{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Change PowerShell Policies to an Insecure Level",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1567.003 -CheckPrereqs ; Invoke-AtomicTest T1567.003 -GetPrereqs ; Invoke-AtomicTest T1567.003 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 143122432,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld368E.tmp.bat T1567.003 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4661248,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 7640,
        "THIS_ATOM": "45e4e3418a6f8c858f274b1569c2a828",
        "THREADS": 3,
        "TIMESTAMP": 1774364711483,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 7640,
      "PROCESS_ID": 3268,
      "THREADS": 33,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "db1e086f-3311-40f1-a0bf-1eded3473d79",
      "event_time": 1774364713278,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3047,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "45e4e3418a6f8c858f274b1569c2a828",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "59a8d473d7fb33057005984369c2a82b"
    }
  },
  "detect_id": "4d77b089-f0b1-4562-99b1-0dc569c2a82c",
  "detect_mtd": {
    "author": "frack113",
    "description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
    "falsepositives": [
      "Administrator scripts"
    ],
    "level": "medium",
    "references": [
      "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
      "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4",
      "https://adsecurity.org/?p=2604",
      "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/"
    ],
    "tags": [
      "attack.execution",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364716327,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364713\u0026selected=59a8d473d7fb33057005984369c2a82b",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "db1e086f-3311-40f1-a0bf-1eded3473d79",
    "event_time": 1774364713278,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3047,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "45e4e3418a6f8c858f274b1569c2a828",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "59a8d473d7fb33057005984369c2a82b"
  },
  "rule_tags": [
    "attack.execution",
    "attack.t1059.001",
    "ext:ext-sigma"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level",
  "ts": 1774364716000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.933,
  "false_positive_reason": "authorized_testing",
  "investigation_questions": [
    "Is df-labsdc01 a dedicated sandbox or development host?",
    "Does the organization have a policy for marking authorized testing activity with specific tags or identifiers?"
  ],
  "ioc_analysis": "The binary powershell.exe is a signed Microsoft component running from the expected System32 directory. Although the command line performs insecure actions such as disabling Real-time Monitoring (Set-MpPreference) and setting an Unrestricted execution policy, these are standard operations for the Atomic Red Team framework when simulating adversary behavior in a controlled environment.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1",
    "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"
  ],
  "mitre_techniques": [
    "T1562.001",
    "T1059.001",
    "T1567.003",
    "T1081"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Verify with the security team if Atomic Red Team testing is currently scheduled for the \u0027df-lab\u0027 environment.",
    "Consider adding a suppression rule for Atomic Red Team activity specifically on designated lab hosts to reduce alert fatigue."
  ],
  "risk_score": 33,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detection identifies the execution of the Atomic Red Team (ART) security testing framework on a lab domain controller (df-labsdc01.dflabs.local). The command line explicitly involves downloading the ART installation script from its official GitHub repository and invoking tests for MITRE technique T1567.003 (Exfiltration Over Web Service).\n\n**IOC Analysis:** The binary powershell.exe is a signed Microsoft component running from the expected System32 directory. Although the command line performs insecure actions such as disabling Real-time Monitoring (Set-MpPreference) and setting an Unrestricted execution policy, these are standard operations for the Atomic Red Team framework when simulating adversary behavior in a controlled environment.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis event is a false positive because the PowerShell process is running from its legitimate location (System32), is Microsoft-signed, and uses standard system credentials (NT AUTHORITY\\SYSTEM). The command line contains benign administrative commands including policy setting and package provider installation.\n\n**IOC Analysis:** The process path C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe matches known-good Windows system binary locations. The file is signed (FILE_IS_SIGNED: 1) with a valid Microsoft hash. While the command line includes IEX and Invoke-AtomicTest, these are legitimate administrative operations when executed by SYSTEM in System32.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.85\nThe detection event involves a PowerShell process running as SYSTEM with a suspicious command line that modifies execution policies to unrestricted, changes security protocols, disables real-time monitoring, and downloads malicious scripts. This behavior is highly indicative of an attempt to compromise system security.\n\n**IOC Analysis:** The FILE_PATH is legitimate (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe), but the command line includes malicious actions like setting execution policy to unrestricted, downloading and executing scripts from GitHub, and disabling security monitoring. The HASH is for a Microsoft-signed PowerShell, but the context suggests abuse. The PARENT_PROCESS_ID indicates a cmd.exe from a temporary file, which is suspicious.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 100% confidence)",
      "qwen3.5:4b: false_positive (informational, 95% confidence)",
      "deepseek-r1:8b: true_positive (high, 85% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.85,
        "model": "deepseek-r1:8b",
        "verdict": "true_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}