Case #552
service.windows_process_creation/proc_creation_win_cmd_dir_execution
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
File And SubFolder Enumeration Via Dir Command
low
Rule: service.windows_process_creation/proc_creation_win_cmd_dir_execution
Hostname: win-91lccq536b4 · Sensor: f8e98d83-79d8-4f...
Event Type: NEW_PROCESS
Confidence: 93% · Verdict: false positive
Event Data:
COMMAND_LINE:
"C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\pjhow\AppData\Local\Microsoft\OneDrive\26.032.0217.0003"
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\cmd.exe
HASH:
f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3
PARENT:
{'BASE_ADDRESS': 140697881149440, 'COMMAND_LINE': 'C:\\WINDOWS\\Explorer.EXE', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\WINDOWS\\Explorer.EXE', 'HASH': '6d560ce5e75149dffe1b67f0a9f1a0717c9996d50ef2dbf3349b251b64c3a195', 'MEMORY_USAGE': 34713600, 'PARENT_ATOM': 'b4c888978aa0174f6ca942a969c30db5', 'PARENT_PROCESS_ID': 3324, 'PROCESS_ID': 1984, 'THIS_ATOM': '95030fcbb1b0f80539943cfe69c30db5', 'THREADS': 11, 'TIMESTAMP': 1774390708232, 'USER_NAME': 'WIN-91LCCQ536B4\\pjhow'}
PARENT_PROCESS_ID:
1984
PROCESS_ID:
8684
IOCs:
C:\Windows\System32\cmd.exe
C:\WINDOWS\Explorer.EXE
C:\Users\pjhow\AppData\Local\Microsoft\OneDrive\26.032.0217.0003
f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3
MITRE:
T1083
Analyst Declaration:
Raw Detection JSON
{
"author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
"cat": "File And SubFolder Enumeration Via Dir Command",
"detect": {
"event": {
"COMMAND_LINE": "\"C:\\Windows\\System32\\cmd.exe\" /q /c rmdir /s /q \"C:\\Users\\pjhow\\AppData\\Local\\Microsoft\\OneDrive\\26.032.0217.0003\"",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
"HASH": "f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3",
"PARENT": {
"BASE_ADDRESS": 140697881149440,
"COMMAND_LINE": "C:\\WINDOWS\\Explorer.EXE",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\WINDOWS\\Explorer.EXE",
"HASH": "6d560ce5e75149dffe1b67f0a9f1a0717c9996d50ef2dbf3349b251b64c3a195",
"MEMORY_USAGE": 34713600,
"PARENT_ATOM": "b4c888978aa0174f6ca942a969c30db5",
"PARENT_PROCESS_ID": 3324,
"PROCESS_ID": 1984,
"THIS_ATOM": "95030fcbb1b0f80539943cfe69c30db5",
"THREADS": 11,
"TIMESTAMP": 1774390708232,
"USER_NAME": "WIN-91LCCQ536B4\\pjhow"
},
"PARENT_PROCESS_ID": 1984,
"PROCESS_ID": 8684
},
"routing": {
"arch": 2,
"did": "",
"event_id": "1aed3bda-8d0a-4197-a0c4-d48d107fa0d6",
"event_time": 1774390753828,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "win-91lccq536b4",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.170",
"latency": 2062,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "95030fcbb1b0f80539943cfe69c30db5",
"plat": 268435456,
"sid": "f8e98d83-79d8-4ff7-9fe1-7c507dad89e4",
"tags": [
"frontdesk",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-investigated",
"windows",
"yara_detection_memory"
],
"this": "90b39f0e0cde9f9038265a8d69c30de3"
}
},
"detect_id": "8a546ef2-ab5b-4def-ba23-c10469c30de3",
"detect_mtd": {
"author": "frack113",
"description": "Detects usage of the \"dir\" command part of Windows CMD with the \"/S\" command line flag in order to enumerate files in a specified directory and all subdirectories.\n",
"falsepositives": [
"Likely"
],
"level": "low",
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md"
],
"tags": [
"attack.discovery",
"attack.t1217"
]
},
"gen_time": 1774390755892,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/f8e98d83-79d8-4ff7-9fe1-7c507dad89e4/timeline?time=1774390753\u0026selected=90b39f0e0cde9f9038265a8d69c30de3",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "1aed3bda-8d0a-4197-a0c4-d48d107fa0d6",
"event_time": 1774390753828,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "win-91lccq536b4",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.170",
"latency": 2062,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "95030fcbb1b0f80539943cfe69c30db5",
"plat": 268435456,
"sid": "f8e98d83-79d8-4ff7-9fe1-7c507dad89e4",
"tags": [
"frontdesk",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-investigated",
"windows",
"yara_detection_memory"
],
"this": "90b39f0e0cde9f9038265a8d69c30de3"
},
"rule_tags": [
"ext:ext-sigma",
"attack.discovery",
"attack.t1217"
],
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.f8e98d83-79d8-4ff7-9fe1-7c507dad89e4.10000000.2",
"source_rule": "service.windows_process_creation/proc_creation_win_cmd_dir_execution",
"ts": 1774390755000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 1,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
Triage JSON
{
"confidence": 0.933,
"false_positive_reason": "Legitimate system or application maintenance activity by a signed vendor binary (Microsoft OneDrive)",
"investigation_questions": [
"Was there a OneDrive update or installation event around this time?"
],
"ioc_analysis": "All binaries involved (cmd.exe and Explorer.EXE) are legitimate, signed Microsoft system files located in their expected directories. The target directory \u0027C:\\Users\\pjhow\\AppData\\Local\\Microsoft\\OneDrive\\\u0027 is a standard location for OneDrive application data.",
"iocs_extracted": [
"C:\\Windows\\System32\\cmd.exe",
"C:\\WINDOWS\\Explorer.EXE",
"C:\\Users\\pjhow\\AppData\\Local\\Microsoft\\OneDrive\\26.032.0217.0003",
"f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3"
],
"mitre_techniques": [
"T1083"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Whitelist known-good OneDrive maintenance paths in the detection rule logic",
"Update rule regex to distinguish between \u0027dir\u0027 (enumeration) and \u0027rmdir\u0027 (deletion)"
],
"risk_score": 8,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe command line shows a standard directory removal operation executed by cmd.exe to clean up an old Microsoft OneDrive version folder (26.032.0217.0003) in the user\u0027s AppData directory. This is consistent with legitimate application maintenance and updates, and matches several previous false positive judgments for this rule.\n\n**IOC Analysis:** All binaries involved (cmd.exe and Explorer.EXE) are legitimate, signed Microsoft system files located in their expected directories. The target directory \u0027C:\\Users\\pjhow\\AppData\\Local\\Microsoft\\OneDrive\\\u0027 is a standard location for OneDrive application data.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because cmd.exe is a legitimate Windows system binary executing from its expected location (System32) with Microsoft digital signature. The command removes OneDrive cache files, which is consistent with normal user activity or legitimate cleanup processes.\n\n**IOC Analysis:** The process cmd.exe is running from C:\\Windows\\System32\\cmd.exe, a known-good Windows system binary location. The file is signed (FILE_IS_SIGNED: 1) and the hash matches Microsoft\u0027s official cmd.exe signature. The command line removes OneDrive cache directories, which is a common legitimate operation for users or maintenance tools.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection involves a legitimate system process, cmd.exe, spawned by Explorer.EXE, attempting to delete a OneDrive-related folder. 
Given the context and historical false positive feedback, this is likely benign system activity.\n\n**IOC Analysis:** The FILE_PATH C:\\Windows\\System32\\cmd.exe is a known Windows system binary located in its expected directory, making it legitimate. The hash is signed, indicating it\u0027s likely Microsoft-signed. The command line uses cmd.exe to delete a OneDrive folder, which could be part of normal maintenance or updates, but without additional malicious indicators, it\u0027s considered benign.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 95% confidence)",
"qwen3.5:4b: false_positive (low, 95% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
Notes (10)
FusionSOC AI
2026-03-24T23:18
FusionSOC AI
2026-03-24T23:18
FusionSOC AI
2026-03-24T23:18
FusionSOC AI
2026-03-24T22:57
FusionSOC AI
2026-03-24T22:57
FusionSOC AI
2026-03-24T22:57
FusionSOC AI
2026-03-24T22:51
FusionSOC AI
2026-03-24T22:51
FusionSOC AI
2026-03-24T22:51
FusionSOC AI
2026-03-24T22:51
Timeline
2026-03-25T12:57:16
analyst
Status changed: investigating → closed
2026-03-24T23:18:53
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T23:18:53
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:18:53
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Update rule regex to distinguish between 'dir' (enumeration) and 'rmdir' (deleti...
2026-03-24T23:18:52
FusionSOC
Response action queued: recommended on Update rule regex to distinguish between 'dir' (enumeration) and 'rmdir' (deletion)
2026-03-24T23:18:52
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T23:18:52
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:18:52
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Whitelist known-good OneDrive maintenance paths in the detection rule logic **Se...
2026-03-24T23:18:52
FusionSOC
Response action queued: recommended on Whitelist known-good OneDrive maintenance paths in the detection rule logic
2026-03-24T23:18:52
FusionSOC AI
Status changed: closed → investigating
2026-03-24T23:18:52
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:18:52
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `f8e98d83-79d8-4...
2026-03-24T23:18:52
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T23:18:52
FusionSOC
Action tag → executed: Tag applied
2026-03-24T23:18:51
FusionSOC
Response action queued: tag on f8e98d83-79d8-4ff7-9fe1-7c507dad89e4:fusionsoc-investigated
2026-03-24T23:14:37
analyst
Status changed: investigating → closed
2026-03-24T23:14:32
analyst
Analyst classified as False Positive (FP)
2026-03-24T22:57:14
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T22:57:14
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T22:57:14
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Whitelist versioned directory paths within the OneDrive AppData structure. **Sen...
2026-03-24T22:57:14
FusionSOC
Response action queued: recommended on Whitelist versioned directory paths within the OneDrive AppData structure.
2026-03-24T22:57:14
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T22:57:14
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T22:57:14
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Refine the detection rule to avoid matching 'rmdir' as 'dir' execution. **Sensor...
2026-03-24T22:57:13
FusionSOC
Response action queued: recommended on Refine the detection rule to avoid matching 'rmdir' as 'dir' execution.
2026-03-24T22:57:13
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T22:57:13
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T22:57:13
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `f8e98d83-79d8-4...
2026-03-24T22:57:13
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T22:57:13
FusionSOC
Action tag → executed: Tag applied
2026-03-24T22:57:13
FusionSOC
Response action queued: tag on f8e98d83-79d8-4ff7-9fe1-7c507dad89e4:fusionsoc-investigated
2026-03-24T22:51:56
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T22:51:56
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T22:51:56
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** No further investigation is required as this matches established benign behavior...
2026-03-24T22:51:55
FusionSOC
Response action queued: recommended on No further investigation is required as this matches established benign behavior for OneDrive maintenance.
2026-03-24T22:51:55
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T22:51:55
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T22:51:55
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close the alert as a false positive. **Sensor:** `f8e98d83-79d8-4f...` **Time Wi...
2026-03-24T22:51:55
FusionSOC
Response action queued: recommended on Close the alert as a false positive.
2026-03-24T22:51:55
FusionSOC AI
Status changed: open → investigating
2026-03-24T22:51:55
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T22:51:55
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `f8e98d83-79d8-4...
2026-03-24T22:51:55
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T22:51:55
FusionSOC
Action tag → executed: Tag applied
2026-03-24T22:51:55
FusionSOC
Response action queued: tag on f8e98d83-79d8-4ff7-9fe1-7c507dad89e4:fusionsoc-investigated
2026-03-24T22:51:54
FusionSOC AI
Detection 8a546ef2-ab5b-4def-ba23-c10469c30de3 triaged as false_positive (low severity, confidence: 95%)
2026-03-24T22:51:54
FusionSOC AI
Case created from detection: service.windows_process_creation/proc_creation_win_cmd_dir_execution