Severity: low · Status: closed · Classification: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

Non Interactive PowerShell Process Spawned (severity: low)
Rule: service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 93% · Verdict: false positive
Event Data:
BASE_ADDRESS: 9764864
COMMAND_LINE: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Stop-Process -Force -Name remote_assistance_host_uiaccess
FILE_IS_SIGNED: 1
FILE_PATH: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
HASH: 3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5
MEMORY_USAGE: 39714816
PARENT: {'BASE_ADDRESS': 14942208, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 13615104, 'PARENT_ATOM': '23a7a08840c587c857088e4669c19e54', 'PARENT_PROCESS_ID': 26224, 'PROCESS_ID': 32732, 'THIS_ATOM': '0077d031151f6ea2ed35db9269c19e54', 'THREADS': 7, 'TIMESTAMP': 1774296660033, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID: 32732
PROCESS_ID: 24148
THREADS: 18
USER_NAME: NT AUTHORITY\SYSTEM
MITRE: T1059.001
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Non Interactive PowerShell Process Spawned",
  "detect": {
    "event": {
      "BASE_ADDRESS": 9764864,
      "COMMAND_LINE": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass Stop-Process -Force -Name remote_assistance_host_uiaccess",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "3bfedaaa40d9e19e45a3ee10c0f14b1750b01619ebb9f39be3865bcfdacdd2e5",
      "MEMORY_USAGE": 39714816,
      "PARENT": {
        "BASE_ADDRESS": 14942208,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 57917046E265CB85396AB79820287388 E Global\\MSI0000",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 13615104,
        "PARENT_ATOM": "23a7a08840c587c857088e4669c19e54",
        "PARENT_PROCESS_ID": 26224,
        "PROCESS_ID": 32732,
        "THIS_ATOM": "0077d031151f6ea2ed35db9269c19e54",
        "THREADS": 7,
        "TIMESTAMP": 1774296660033,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 32732,
      "PROCESS_ID": 24148,
      "THREADS": 18,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "d3189c0b-5ba4-4af1-9751-20f745269a09",
      "event_time": 1774296661418,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": -202,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "0077d031151f6ea2ed35db9269c19e54",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory",
        "yara_detection_disk"
      ],
      "this": "e129b32c7ceae618e6c1c15b69c19e55"
    }
  },
  "detect_id": "6bb3d96f-cd0c-45e8-964b-352d69c19e55",
  "detect_mtd": {
    "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
    "description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
    "falsepositives": [
      "Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies"
    ],
    "level": "low",
    "references": [
      "https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html"
    ],
    "tags": [
      "attack.execution",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774296661216,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774296661\u0026selected=e129b32c7ceae618e6c1c15b69c19e55",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "d3189c0b-5ba4-4af1-9751-20f745269a09",
    "event_time": 1774296661418,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": -202,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "0077d031151f6ea2ed35db9269c19e54",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory",
      "yara_detection_disk"
    ],
    "this": "e129b32c7ceae618e6c1c15b69c19e55"
  },
  "rule_tags": [
    "ext:ext-sigma",
    "attack.execution",
    "attack.t1059.001"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution",
  "ts": 1774296661000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 11,
      "type-unsupported": 4,
      "undetected": 61
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.933,
  "false_positive_reason": "Legitimate administrative activity (MSI installer cleanup script).",
  "investigation_questions": [
    "Was there a recent software installation or Windows Update on this host?"
  ],
  "ioc_analysis": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is a signed Microsoft binary running from its expected system path. The parent process, MsiExec.exe, is also a signed Windows binary and its command line includes the \u0027-Embedding\u0027 flag, which is characteristic of the Windows Installer service executing a legitimate MSI package.",
  "iocs_extracted": [],
  "mitre_techniques": [
    "T1059.001"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "No action required.",
    "Monitor for unusual MsiExec activity if this host is not scheduled for updates."
  ],
  "risk_score": 12,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nNon-interactive PowerShell process spawned by MsiExec.exe to stop a remote assistance component during a system update or software installation. This is a standard administrative cleanup operation performed by the Windows Installer service under NT AUTHORITY\\SYSTEM.\n\n**IOC Analysis:** C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is a signed Microsoft binary running from its expected system path. The parent process, MsiExec.exe, is also a signed Windows binary and its command line includes the \u0027-Embedding\u0027 flag, which is characteristic of the Windows Installer service executing a legitimate MSI package.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because the PowerShell process was spawned by MSIExec.exe during a legitimate Windows Update or maintenance operation, executed with standard system privileges (NT AUTHORITY\\SYSTEM), and targeted a known benign executable.\n\n**IOC Analysis:** The process path C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe is the expected location for PowerShell on 64-bit Windows systems. The parent process MSIExec.exe running from SysWOW64 indicates a legitimate Windows Installer operation, likely related to software updates or maintenance tasks. The command line arguments (-NoLogo -NonInteractive -ExecutionPolicy Bypass) are commonly used by system administration tools and update mechanisms.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection flagged a non-interactive PowerShell process spawn, but analysis confirms it is likely a false positive. The PowerShell executable is legitimate, signed, and running from its expected location in SysWOW64. The parent process is MsiExec.exe, a known legitimate installer, and the command appears to be part of routine system maintenance.\n\n**IOC Analysis:** The FILE_PATH is C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe, which is a known, legitimate Windows system binary. The HASH is signed by Microsoft, confirming it is a trusted binary. The user context is NT AUTHORITY\\SYSTEM, which is often used by system processes and not necessarily malicious. The parent process, MsiExec.exe, is also legitimate and running from its expected directory, making this spawn contextually benign.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 95% confidence)",
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action | Target | Status | Result
tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied
recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found
recommended | Allow detection to pass without alerting | executed | General Activity Sweep: 0 events found
recommended | Document this as a known false positive in the SIEM rule configuration | executed | General Activity Sweep: 0 events found
recommended | Monitor for similar patterns if they occur outside of scheduled maintenance windows | executed | General Activity Sweep: 0 events found
tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied
recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found
recommended | No action required. | executed | General Activity Sweep: 0 events found
recommended | Monitor for unusual MsiExec activity if this host is not scheduled for updates. | executed | General Activity Sweep: 0 events found

๐Ÿ“ Add Note

💬 Notes (8)

🤖 FusionSOC AI 2026-03-24T14:27
🤖 FusionSOC AI 2026-03-24T14:27
🤖 FusionSOC AI 2026-03-24T14:27
🤖 FusionSOC AI 2026-03-24T14:18
🤖 FusionSOC AI 2026-03-24T14:18
🤖 FusionSOC AI 2026-03-24T14:18
🤖 FusionSOC AI 2026-03-24T14:18
🤖 FusionSOC AI 2026-03-24T14:18

📜 Timeline

2026-03-24T14:53:07 | analyst | Status changed: investigating → closed
2026-03-24T14:53:05 | analyst | Analyst classified as False Positive (FP)
2026-03-24T14:27:12 | FusionSOC AI | Status changed: investigating → investigating
2026-03-24T14:27:12 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:27:12 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Monitor for unusual MsiExec activity if this host is not scheduled for updates. ...
2026-03-24T14:27:12 | FusionSOC | Response action queued: recommended on Monitor for unusual MsiExec activity if this host is not scheduled for updates.
2026-03-24T14:27:12 | FusionSOC AI | Status changed: investigating → investigating
2026-03-24T14:27:12 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:27:12 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** No action required. **Sensor:** `8f3a47be-5629-4c...` **Time Window:** +/- 2 min...
2026-03-24T14:27:12 | FusionSOC | Response action queued: recommended on No action required.
2026-03-24T14:27:12 | FusionSOC AI | Status changed: investigating → investigating
2026-03-24T14:27:12 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:27:12 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T14:27:11 | FusionSOC | Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T14:27:11 | FusionSOC | Action tag → executed: Tag applied
2026-03-24T14:27:11 | FusionSOC | Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T14:18:29 | FusionSOC AI | Status changed: investigating → investigating
2026-03-24T14:18:29 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:18:29 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Monitor for similar patterns if they occur outside of scheduled maintenance wind...
2026-03-24T14:18:29 | FusionSOC | Response action queued: recommended on Monitor for similar patterns if they occur outside of scheduled maintenance windows
2026-03-24T14:18:29 | FusionSOC AI | Status changed: investigating → investigating
2026-03-24T14:18:29 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:18:29 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Document this as a known false positive in the SIEM rule configuration **Sensor:...
2026-03-24T14:18:29 | FusionSOC | Response action queued: recommended on Document this as a known false positive in the SIEM rule configuration
2026-03-24T14:18:29 | FusionSOC AI | Status changed: investigating → investigating
2026-03-24T14:18:29 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:18:29 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Allow detection to pass without alerting **Sensor:** `8f3a47be-5629-4c...` **Tim...
2026-03-24T14:18:29 | FusionSOC | Response action queued: recommended on Allow detection to pass without alerting
2026-03-24T14:18:29 | FusionSOC AI | Status changed: open → investigating
2026-03-24T14:18:29 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T14:18:29 | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T14:18:29 | FusionSOC | Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T14:18:29 | FusionSOC | Action tag → executed: Tag applied
2026-03-24T14:18:28 | FusionSOC | Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T14:18:28 | FusionSOC AI | Detection 6bb3d96f-cd0c-45e8-964b-352d69c19e55 triaged as false_positive (low severity, confidence: 92%)
2026-03-24T14:18:28 | FusionSOC AI | Case created from detection: service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution