Case #553
service.windows_process_creation/proc_creation_win_cmd_dir_execution
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
File And SubFolder Enumeration Via Dir Command
low
Rule: service.windows_process_creation/proc_creation_win_cmd_dir_execution
Hostname: win-91lccq536b4 · Sensor: f8e98d83-79d8-4f...
Event Type: NEW_PROCESS
Confidence: 93% · Verdict: false positive
Event Data:
COMMAND_LINE:
"C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\pjhow\AppData\Local\Microsoft\OneDrive\26.026.0209.0004"
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Windows\System32\cmd.exe
HASH:
f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3
PARENT:
{'BASE_ADDRESS': 140697881149440, 'COMMAND_LINE': 'C:\\WINDOWS\\Explorer.EXE', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\WINDOWS\\Explorer.EXE', 'HASH': '6d560ce5e75149dffe1b67f0a9f1a0717c9996d50ef2dbf3349b251b64c3a195', 'MEMORY_USAGE': 34713600, 'PARENT_ATOM': 'b4c888978aa0174f6ca942a969c30db5', 'PARENT_PROCESS_ID': 3324, 'PROCESS_ID': 1984, 'THIS_ATOM': '95030fcbb1b0f80539943cfe69c30db5', 'THREADS': 11, 'TIMESTAMP': 1774390708232, 'USER_NAME': 'WIN-91LCCQ536B4\\pjhow'}
PARENT_PROCESS_ID:
1984
PROCESS_ID:
10260
IOCs:
C:\Windows\System32\cmd.exe
C:\Users\pjhow\AppData\Local\Microsoft\OneDrive\26.026.0209.0004
MITRE:
T1070.004
Analyst Declaration:
Raw Detection JSON
{
"author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
"cat": "File And SubFolder Enumeration Via Dir Command",
"detect": {
"event": {
"COMMAND_LINE": "\"C:\\Windows\\System32\\cmd.exe\" /q /c rmdir /s /q \"C:\\Users\\pjhow\\AppData\\Local\\Microsoft\\OneDrive\\26.026.0209.0004\"",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
"HASH": "f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3",
"PARENT": {
"BASE_ADDRESS": 140697881149440,
"COMMAND_LINE": "C:\\WINDOWS\\Explorer.EXE",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\WINDOWS\\Explorer.EXE",
"HASH": "6d560ce5e75149dffe1b67f0a9f1a0717c9996d50ef2dbf3349b251b64c3a195",
"MEMORY_USAGE": 34713600,
"PARENT_ATOM": "b4c888978aa0174f6ca942a969c30db5",
"PARENT_PROCESS_ID": 3324,
"PROCESS_ID": 1984,
"THIS_ATOM": "95030fcbb1b0f80539943cfe69c30db5",
"THREADS": 11,
"TIMESTAMP": 1774390708232,
"USER_NAME": "WIN-91LCCQ536B4\\pjhow"
},
"PARENT_PROCESS_ID": 1984,
"PROCESS_ID": 10260
},
"routing": {
"arch": 2,
"did": "",
"event_id": "26ec66aa-7697-43f9-a82e-51730d6ae47d",
"event_time": 1774390753800,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "win-91lccq536b4",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.170",
"latency": 2084,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "95030fcbb1b0f80539943cfe69c30db5",
"plat": 268435456,
"sid": "f8e98d83-79d8-4ff7-9fe1-7c507dad89e4",
"tags": [
"frontdesk",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-investigated",
"windows",
"yara_detection_memory"
],
"this": "26af88dbc68c12c9aed2421b69c30de3"
}
},
"detect_id": "9eca704a-5da7-448f-9d99-4f3669c30de3",
"detect_mtd": {
"author": "frack113",
"description": "Detects usage of the \"dir\" command part of Windows CMD with the \"/S\" command line flag in order to enumerate files in a specified directory and all subdirectories.\n",
"falsepositives": [
"Likely"
],
"level": "low",
"references": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md"
],
"tags": [
"attack.discovery",
"attack.t1217"
]
},
"gen_time": 1774390755885,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/f8e98d83-79d8-4ff7-9fe1-7c507dad89e4/timeline?time=1774390753\u0026selected=26af88dbc68c12c9aed2421b69c30de3",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "26ec66aa-7697-43f9-a82e-51730d6ae47d",
"event_time": 1774390753800,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "win-91lccq536b4",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.170",
"latency": 2084,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "95030fcbb1b0f80539943cfe69c30db5",
"plat": 268435456,
"sid": "f8e98d83-79d8-4ff7-9fe1-7c507dad89e4",
"tags": [
"frontdesk",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-investigated",
"windows",
"yara_detection_memory"
],
"this": "26af88dbc68c12c9aed2421b69c30de3"
},
"rule_tags": [
"ext:ext-sigma",
"attack.discovery",
"attack.t1217"
],
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.f8e98d83-79d8-4ff7-9fe1-7c507dad89e4.10000000.2",
"source_rule": "service.windows_process_creation/proc_creation_win_cmd_dir_execution",
"ts": 1774390755000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 1,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
Triage JSON
{
"confidence": 0.933,
"false_positive_reason": "Legitimate software maintenance and cleanup of versioned application directories (OneDrive).",
"investigation_questions": [
"Confirm if any other unexpected commands were executed by Explorer.EXE or cmd.exe around the same timestamp."
],
"ioc_analysis": "The process binary C:\\Windows\\System32\\cmd.exe is a trusted system file and is digitally signed by Microsoft (FILE_IS_SIGNED: 1). The target path within the user\u0027s AppData\\Local\\Microsoft\\OneDrive directory follows standard naming conventions for versioned installation data, making its deletion a routine and benign operation rather than malicious data destruction.",
"iocs_extracted": [
"C:\\Windows\\System32\\cmd.exe",
"C:\\Users\\pjhow\\AppData\\Local\\Microsoft\\OneDrive\\26.026.0209.0004"
],
"mitre_techniques": [
"T1070.004"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"No further action is required as this matches known benign application behavior.",
"Whitelists or exclusions could be considered for rmdir operations targeting versioned subdirectories within the Microsoft\\OneDrive path to reduce alert noise."
],
"risk_score": 8,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection event indicates cmd.exe executing a recursive directory removal command targeting a specific Microsoft OneDrive versioned folder. This behavior is consistent with legitimate application maintenance, update cleanup, or sync-related housekeeping performed by the OneDrive client or user-initiated deletion of old version artifacts.\n\n**IOC Analysis:** The process binary C:\\Windows\\System32\\cmd.exe is a trusted system file and is digitally signed by Microsoft (FILE_IS_SIGNED: 1). The target path within the user\u0027s AppData\\Local\\Microsoft\\OneDrive directory follows standard naming conventions for versioned installation data, making its deletion a routine and benign operation rather than malicious data destruction.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because cmd.exe is a legitimate Windows system binary running from its expected location (System32) and is signed by Microsoft. The command executed is a standard directory removal operation targeting OneDrive\u0027s local cache folder, which is consistent with normal user activity or legitimate application cleanup.\n\n**IOC Analysis:** The process cmd.exe has the correct hash for the legitimate Windows binary, is properly signed, and is executing from C:\\Windows\\System32. The command line shows a standard rmdir operation on a known user directory (OneDrive cache), which is not indicative of malicious enumeration or lateral movement.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection involves a legitimate cmd.exe from C:\\Windows\\System32, which is Microsoft-signed, and the command targets a OneDrive directory. Given the parent process is Explorer.EXE and historical analyst feedback indicating false positives for this rule, this event is likely benign.\n\n**IOC Analysis:** FILE_PATH: C:\\Windows\\System32\\cmd.exe is a known Windows system binary located in its expected directory, making it legitimate. HASH: f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3 corresponds to a Microsoft-signed binary. FILE_IS_SIGNED: 1 confirms the binary is signed. The command-line action (rmdir) on a OneDrive path could be part of normal operations, and the parent process (Explorer.EXE) is common, leading to a false positive.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 95% confidence)",
"qwen3.5:4b: false_positive (low, 95% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Process Tree Investigation: 50 events found |
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
Notes (10)
FusionSOC AI
2026-03-24T23:20
FusionSOC AI
2026-03-24T23:20
FusionSOC AI
2026-03-24T23:20
FusionSOC AI
2026-03-24T23:05
FusionSOC AI
2026-03-24T23:05
FusionSOC AI
2026-03-24T23:05
FusionSOC AI
2026-03-24T23:05
FusionSOC AI
2026-03-24T22:56
FusionSOC AI
2026-03-24T22:56
FusionSOC AI
2026-03-24T22:56
Timeline
2026-03-25T12:57:16
analyst
Status changed: investigating → closed
2026-03-24T23:20:42
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T23:20:42
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:20:42
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Whitelists or exclusions could be considered for rmdir operations targeting vers...
2026-03-24T23:20:42
FusionSOC
Response action queued: recommended on Whitelists or exclusions could be considered for rmdir operations targeting versioned subdirectories within the Microsoft\OneDrive path to reduce alert noise.
2026-03-24T23:20:42
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T23:20:42
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:20:42
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** No further action is required as this matches known benign application behavior....
2026-03-24T23:20:42
FusionSOC
Response action queued: recommended on No further action is required as this matches known benign application behavior.
2026-03-24T23:20:42
FusionSOC AI
Status changed: closed → investigating
2026-03-24T23:20:42
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:20:42
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `f8e98d83-79d8-4...
2026-03-24T23:20:41
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T23:20:41
FusionSOC
Action tag → executed: Tag applied
2026-03-24T23:20:41
FusionSOC
Response action queued: tag on f8e98d83-79d8-4ff7-9fe1-7c507dad89e4:fusionsoc-investigated
2026-03-24T23:14:37
analyst
Status changed: investigating → closed
2026-03-24T23:14:32
analyst
Analyst classified as False Positive (FP)
2026-03-24T23:05:29
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T23:05:29
FusionSOC
Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-24T23:05:29
FusionSOC AI
Note by FusionSOC AI: ## Process Tree Investigation **Action:** Monitor for similar detections with suspicious parent processes or unexpecte...
2026-03-24T23:05:27
FusionSOC
Response action queued: recommended on Monitor for similar detections with suspicious parent processes or unexpected locations
2026-03-24T23:05:27
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T23:05:27
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:05:27
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Document this as a known false positive for cmd.exe from System32 **Sensor:** `f...
2026-03-24T23:05:27
FusionSOC
Response action queued: recommended on Document this as a known false positive for cmd.exe from System32
2026-03-24T23:05:27
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T23:05:27
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:05:27
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close the alert in SOC management system **Sensor:** `f8e98d83-79d8-4f...` **Tim...
2026-03-24T23:05:27
FusionSOC
Response action queued: recommended on Close the alert in SOC management system
2026-03-24T23:05:27
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T23:05:27
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:05:27
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `f8e98d83-79d8-4...
2026-03-24T23:05:27
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T23:05:27
FusionSOC
Action tag → executed: Tag applied
2026-03-24T23:05:26
FusionSOC
Response action queued: tag on f8e98d83-79d8-4ff7-9fe1-7c507dad89e4:fusionsoc-investigated
2026-03-24T22:56:09
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T22:56:09
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T22:56:09
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** No action required. This is a false positive based on legitimate application mai...
2026-03-24T22:56:08
FusionSOC
Response action queued: recommended on No action required. This is a false positive based on legitimate application maintenance.
2026-03-24T22:56:08
FusionSOC AI
Status changed: open → investigating
2026-03-24T22:56:08
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T22:56:08
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `f8e98d83-79d8-4...
2026-03-24T22:56:08
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T22:56:08
FusionSOC
Action tag → executed: Tag applied
2026-03-24T22:56:08
FusionSOC
Response action queued: tag on f8e98d83-79d8-4ff7-9fe1-7c507dad89e4:fusionsoc-investigated
2026-03-24T22:56:08
FusionSOC AI
Detection 9eca704a-5da7-448f-9d99-4f3669c30de3 triaged as false_positive (low severity, confidence: 93%)
2026-03-24T22:56:08
FusionSOC AI
Case created from detection: service.windows_process_creation/proc_creation_win_cmd_dir_execution