14:25:15
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T14:25:15
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:25:15
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** No action required. **Sensor:** `8f3a47be-5629-4c...` **Time Window:** +/- 2 min...
2026-03-24T14:25:15
FusionSOC
Response action queued: recommended on No action required.
2026-03-24T14:25:15
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T14:25:15
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:25:15
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T14:25:14
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T14:25:14
FusionSOC
Action tag → executed: Tag applied
2026-03-24T14:25:14
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T14:15:10
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T14:15:10
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:15:10
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Monitor for similar patterns in future events **Sensor:** `8f3a47be-5629-4c...` ...
2026-03-24T14:15:10
FusionSOC
Response action queued: recommended on Monitor for similar patterns in future events
2026-03-24T14:15:10
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T14:15:10
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:15:10
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Verify if this is part of a scheduled maintenance task or diagnostic operation *...
2026-03-24T14:15:10
FusionSOC
Response action queued: recommended on Verify if this is part of a scheduled maintenance task or diagnostic operation
2026-03-24T14:15:10
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T14:15:10
FusionSOC
Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-24T14:15:10
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” Process Tree Investigation **Action:** Investigate the MSIExec.exe parent process to understand the context of this...
2026-03-24T14:15:09
FusionSOC
Response action queued: recommended on Investigate the MSIExec.exe parent process to understand the context of this PowerShell invocation
2026-03-24T14:15:09
FusionSOC AI
Status changed: open → investigating
2026-03-24T14:15:09
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:15:09
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T14:15:08
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T14:15:08
FusionSOC
Action tag → executed: Tag applied
2026-03-24T14:15:08
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T14:15:08
FusionSOC AI
Detection d0a574ae-67a0-4ada-8628-886b69c19e55 triaged as false_positive (low severity, confidence: 90%)
2026-03-24T14:15:08
FusionSOC AI
Case created from detection: service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level