Case #491 — Agentic Cyber Defense

high closed suspicious

🏷️ Analyst Verdict Classification

SUSPICIOUS by analyst

🤖 AI Analysis

🔔 Detections (1)

Suspicious MsiExec Embedding Parent high

Rule: service.windows_process_creation/proc_creation_win_msiexec_embedding

Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...

Event Type: NEW_PROCESS

Confidence: 82% · Verdict: suspicious

Event Data:

COMMAND_LINE:

cmd.exe /C /Q C:\Users\JOYHOW~1\AppData\Local\Temp\qbngen.bat

FILE_IS_SIGNED:

FILE_PATH:

C:\Windows\System32\cmd.exe

HASH:

f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3

PARENT:

{'BASE_ADDRESS': 140696016846848, 'COMMAND_LINE': 'C:\\Windows\\System32\\MsiExec.exe -Embedding 054754E7437F0B6CCA61DB49F7C7425C', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\MsiExec.exe', 'HASH': '677417ba3ad87f73cd95ad30423998c6089e7eef381b309a562cda1eb6fe178e', 'MEMORY_USAGE': 14663680, 'PARENT_ATOM': 'ffb361e9a65ea31762c7273669c2a670', 'PARENT_PROCESS_ID': 38156, 'PROCESS_ID': 31932, 'THIS_ATOM': '0e2be6b24c56dfa0613f286f69c2a672', 'THREADS': 8, 'TIMESTAMP': 1774364274142, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}

PARENT_PROCESS_ID:

31932

PROCESS_ID:

42616

IOCs: {'type': 'file_path', 'value': 'C:\\Windows\\System32\\cmd.exe'} {'type': 'command_line', 'value': 'cmd.exe /C /Q C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\qbngen.bat'} {'type': 'hash', 'value': 'f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3'}

MITRE: T1059.001 T1059.002 T1560.001

Analyst Declaration:

📄 Raw Detection JSON

{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Suspicious MsiExec Embedding Parent",
  "detect": {
    "event": {
      "COMMAND_LINE": "cmd.exe /C /Q C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\qbngen.bat",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
      "HASH": "f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3",
      "PARENT": {
        "BASE_ADDRESS": 140696016846848,
        "COMMAND_LINE": "C:\\Windows\\System32\\MsiExec.exe -Embedding 054754E7437F0B6CCA61DB49F7C7425C",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\MsiExec.exe",
        "HASH": "677417ba3ad87f73cd95ad30423998c6089e7eef381b309a562cda1eb6fe178e",
        "MEMORY_USAGE": 14663680,
        "PARENT_ATOM": "ffb361e9a65ea31762c7273669c2a670",
        "PARENT_PROCESS_ID": 38156,
        "PROCESS_ID": 31932,
        "THIS_ATOM": "0e2be6b24c56dfa0613f286f69c2a672",
        "THREADS": 8,
        "TIMESTAMP": 1774364274142,
        "USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
      },
      "PARENT_PROCESS_ID": 31932,
      "PROCESS_ID": 42616
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "477deada-6773-4dab-8aad-cac34beb08b6",
      "event_time": 1774364678338,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": 895,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "0e2be6b24c56dfa0613f286f69c2a672",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_disk",
        "yara_detection_memory"
      ],
      "this": "c2b040a48b6fe4f4b5c4a89569c2a806"
    }
  },
  "detect_id": "2429d4f9-85fb-487b-9178-e61869c2a807",
  "detect_mtd": {
    "author": "frack113",
    "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads",
    "falsepositives": [
      "Unknown"
    ],
    "level": "medium",
    "references": [
      "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md"
    ],
    "tags": [
      "attack.t1218.007",
      "attack.defense-evasion"
    ]
  },
  "gen_time": 1774364679237,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774364678\u0026selected=c2b040a48b6fe4f4b5c4a89569c2a806",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "477deada-6773-4dab-8aad-cac34beb08b6",
    "event_time": 1774364678338,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": 895,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "0e2be6b24c56dfa0613f286f69c2a672",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_disk",
      "yara_detection_memory"
    ],
    "this": "c2b040a48b6fe4f4b5c4a89569c2a806"
  },
  "rule_tags": [
    "ext:ext-sigma",
    "attack.t1218.007",
    "attack.defense-evasion"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_msiexec_embedding",
  "ts": 1774364679000
}

🌍 Threat Intel JSON

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 1,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

🤖 Triage JSON

{
  "confidence": 0.825,
  "false_positive_reason": null,
  "investigation_questions": [
    "What is the purpose of qbngen.bat?",
    "Has this user executed similar batch files before?",
    "Is there a legitimate application using msiexec with /Embedding flag?"
  ],
  "ioc_analysis": "The parent process (msiexec.exe) is running from its expected location in System32 and is Microsoft-signed, which is benign. However, the child process (cmd.exe) is executing a batch file from the user\u0027s temp directory using the /C flag, which indicates potential script execution. The use of msiexec with /Embedding to spawn cmd.exe is an advanced technique often used for persistence or evasion.",
  "iocs_extracted": [
    {
      "type": "file_path",
      "value": "C:\\Windows\\System32\\cmd.exe"
    },
    {
      "type": "command_line",
      "value": "cmd.exe /C /Q C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\qbngen.bat"
    },
    {
      "type": "hash",
      "value": "f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3"
    }
  ],
  "mitre_techniques": [
    "T1059.001",
    "T1059.002",
    "T1560.001"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Investigate the batch file qbngen.bat for malicious content",
    "Check user activity and permissions for JOYHOW~1",
    "Review msiexec.exe execution history for similar patterns",
    "Monitor for additional processes spawned by cmd.exe"
  ],
  "risk_score": 42,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.75\nThe detection flags a suspicious process creation where msiexec.exe spawns cmd.exe to execute a batch file from the user\u0027s temp directory. While msiexec is legitimate, the use of /Embedding flag and execution of arbitrary scripts via command line warrants further investigation.\n\n**IOC Analysis:** The parent process (msiexec.exe) is running from its expected location in System32 and is Microsoft-signed, which is benign. However, the child process (cmd.exe) is executing a batch file from the user\u0027s temp directory using the /C flag, which indicates potential script execution. The use of msiexec with /Embedding to spawn cmd.exe is an advanced technique often used for persistence or evasion.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe event involves a legitimate cmd.exe process running from the System32 directory, which is a standard Windows system binary. It is signed by Microsoft and spawned by MsiExec.exe, a legitimate process for software installation. The command line executes a batch file from the temp directory, but this is common for legitimate updates and may not indicate malicious activity.\n\n**IOC Analysis:** FILE_PATH: C:\\Windows\\System32\\cmd.exe is a known-good Windows system binary located in the expected directory, making it likely benign. HASH: f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3 is a signed Microsoft binary, confirming legitimacy. COMMAND_LINE: cmd.exe /C /Q C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\qbngen.bat points to a temp file, which could be part of legitimate software installation but lacks clear malicious indicators. PARENT_PROCESS_ID: 31932 corresponds to MsiExec.exe, which is a legitimate system component for embedding and installing software.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: suspicious (medium, 75% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.75,
        "model": "qwen3.5:4b",
        "verdict": "suspicious"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}

⚙️ Response Actions

Action	Target	Status	Result
tag	8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated	executed	Tag applied
recommended	Manual analyst review required — AI models (split)	executed	General Activity Sweep: 0 events found
recommended	Investigate the batch file qbngen.bat for malicious content	executed	File Activity Investigation: 0 events found
recommended	Check user activity and permissions for JOYHOW~1	executed	User Activity Investigation: 25 events found
recommended	Review msiexec.exe execution history for similar patterns	executed	General Activity Sweep: 0 events found
recommended	Monitor for additional processes spawned by cmd.exe	executed	Process Tree Investigation: 50 events found

📝 Add Note

💬 Notes (6)

🤖 FusionSOC AI 2026-03-24T15:47

📜 Timeline

2026-03-24T16:05:27

analyst

Status changed: investigating → closed

2026-03-24T16:05:25

analyst

Analyst classified as Suspicious (SUSPICIOUS)

2026-03-24T15:47:31

FusionSOC AI

Status changed: investigating → investigating

2026-03-24T15:47:31

FusionSOC

Action recommended → executed: Process Tree Investigation: 50 events found

2026-03-24T15:47:31

FusionSOC AI

Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Monitor for additional processes spawned by cmd.exe **Sensor:** `8f3a47be-56...

2026-03-24T15:47:29

FusionSOC

Response action queued: recommended on Monitor for additional processes spawned by cmd.exe

2026-03-24T15:47:29

FusionSOC AI

Status changed: investigating → investigating

2026-03-24T15:47:29

FusionSOC

Action recommended → executed: General Activity Sweep: 0 events found

2026-03-24T15:47:29

FusionSOC AI

Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Review msiexec.exe execution history for similar patterns **Sensor:** `8f3a47be-...

2026-03-24T15:47:29

FusionSOC

Response action queued: recommended on Review msiexec.exe execution history for similar patterns

2026-03-24T15:47:29

FusionSOC AI

Status changed: investigating → investigating

2026-03-24T15:47:29

FusionSOC

Action recommended → executed: User Activity Investigation: 25 events found

2026-03-24T15:47:29

FusionSOC AI

Note by FusionSOC AI: ## 🔍 User Activity Investigation **Action:** Check user activity and permissions for JOYHOW~1 **Sensor:** `8f3a47be-5629...

2026-03-24T15:47:28

FusionSOC

Response action queued: recommended on Check user activity and permissions for JOYHOW~1

2026-03-24T15:47:28

FusionSOC AI

Status changed: investigating → investigating

2026-03-24T15:47:28

FusionSOC

Action recommended → executed: File Activity Investigation: 0 events found

2026-03-24T15:47:28

FusionSOC AI

Note by FusionSOC AI: ## 🔍 File Activity Investigation **Action:** Investigate the batch file qbngen.bat for malicious content **Sensor:** `8f...

2026-03-24T15:47:26

FusionSOC

Response action queued: recommended on Investigate the batch file qbngen.bat for malicious content

2026-03-24T15:47:26

FusionSOC AI

Status changed: open → investigating

2026-03-24T15:47:26

FusionSOC

Action recommended → executed: General Activity Sweep: 0 events found

2026-03-24T15:47:26

FusionSOC AI

Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual analyst review required — AI models (split) **Sensor:** `8f3a47be-5629-4c...

2026-03-24T15:47:26

FusionSOC

Response action queued: recommended on Manual analyst review required — AI models (split)

2026-03-24T15:47:26

FusionSOC

Action tag → executed: Tag applied

2026-03-24T15:47:25

FusionSOC

Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated

2026-03-24T15:47:25

FusionSOC AI

Detection 2429d4f9-85fb-487b-9178-e61869c2a807 triaged as suspicious (high severity, confidence: 82%)

2026-03-24T15:47:25

FusionSOC AI

Case created from detection: service.windows_process_creation/proc_creation_win_msiexec_embedding