Severity: low · Status: closed · Verdict: false positive

Analyst Verdict Classification

FP by analyst

AI Analysis

Detections (1)

Non Interactive PowerShell Process Spawned (severity: low)
Rule: service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 92% · Verdict: false positive
Event Data:
COMMAND_LINE:
PowerShell Get-Module -ListAvailable PowerShellGet
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HASH:
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
MEMORY_USAGE:
40960
PARENT:
  BASE_ADDRESS: 140698856259584
  COMMAND_LINE: cmd.exe /C C:\Windows\TEMP\pld368E.tmp.bat T1567.003
  FILE_IS_SIGNED: 1
  FILE_PATH: C:\Windows\System32\cmd.exe
  HASH: 3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2
  MEMORY_USAGE: 4661248
  PARENT_ATOM: d2b1ecad7af81b32ac16ae0d69c2a7fe
  PARENT_PROCESS_ID: 3496
  PROCESS_ID: 7640
  THIS_ATOM: 45e4e3418a6f8c858f274b1569c2a828
  THREADS: 3
  TIMESTAMP: 1774364711483
  USER_NAME: NT AUTHORITY\SYSTEM
PARENT_PROCESS_ID:
7640
PROCESS_ID:
7880
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs:
  file_path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  hash: de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c
Analyst Declaration:
Raw Detection JSON
{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Non Interactive PowerShell Process Spawned",
  "detect": {
    "event": {
      "COMMAND_LINE": "PowerShell  Get-Module -ListAvailable PowerShellGet ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 40960,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld368E.tmp.bat T1567.003 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4661248,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 7640,
        "THIS_ATOM": "45e4e3418a6f8c858f274b1569c2a828",
        "THREADS": 3,
        "TIMESTAMP": 1774364711483,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 7640,
      "PROCESS_ID": 7880,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "e3c3499a-7b01-46c7-835b-0b28b327e413",
      "event_time": 1774364711607,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 2596,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "45e4e3418a6f8c858f274b1569c2a828",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "62828925f1dea4b7228c90ac69c2a829"
    }
  },
  "detect_id": "e87aa7db-7768-4cc8-9593-17b869c2a82a",
  "detect_mtd": {
    "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
    "description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
    "falsepositives": [
      "Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies"
    ],
    "level": "low",
    "references": [
      "https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html"
    ],
    "tags": [
      "attack.execution",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364714207,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364711\u0026selected=62828925f1dea4b7228c90ac69c2a829",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "e3c3499a-7b01-46c7-835b-0b28b327e413",
    "event_time": 1774364711607,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 2596,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "45e4e3418a6f8c858f274b1569c2a828",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "62828925f1dea4b7228c90ac69c2a829"
  },
  "rule_tags": [
    "ext:ext-sigma",
    "attack.execution",
    "attack.t1059.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution",
  "ts": 1774364714000
}
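The rule metadata above states the logic (a powershell image whose parent is not a user GUI process such as explorer.exe) and warns that admin batch scripts trip it often, advising additional filters or use as a hunting lead. None of the three model votes in this case quotes the parent's command line, although the event carries it: cmd.exe running a .bat from C:\Windows\TEMP with a token in MITRE ATT&CK technique-ID form (T1567.003). The following is an added example, not the Sigma rule's own logic nor FusionSOC or LimaCharlie code: a Python approximation of the rule plus a parent-chain enrichment, run over an event constructed from this case's raw detection JSON. INTERACTIVE_PARENTS and TEMP_DIRS are assumed placeholder lists, not the rule's real filter set, and the flags are prompts for the reviewer, not a verdict.

```python
import re
from typing import Any

# Process-creation event constructed from this case's raw detection JSON
# (only the fields the logic below reads); nothing is fetched from a sensor.
SAMPLE_EVENT: dict[str, Any] = {
    "FILE_PATH": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "COMMAND_LINE": "PowerShell  Get-Module -ListAvailable PowerShellGet ",
    "FILE_IS_SIGNED": 1,
    "USER_NAME": r"NT AUTHORITY\SYSTEM",
    "PARENT": {
        "FILE_PATH": r"C:\Windows\System32\cmd.exe",
        "COMMAND_LINE": r"cmd.exe /C C:\Windows\TEMP\pld368E.tmp.bat T1567.003 ",
        "USER_NAME": r"NT AUTHORITY\SYSTEM",
    },
}

POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
# Parents that mean a user launched the shell. Assumed placeholder for the
# rule description's "user GUI process such as explorer.exe"; the Sigma
# rule's actual filter list is not reproduced here.
INTERACTIVE_PARENTS = ("\\explorer.exe",)
# Where dropped or staged scripts typically live (assumed list).
TEMP_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")
# MITRE ATT&CK technique-ID form: T1234 or T1234.001.
ATTACK_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def _image_is(path: str, suffixes: tuple[str, ...]) -> bool:
    """Case-insensitive 'image ends with' test, like Sigma's |endswith."""
    low = path.lower()
    return any(low.endswith(s.lower()) for s in suffixes)


def non_interactive_powershell(event: dict[str, Any]) -> bool:
    """Rule core: a PowerShell image whose parent is not an interactive shell."""
    if not _image_is(event.get("FILE_PATH", ""), POWERSHELL_IMAGES):
        return False
    parent_path = event.get("PARENT", {}).get("FILE_PATH", "")
    return not _image_is(parent_path, INTERACTIVE_PARENTS)


def review_flags(event: dict[str, Any]) -> list[str]:
    """Parent-chain facts a triager should read before closing as FP.

    Each flag names something the child's own path, signature and command
    line cannot settle. They are prompts for a human, not a verdict.
    """
    flags: list[str] = []
    parent = event.get("PARENT", {})
    pcmd = parent.get("COMMAND_LINE", "")
    pcmd_low = pcmd.lower()

    if _image_is(parent.get("FILE_PATH", ""), ("\\cmd.exe",)) and (
        ".bat" in pcmd_low or ".cmd" in pcmd_low
    ):
        flags.append("parent is cmd.exe running a batch script")
    if any(d in pcmd_low for d in TEMP_DIRS):
        flags.append("parent's script lives in a temp directory")
    for tid in ATTACK_ID.findall(pcmd):
        flags.append(f"parent command line carries ATT&CK-style id {tid}")
    if event.get("USER_NAME", "").upper().endswith("\\SYSTEM"):
        flags.append("runs as SYSTEM: identify the service or task that started the chain")
    return flags


def triage(event: dict[str, Any]) -> dict[str, Any]:
    """Bundle the rule verdict with the context the reviewer needs."""
    return {
        "rule_matches": non_interactive_powershell(event),
        "child_cmd": event.get("COMMAND_LINE", "").strip(),
        "parent_cmd": event.get("PARENT", {}).get("COMMAND_LINE", "").strip(),
        "review_flags": review_flags(event),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the rule verdict, both command lines and the four flags for this case's event; the same child event with explorer.exe as parent does not match the rule at all, which is the filter the metadata describes.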
Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
Triage JSON
{
  "confidence": 0.925,
  "false_positive_reason": "PowerShell.exe running from System32 with Microsoft signature executing benign diagnostic command; consistent with historical false positive patterns for this rule type",
  "investigation_questions": [
    "Is there any evidence of PowerShellGet module being used for malicious purposes?",
    "Are there other suspicious processes spawned by this parent PID?"
  ],
  "ioc_analysis": "The process path C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe matches known-good Windows system binary locations. The file hash corresponds to the legitimate Microsoft-signed PowerShell executable, and FILE_IS_SIGNED is true. The command line \u0027Get-Module -ListAvailable PowerShellGet\u0027 is a standard administrative diagnostic command, not indicative of malicious activity.",
  "iocs_extracted": [
    {
      "type": "file_path",
      "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    },
    {
      "type": "hash",
      "value": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"
    }
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Log this event as a false positive in the SIEM",
    "No immediate action required - allow process to continue",
    "Monitor for any unusual child processes if they appear malicious"
  ],
  "risk_score": 10,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because PowerShell.exe is running from its expected location in System32, is Microsoft-signed, and is executing a benign diagnostic command (Get-Module). The parent process chain indicates legitimate system activity.\n\n**IOC Analysis:** The process path C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe matches known-good Windows system binary locations. The file hash corresponds to the legitimate Microsoft-signed PowerShell executable, and FILE_IS_SIGNED is true. The command line \u0027Get-Module -ListAvailable PowerShellGet\u0027 is a standard administrative diagnostic command, not indicative of malicious activity.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection flagged a PowerShell process spawn, but it is running from a legitimate System32 location with a signed hash and user SYSTEM, suggesting a false positive due to common administrative tasks.\n\n**IOC Analysis:** FILE_PATH is a known legitimate PowerShell executable in System32, which is expected for system binaries. HASH is Microsoft-signed, indicating it is likely a legitimate binary. The command \u0027PowerShell Get-Module -ListAvailable PowerShellGet\u0027 is a common administrative task for module availability checks and does not inherently indicate malicious activity.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}
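The triage JSON above reports "UNANIMOUS (2/2)" with total_models 2 and auto_action auto_close_fp, while its own summary lists three models and records the primary, gemini-cli, as "Failed or timed out": the failed model dropped out of the denominator, so a two-model agreement counted as a unanimous panel and the close action fired. Added example, not FusionSOC's code: a Python tally that keeps every configured model in the denominator, marks the result degraded when a model returns nothing, and withholds auto-close in that case so the case goes to a human. CONFIGURED_MODELS and the 0.8 confidence floor are assumptions; the votes are constructed from the summary above.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vote:
    model: str
    verdict: Optional[str]      # None: the model failed or timed out
    confidence: float = 0.0


# Constructed from this case's triage summary: the primary failed, the two
# secondaries answered false_positive at 0.95 and 0.90. The model set is an
# assumption based on the three names the summary lists.
CONFIGURED_MODELS = ("gemini-cli", "qwen3.5:4b", "deepseek-r1:8b")
CASE_VOTES = (
    Vote("gemini-cli", None),
    Vote("qwen3.5:4b", "false_positive", 0.95),
    Vote("deepseek-r1:8b", "false_positive", 0.90),
)


def tally(votes, configured=CONFIGURED_MODELS, mode="unanimous", min_confidence=0.8):
    """Aggregate model verdicts with the configured model set as denominator.

    A model that returned nothing still counts against agreement, so a
    degraded panel can agree among itself but cannot reach 'unanimous' and
    cannot trigger auto-close; the case is handed to a human instead.
    """
    by_model = {v.model: v for v in votes}
    answered = [by_model[m] for m in configured
                if m in by_model and by_model[m].verdict is not None]
    missing = [m for m in configured
               if m not in by_model or by_model[m].verdict is None]

    counts = Counter(v.verdict for v in answered)
    winner, count = counts.most_common(1)[0] if counts else (None, 0)

    if mode == "unanimous":
        agreed = count == len(configured)
    elif mode == "majority":
        agreed = count * 2 > len(configured)
    else:
        raise ValueError(f"unknown mode {mode!r}")

    # Weakest supporter of the winning verdict gates the automatic action.
    lowest = min((v.confidence for v in answered if v.verdict == winner), default=0.0)
    auto_close = agreed and winner == "false_positive" and lowest >= min_confidence

    return {
        "winning_verdict": winner,
        "winning_count": count,
        "total_models": len(configured),
        "missing_models": missing,
        "degraded": bool(missing),
        "vote_summary": [f"{v.model}: {v.verdict} ({v.confidence:.0%})" for v in answered]
                        + [f"{m}: no verdict" for m in missing],
        "auto_action": "auto_close_fp" if auto_close else "needs_human_review",
    }


if __name__ == "__main__":
    for key, value in tally(CASE_VOTES).items():
        print(f"{key}: {value}")
```

For this case's votes the result is false_positive 2 of 3 with gemini-cli listed as missing and auto_action needs_human_review; only when all three configured models answer false_positive above the floor does auto_close_fp come back. The analyst here reached the same FP conclusion, but the point is that the close should have been theirs to make while the panel was degraded.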

โš™๏ธ Response Actions

Action Target Status Result
tag e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated failed 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
recommended Close case as false positive (unanimous AI verdict) executed General Activity Sweep: 0 events found
recommended Log the event for audit purposes executed General Activity Sweep: 0 events found
recommended No immediate action required as this is a known benign system process executed Process Tree Investigation: 75 events found
tag e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated failed 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
recommended Close case as false positive (unanimous AI verdict) executed General Activity Sweep: 0 events found
recommended Log this event for audit purposes only executed General Activity Sweep: 0 events found
recommended No immediate remediation required executed General Activity Sweep: 0 events found
recommended Continue monitoring parent process chain executed Process Tree Investigation: 75 events found
tag e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated failed 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
recommended Close case as false positive (unanimous AI verdict) executed General Activity Sweep: 0 events found
recommended Log this event as a false positive in the SIEM executed General Activity Sweep: 0 events found
recommended No immediate action required - allow process to continue executed Process Tree Investigation: 75 events found
recommended Monitor for any unusual child processes if they appear malicious executed Process Tree Investigation: 75 events found

Notes (12)

FusionSOC AI, 2026-03-24T19:59 (4 notes)
FusionSOC AI, 2026-03-24T19:43 (4 notes)
FusionSOC AI, 2026-03-24T17:41 (4 notes)

Timeline

2026-03-24T23:14:37 [analyst] Status changed: investigating → closed
2026-03-24T23:14:32 [analyst] Analyst classified as False Positive (FP)
2026-03-24T19:59:12 [FusionSOC AI] Status changed: investigating → investigating
2026-03-24T19:59:12 [FusionSOC] Action recommended → executed: Process Tree Investigation: 75 events found
2026-03-24T19:59:12 [FusionSOC AI] Note by FusionSOC AI: ## Process Tree Investigation **Action:** Monitor for any unusual child processes if they appear malicious **Sensor:**...
2026-03-24T19:59:11 [FusionSOC] Response action queued: recommended on Monitor for any unusual child processes if they appear malicious
2026-03-24T19:59:11 [FusionSOC AI] Status changed: investigating → investigating
2026-03-24T19:59:11 [FusionSOC] Action recommended → executed: Process Tree Investigation: 75 events found
2026-03-24T19:59:11 [FusionSOC AI] Note by FusionSOC AI: ## Process Tree Investigation **Action:** No immediate action required - allow process to continue **Sensor:** `e4a1c6...
2026-03-24T19:59:10 [FusionSOC] Response action queued: recommended on No immediate action required - allow process to continue
2026-03-24T19:59:10 [FusionSOC AI] Status changed: investigating → investigating
2026-03-24T19:59:10 [FusionSOC] Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T19:59:10 [FusionSOC AI] Note by FusionSOC AI: ## General Activity Sweep **Action:** Log this event as a false positive in the SIEM **Sensor:** `e4a1c62d-4d1f-44...`...
2026-03-24T19:59:10 [FusionSOC] Response action queued: recommended on Log this event as a false positive in the SIEM
2026-03-24T19:59:10 [FusionSOC AI] Status changed: investigating → investigating
2026-03-24T19:59:10 [FusionSOC] Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T19:59:10 [FusionSOC AI] Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-24T19:59:10 [FusionSOC] Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T19:59:10 [FusionSOC] Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T19:59:10 [FusionSOC] Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T19:43:34 [FusionSOC AI] Status changed: investigating → investigating
2026-03-24T19:43:34 [FusionSOC] Action recommended → executed: Process Tree Investigation: 75 events found
2026-03-24T19:43:34 [FusionSOC AI] Note by FusionSOC AI: ## Process Tree Investigation **Action:** Continue monitoring parent process chain **Sensor:** `e4a1c62d-4d1f-44...` *...
2026-03-24T19:43:33 [FusionSOC] Response action queued: recommended on Continue monitoring parent process chain
2026-03-24T19:43:33 [FusionSOC AI] Status changed: investigating → investigating
2026-03-24T19:43:33 [FusionSOC] Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T19:43:33 [FusionSOC AI] Note by FusionSOC AI: ## General Activity Sweep **Action:** No immediate remediation required **Sensor:** `e4a1c62d-4d1f-44...` **Time Windo...
2026-03-24T19:43:33 [FusionSOC] Response action queued: recommended on No immediate remediation required
2026-03-24T19:43:33 [FusionSOC AI] Status changed: investigating → investigating
2026-03-24T19:43:33 [FusionSOC] Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T19:43:33 [FusionSOC AI] Note by FusionSOC AI: ## General Activity Sweep **Action:** Log this event for audit purposes only **Sensor:** `e4a1c62d-4d1f-44...` **Time ...
2026-03-24T19:43:33 [FusionSOC] Response action queued: recommended on Log this event for audit purposes only
2026-03-24T19:43:33 [FusionSOC AI] Status changed: investigating → investigating
2026-03-24T19:43:33 [FusionSOC] Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T19:43:33 [FusionSOC AI] Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-24T19:43:32 [FusionSOC] Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T19:43:32 [FusionSOC] Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T19:43:32 [FusionSOC] Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T17:41:02 [FusionSOC AI] Status changed: investigating → investigating
2026-03-24T17:41:02 [FusionSOC] Action recommended → executed: Process Tree Investigation: 75 events found
2026-03-24T17:41:02 [FusionSOC AI] Note by FusionSOC AI: ## Process Tree Investigation **Action:** No immediate action required as this is a known benign system process **Sens...
2026-03-24T17:41:01 [FusionSOC] Response action queued: recommended on No immediate action required as this is a known benign system process
2026-03-24T17:41:01 [FusionSOC AI] Status changed: investigating → investigating
2026-03-24T17:41:01 [FusionSOC] Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:41:01 [FusionSOC AI] Note by FusionSOC AI: ## General Activity Sweep **Action:** Log the event for audit purposes **Sensor:** `e4a1c62d-4d1f-44...` **Time Window...
2026-03-24T17:41:01 [FusionSOC] Response action queued: recommended on Log the event for audit purposes
2026-03-24T17:41:01 [FusionSOC AI] Status changed: open → investigating
2026-03-24T17:41:01 [FusionSOC] Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:41:01 [FusionSOC AI] Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-24T17:41:00 [FusionSOC] Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T17:41:00 [FusionSOC] Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T17:41:00 [FusionSOC] Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T17:41:00 [FusionSOC AI] Detection e87aa7db-7768-4cc8-9593-17b869c2a82a triaged as false_positive (low severity, confidence: 92%)
2026-03-24T17:41:00 [FusionSOC AI] Case created from detection: service.windows_process_creation/proc_creation_win_powershell_non_interactive_execution