Severity: low · Status: closed · Verdict: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

File And SubFolder Enumeration Via Dir Command (severity: low)
Rule: service.windows_process_creation/proc_creation_win_cmd_dir_execution
Hostname: win-91lccq536b4 · Sensor: f8e98d83-79d8-4f...
Event Type: NEW_PROCESS
Confidence: 93% · Verdict: false positive
Event Data:
COMMAND_LINE: "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\pjhow\AppData\Local\Microsoft\OneDrive\26.022.0203.0006"
FILE_IS_SIGNED: 1
FILE_PATH: C:\Windows\System32\cmd.exe
HASH: f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3
MEMORY_USAGE: 36864
PARENT: {'BASE_ADDRESS': 140697881149440, 'COMMAND_LINE': 'C:\\WINDOWS\\Explorer.EXE', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\WINDOWS\\Explorer.EXE', 'HASH': '6d560ce5e75149dffe1b67f0a9f1a0717c9996d50ef2dbf3349b251b64c3a195', 'MEMORY_USAGE': 34713600, 'PARENT_ATOM': 'b4c888978aa0174f6ca942a969c30db5', 'PARENT_PROCESS_ID': 3324, 'PROCESS_ID': 1984, 'THIS_ATOM': '95030fcbb1b0f80539943cfe69c30db5', 'THREADS': 11, 'TIMESTAMP': 1774390708232, 'USER_NAME': 'WIN-91LCCQ536B4\\pjhow'}
PARENT_PROCESS_ID: 1984
PROCESS_ID: 8592
USER_NAME: WIN-91LCCQ536B4\pjhow
IOCs: C:\Windows\System32\cmd.exe f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3 C:\Users\pjhow\AppData\Local\Microsoft\OneDrive\26.022.0203.0006
MITRE: T1083
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "File And SubFolder Enumeration Via Dir Command",
  "detect": {
    "event": {
      "COMMAND_LINE": "\"C:\\Windows\\System32\\cmd.exe\" /q /c rmdir /s /q \"C:\\Users\\pjhow\\AppData\\Local\\Microsoft\\OneDrive\\26.022.0203.0006\"",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
      "HASH": "f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3",
      "MEMORY_USAGE": 36864,
      "PARENT": {
        "BASE_ADDRESS": 140697881149440,
        "COMMAND_LINE": "C:\\WINDOWS\\Explorer.EXE",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\WINDOWS\\Explorer.EXE",
        "HASH": "6d560ce5e75149dffe1b67f0a9f1a0717c9996d50ef2dbf3349b251b64c3a195",
        "MEMORY_USAGE": 34713600,
        "PARENT_ATOM": "b4c888978aa0174f6ca942a969c30db5",
        "PARENT_PROCESS_ID": 3324,
        "PROCESS_ID": 1984,
        "THIS_ATOM": "95030fcbb1b0f80539943cfe69c30db5",
        "THREADS": 11,
        "TIMESTAMP": 1774390708232,
        "USER_NAME": "WIN-91LCCQ536B4\\pjhow"
      },
      "PARENT_PROCESS_ID": 1984,
      "PROCESS_ID": 8592,
      "USER_NAME": "WIN-91LCCQ536B4\\pjhow"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "7b5e9852-0c65-4dd3-ab73-6299fbff39f5",
      "event_time": 1774390753776,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "win-91lccq536b4",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.170",
      "latency": 1706,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "95030fcbb1b0f80539943cfe69c30db5",
      "plat": 268435456,
      "sid": "f8e98d83-79d8-4ff7-9fe1-7c507dad89e4",
      "tags": [
        "frontdesk",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-investigated",
        "windows",
        "yara_detection_memory"
      ],
      "this": "b40b4fffe58781978d2793c669c30de3"
    }
  },
  "detect_id": "44391aaa-a96b-4d57-9641-b24169c30de3",
  "detect_mtd": {
    "author": "frack113",
    "description": "Detects usage of the \"dir\" command part of Windows CMD with the \"/S\" command line flag in order to enumerate files in a specified directory and all subdirectories.\n",
    "falsepositives": [
      "Likely"
    ],
    "level": "low",
    "references": [
      "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md"
    ],
    "tags": [
      "attack.discovery",
      "attack.t1217"
    ]
  },
  "gen_time": 1774390755484,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/f8e98d83-79d8-4ff7-9fe1-7c507dad89e4/timeline?time=1774390753\u0026selected=b40b4fffe58781978d2793c669c30de3",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "7b5e9852-0c65-4dd3-ab73-6299fbff39f5",
    "event_time": 1774390753776,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "win-91lccq536b4",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.170",
    "latency": 1706,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "95030fcbb1b0f80539943cfe69c30db5",
    "plat": 268435456,
    "sid": "f8e98d83-79d8-4ff7-9fe1-7c507dad89e4",
    "tags": [
      "frontdesk",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-investigated",
      "windows",
      "yara_detection_memory"
    ],
    "this": "b40b4fffe58781978d2793c669c30de3"
  },
  "rule_tags": [
    "ext:ext-sigma",
    "attack.discovery",
    "attack.t1217"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.f8e98d83-79d8-4ff7-9fe1-7c507dad89e4.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_cmd_dir_execution",
  "ts": 1774390755000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 1,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.933,
  "false_positive_reason": "Legitimate software maintenance (OneDrive update cleanup)",
  "investigation_questions": [
    "Is there any other suspicious activity from this user around the same time?"
  ],
  "ioc_analysis": "The process \u0027cmd.exe\u0027 is a signed Microsoft system binary running from the expected \u0027C:\\Windows\\System32\\\u0027 directory. The parent process is \u0027Explorer.EXE\u0027, which is also signed and legitimate. The target directory being removed is located within the standard Microsoft OneDrive application data path (\u0027AppData\\Local\\Microsoft\\OneDrive\u0027), which is used for storing version-specific files.",
  "iocs_extracted": [
    "C:\\Windows\\System32\\cmd.exe",
    "f682aadda9deb654885ae17909380a25f7cb1a43ac0934ac425ee8de4924c7f3",
    "C:\\Users\\pjhow\\AppData\\Local\\Microsoft\\OneDrive\\26.022.0203.0006"
  ],
  "mitre_techniques": [
    "T1083"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Close the case as a False Positive.",
    "Consider tuning the detection rule to exclude \u0027rmdir\u0027 commands targeting the OneDrive AppData directory to reduce future noise."
  ],
  "risk_score": 12,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection is a false positive triggered by a legitimate Microsoft OneDrive maintenance operation. The command \u0027rmdir /s /q\u0027 is being used to clean up an old versioned directory (26.022.0203.0006) within the user\u0027s AppData folder, likely following an automatic update. This activity is consistent with normal OneDrive behavior and previous historical triage for this rule has consistently resulted in false positive verdicts.\n\n**IOC Analysis:** The process \u0027cmd.exe\u0027 is a signed Microsoft system binary running from the expected \u0027C:\\Windows\\System32\\\u0027 directory. The parent process is \u0027Explorer.EXE\u0027, which is also signed and legitimate. The target directory being removed is located within the standard Microsoft OneDrive application data path (\u0027AppData\\Local\\Microsoft\\OneDrive\u0027), which is used for storing version-specific files.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\ncmd.exe execution from System32 is a known Windows system binary running from its expected location with valid digital signature. The command targets OneDrive local storage which is a common administrative task.\n\n**IOC Analysis:** The detection flagged cmd.exe but this is a legitimate Windows system binary located in C:\\Windows\\System32\\. The process is digitally signed (FILE_IS_SIGNED: 1) and matches the known hash for cmd.exe. Parent process Explorer.EXE indicates standard user activity rather than malicious persistence.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe event involves a legitimate cmd.exe process from System32, which is system-signed and commonly used in false positives for user-initiated actions or system maintenance. The command attempts to delete a OneDrive directory, which is likely part of normal operations.\n\n**IOC Analysis:** FILE_PATH: C:\\Windows\\System32\\cmd.exe is a legitimate Windows system binary located in the expected directory, making it likely benign. HASH: The file is Microsoft-signed, reducing the likelihood of malicious activity. FILE_IS_SIGNED: Confirms the binary is from a trusted source. COMMAND_LINE: The use of rmdir on a OneDrive directory could be part of legitimate cleanup or update processes.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 95% confidence)",
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

| Action | Target | Status | Result |
|---|---|---|---|
| tag | f8e98d83-79d8-4ff7-9fe1-7c507dad89e4:fusionsoc-investigated | executed | Tag applied |
| recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found |
| recommended | Mark as false positive | executed | General Activity Sweep: 0 events found |
| recommended | Tune detection rule to exclude rmdir operations on legitimate OneDrive versioned folders | executed | General Activity Sweep: 0 events found |
| tag | f8e98d83-79d8-4ff7-9fe1-7c507dad89e4:fusionsoc-investigated | executed | Tag applied |
| recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found |
| recommended | No action required. | executed | General Activity Sweep: 0 events found |
| recommended | Consider tuning the detection rule 'service.windows_process_creation/proc_creation_win_cmd_dir_execution' to exclude 'rmdir' operations on versioned OneDrive folders in AppData. | executed | Process Tree Investigation: 50 events found |
| tag | f8e98d83-79d8-4ff7-9fe1-7c507dad89e4:fusionsoc-investigated | executed | Tag applied |
| recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found |
| recommended | Close the case as a False Positive. | executed | General Activity Sweep: 0 events found |
| recommended | Consider tuning the detection rule to exclude 'rmdir' commands targeting the OneDrive AppData directory to reduce future noise. | executed | General Activity Sweep: 0 events found |

๐Ÿ“ Add Note

💬 Notes (10)

🤖 FusionSOC AI 2026-03-24T23:24
🤖 FusionSOC AI 2026-03-24T23:24
🤖 FusionSOC AI 2026-03-24T23:24
🤖 FusionSOC AI 2026-03-24T23:10
🤖 FusionSOC AI 2026-03-24T23:10
🤖 FusionSOC AI 2026-03-24T23:10
🤖 FusionSOC AI 2026-03-24T23:02
🤖 FusionSOC AI 2026-03-24T23:02
🤖 FusionSOC AI 2026-03-24T23:02
🤖 FusionSOC AI 2026-03-24T23:02

📜 Timeline

2026-03-25T12:57:16 · analyst · Status changed: investigating → closed
2026-03-24T23:24:23 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T23:24:23 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:24:23 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Consider tuning the detection rule to exclude 'rmdir' commands targeting the One...
2026-03-24T23:24:22 · FusionSOC · Response action queued: recommended on Consider tuning the detection rule to exclude 'rmdir' commands targeting the OneDrive AppData directory to reduce future noise.
2026-03-24T23:24:22 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T23:24:22 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:24:22 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close the case as a False Positive. **Sensor:** `f8e98d83-79d8-4f...` **Time Win...
2026-03-24T23:24:22 · FusionSOC · Response action queued: recommended on Close the case as a False Positive.
2026-03-24T23:24:22 · FusionSOC AI · Status changed: closed → investigating
2026-03-24T23:24:22 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:24:22 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `f8e98d83-79d8-4...
2026-03-24T23:24:22 · FusionSOC · Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T23:24:22 · FusionSOC · Action tag → executed: Tag applied
2026-03-24T23:24:22 · FusionSOC · Response action queued: tag on f8e98d83-79d8-4ff7-9fe1-7c507dad89e4:fusionsoc-investigated
2026-03-24T23:14:37 · analyst · Status changed: investigating → closed
2026-03-24T23:14:32 · analyst · Analyst classified as False Positive (FP)
2026-03-24T23:10:39 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T23:10:39 · FusionSOC · Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-24T23:10:39 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Consider tuning the detection rule 'service.windows_process_creation/proc_cr...
2026-03-24T23:10:38 · FusionSOC · Response action queued: recommended on Consider tuning the detection rule 'service.windows_process_creation/proc_creation_win_cmd_dir_execution' to exclude 'rmdir' operations on versioned OneDrive folders in AppData.
2026-03-24T23:10:38 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T23:10:38 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:10:38 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** No action required. **Sensor:** `f8e98d83-79d8-4f...` **Time Window:** +/- 2 min...
2026-03-24T23:10:38 · FusionSOC · Response action queued: recommended on No action required.
2026-03-24T23:10:38 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T23:10:38 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:10:38 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `f8e98d83-79d8-4...
2026-03-24T23:10:37 · FusionSOC · Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T23:10:37 · FusionSOC · Action tag → executed: Tag applied
2026-03-24T23:10:37 · FusionSOC · Response action queued: tag on f8e98d83-79d8-4ff7-9fe1-7c507dad89e4:fusionsoc-investigated
2026-03-24T23:02:07 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T23:02:07 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:02:07 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Tune detection rule to exclude rmdir operations on legitimate OneDrive versioned...
2026-03-24T23:02:07 · FusionSOC · Response action queued: recommended on Tune detection rule to exclude rmdir operations on legitimate OneDrive versioned folders
2026-03-24T23:02:07 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T23:02:07 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:02:07 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Mark as false positive **Sensor:** `f8e98d83-79d8-4f...` **Time Window:** +/- 2 ...
2026-03-24T23:02:06 · FusionSOC · Response action queued: recommended on Mark as false positive
2026-03-24T23:02:06 · FusionSOC AI · Status changed: open → investigating
2026-03-24T23:02:06 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T23:02:06 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `f8e98d83-79d8-4...
2026-03-24T23:02:06 · FusionSOC · Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T23:02:06 · FusionSOC · Action tag → executed: Tag applied
2026-03-24T23:02:06 · FusionSOC · Response action queued: tag on f8e98d83-79d8-4ff7-9fe1-7c507dad89e4:fusionsoc-investigated
2026-03-24T23:02:06 · FusionSOC AI · Detection 44391aaa-a96b-4d57-9641-b24169c30de3 triaged as false_positive (low severity, confidence: 93%)
2026-03-24T23:02:06 · FusionSOC AI · Case created from detection: service.windows_process_creation/proc_creation_win_cmd_dir_execution