- false-positive
- red-team-testing
- adversary-emulation
- powershell
- task-scheduler
- aws-ec2
Authorized Red Team Testing Misclassified as Threat on AWS EC2 Host
A CrowdStrike Falcon alert on a designated red team test host (ws-001) detected a PowerShell execution chain with execution policy bypass targeting a MITRE-named script. Investigation confirmed the activity as authorized security testing, not a genuine threat.
Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.
Initial Signal
A CrowdStrike Falcon alert fired on host ws-001 (device ID [CS_DEVICE_ID_1], internal IP 10.1.1.1) at 2026-05-03T00:02:01Z. The alert captured a process execution chain originating from the Windows Task Scheduler service (svchost.exe -k netsvcs -p -s Schedule) that launched cmd.exe, which in turn spawned powershell.exe with the command line: `powershell.exe -ep bypass -file c:\[CUSTOM_DIR_2]`. The execution policy bypass flag and the MITRE-style script filename initially suggested a potential attack. However, an analyst note explicitly identifies ws-001 as a "Red Team testing host used for PowerShell & Lateral movement testing/attacks." The script filename follows the naming convention of adversary emulation frameworks like Atomic Red Team, with a "NonExistingScript" suffix confirming the script was intentionally absent. CrowdStrike's own detection engine classified the alert as "Testing activity" at Informational severity. All binaries involved are legitimate Microsoft Windows components with zero detections across VirusTotal and ReversingLabs. The host was already in a "contained" network isolation state, consistent with a controlled test environment. No post-execution activity, lateral movement, or data exfiltration was observed.
How We Reached the Verdict
The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.
Could this be normal activity?
Ruled out. The observed chain (cmd.exe launching PowerShell with -ep bypass targeting a MITRE-named script via Task Scheduler) is not 'normal' system operation — it is deliberate security testing activity that intentionally simulates attacker techniques. False Positive is more precise: the alert correctly identified an anomaly (a simulated attack technique), but the anomaly is not a genuine threat because it is authorized testing on a designated test host. Medium confidence.
Could this be malicious?
Ruled out. The target script [CUSTOM_DIR_2] did not exist on disk and was never executed. The execution policy bypass flag is a technique indicator but is insufficient to establish malicious execution when all other evidence points to authorized testing. The analyst note and script naming convention provide strong exculpatory context. High confidence.
Could this be suspicious?
Ruled out. The analyst note, the script naming convention (the 'NonExistingScript' suffix), CrowdStrike's own 'Testing activity' classification, clean threat intelligence for all binaries, and the absence of any post-exploitation activity collectively resolve the ambiguity in favor of a benign determination. A 'Suspicious' verdict would be appropriate only if the analyst note were absent or the script naming were not clearly indicative of an emulation framework. High confidence.
Could this be a true positive that was blocked?
Ruled out.
Disconfirming Evidence
Evidence that pushed against the agent's working hypothesis. Each item changed the direction of the investigation.
Evidence Gathered
The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.
- An analyst note identifies ws-001 as a 'Red Team testing host. Used for Powershell & Lateral movement testing/attacks.' This directly explains the observed activity as authorized security testing.
- The PowerShell command targeted the script '[CUSTOM_DIR_2]'. The T1036.004 prefix is a MITRE ATT&CK technique identifier (Masquerade Task or Service), a naming convention used by adversary emulation frameworks. The 'NonExistingScript' suffix confirms the script was intentionally absent — the test was designed to simulate execution of a non-existent file.
- The chain originated from the Task Scheduler service host (svchost.exe -k netsvcs -p -s Schedule, PID 1620, started 2026-05-02T17:15:25Z), which launched cmd.exe approximately 6 hours and 47 minutes later at 2026-05-03T00:02:01Z. This is consistent with a scheduled task configured to run at a specific time as part of a test scenario.
- All four binaries in the execution chain — svchost.exe (MD5: [SAMPLE_HASH_2]), cmd.exe (MD5: [SAMPLE_HASH_4]), conhost.exe (MD5: [SAMPLE_HASH_3]), and powershell.exe (MD5: [SAMPLE_HASH_1]) — are legitimate Microsoft Windows system components. VirusTotal shows 0 malicious detections across 70-76 vendors for each. ReversingLabs shows 0 scanner matches across 24-36 engines for each, with KNOWN status and threat_level 0.
- PowerShell wrote only a standard execution policy test file (__PSScriptPolicyTest_i3jm3x40.iun.ps1) to Windows\Temp. No child processes were spawned by powershell.exe or conhost.exe. No persistence mechanisms, lateral movement, credential access, C2 communication, or data staging was observed. The execution chain terminated at the script execution attempt.
- [EXTERNAL_IP_1] is confirmed as an AWS EC2 instance address (ASN 14618, Amazon Data Services Northern Virginia, hostname [EXTERNAL_IP_1].compute-1.amazonaws.com). All 15 threat intelligence sources queried by ReversingLabs return 'undetected'. VirusTotal shows 0 malicious/suspicious detections from 91 vendors. No threat actor associations.
False Positive Analysis
The agent ran these validation checks to confirm the verdict isn't a false positive.
- FP-01: Verify whether the host is a known test or lab system that would explain the observed activity as authorized. (Pass)
- FP-02: Evaluate whether the script filename and execution pattern are consistent with adversary emulation frameworks rather than organic attacker behavior. (Pass)
- FP-03: Confirm all binaries in the execution chain are legitimate Microsoft Windows components with no malicious indicators. (Pass)
- FP-04: Assess whether the host containment state and broader system activity are consistent with a controlled test environment. (Pass)
- FP-05: Evaluate the credibility of the analyst note claiming 10.1.1.1 is associated with dozens of APT groups. (Fail)
Detection Opportunities
The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.
| Technique | Tactic | Context |
|---|---|---|
| [T1036.004](https://attack.mitre.org/techniques/T1036/004/) Masquerade Task or Service | Defense Evasion | Flag PowerShell execution with -ep bypass (execution policy bypass) originating from Task Scheduler, especially when targeting scripts with MITRE technique identifiers in their filenames. Alert on cmd.exe launching powershell.exe with bypass flags in non-standard test environments. However, establish a whitelist of authorized red team and security testing hosts to reduce false positives. The legitimate pattern here is: Task Scheduler → cmd.exe → powershell.exe -ep bypass targeting a non-existent script on a designated test host. In production environments, this chain should trigger immediate investigation. |
| [T1053.005](https://attack.mitre.org/techniques/T1053/005/) Scheduled Task | Persistence | Monitor scheduled tasks that launch cmd.exe or PowerShell with execution policy bypass flags. Legitimate scheduled tasks typically run system maintenance scripts from standard directories (C:\Windows, C:\Program Files). Flag tasks that execute scripts from user-writable paths or with technique-identifier naming conventions. Correlate scheduled task creation events with analyst notes or change management records to distinguish authorized testing from actual persistence attempts. |
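The two rows above describe one detection (Task Scheduler → cmd.exe → powershell.exe with an execution policy bypass, script naming and script location as extra signals, and an allowlist of designated test hosts to suppress the expected false positive). The following is an added example, not code from the original report and not a CrowdStrike Falcon query: a Python detector run over constructed process telemetry. The hostname ws-042, the script path under c:\tests, every PID other than 1620, and the process-event field layout are assumptions; ws-001, PID 1620 and the svchost.exe command line are taken from the report.

```python
import re
from dataclasses import dataclass

# Constructed allowlist: hosts an analyst note designates for authorized red team
# testing. ws-001 is the host from this report; maintain this from change records.
RED_TEAM_HOSTS = {"ws-001"}

# MITRE ATT&CK technique ID in a filename, e.g. "T1036.004-..." (emulation-framework style).
MITRE_ID_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b", re.IGNORECASE)

# "-ep bypass", plus the -ex / -exec / -ExecutionPolicy prefix abbreviations.
BYPASS_RE = re.compile(r"-(?:ep|ex\w*)\s+bypass\b", re.IGNORECASE)
SCRIPT_RE = re.compile(r"-file\s+(\"[^\"]+\"|\S+)", re.IGNORECASE)

# Where legitimate scheduled-task scripts normally live (lowercase prefixes).
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # executable basename, lowercase
    cmdline: str


def ancestry(ev, index):
    """Parent chain for ev (nearest parent first); index is keyed by (host, pid)."""
    chain, seen = [], set()
    cur = index.get((ev.host, ev.ppid))
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = index.get((cur.host, cur.ppid))
    return chain


def evaluate(events):
    """One finding per powershell.exe bypass launched by cmd.exe under the Task
    Scheduler service. Designated test hosts are downgraded, not dropped, so the
    activity stays visible for reconciliation with the test schedule."""
    index = {(e.host, e.pid): e for e in events}
    findings = []
    for ev in events:
        if ev.image != "powershell.exe" or not BYPASS_RE.search(ev.cmdline):
            continue
        parents = ancestry(ev, index)
        via_cmd = bool(parents) and parents[0].image == "cmd.exe"
        # T1053.005 context: the Task Scheduler service runs as "svchost.exe ... -s Schedule".
        from_scheduler = any(p.image == "svchost.exe" and "-s schedule" in p.cmdline.lower()
                             for p in parents)
        if not (via_cmd and from_scheduler):
            continue
        m = SCRIPT_RE.search(ev.cmdline)
        script = m.group(1).strip('"') if m else ""
        reasons = ["task-scheduler -> cmd.exe -> powershell.exe -ep bypass"]
        if MITRE_ID_RE.search(script.rsplit("\\", 1)[-1]):
            reasons.append("mitre-technique-id-in-filename")
        if script and not script.lower().startswith(STANDARD_DIRS):
            reasons.append("script-outside-standard-dirs")
        severity = "informational" if ev.host in RED_TEAM_HOSTS else "high"
        findings.append({"host": ev.host, "pid": ev.pid, "script": script,
                         "severity": severity, "reasons": reasons})
    return findings


def sample_events():
    """Constructed telemetry: the report's chain on ws-001, the same chain on a
    hypothetical production host ws-042, and two chains the rule should ignore."""
    ps = "powershell.exe -ep bypass -file c:\\tests\\T1036.004-NonExistingScript.ps1"
    sched = "svchost.exe -k netsvcs -p -s Schedule"
    return [
        ProcEvent("ws-001", 1620, 4, "svchost.exe", sched),
        ProcEvent("ws-001", 3000, 1620, "cmd.exe", "cmd.exe /c " + ps),
        ProcEvent("ws-001", 3001, 3000, "powershell.exe", ps),
        ProcEvent("ws-042", 500, 4, "svchost.exe", sched),
        ProcEvent("ws-042", 501, 500, "cmd.exe", "cmd.exe /c " + ps),
        ProcEvent("ws-042", 502, 501, "powershell.exe", ps),
        # Routine maintenance task: no bypass flag, script under C:\Windows.
        ProcEvent("ws-042", 600, 500, "powershell.exe",
                  "powershell.exe -ExecutionPolicy RemoteSigned -file c:\\windows\\maint.ps1"),
        # Interactive user shell, not Task Scheduler: outside this rule's scope.
        ProcEvent("ws-042", 700, 1, "explorer.exe", "explorer.exe"),
        ProcEvent("ws-042", 701, 700, "cmd.exe", "cmd.exe"),
        ProcEvent("ws-042", 702, 701, "powershell.exe",
                  "powershell.exe -ep bypass -file c:\\users\\dev\\build.ps1"),
    ]


if __name__ == "__main__":
    for finding in evaluate(sample_events()):
        print(finding)
```

Run as-is, the same chain yields an Informational finding on ws-001 and a High finding on ws-042, which mirrors the table's point: the allowlist changes the severity, not the visibility, so a test host that is later repurposed does not silently lose coverage.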
Verdict Reasoning
The verdict of False Positive at high confidence rests on the following mutually corroborating signals:
1. An analyst note from 2025-08-18 explicitly identifying ws-001 as a red team test host designated for PowerShell and lateral movement testing, directly explaining the observed activity as authorized
2. The script filename [CUSTOM_DIR_2] follows the MITRE ATT&CK technique naming convention used by adversary emulation frameworks; the "NonExistingScript" suffix confirms the script was intentionally absent, consistent with a test designed to simulate execution failure
3. CrowdStrike's own detection engine classified the alert under "Testing activity" at Informational severity (the lowest tier), with pattern disposition "Detection, standard detection" rather than prevention
4. All four binaries in the execution chain (svchost.exe, cmd.exe, conhost.exe, powershell.exe) are legitimate Microsoft Windows components with zero malicious detections across 70-76 VirusTotal vendors and 24-36 ReversingLabs engines for each
5. The host device status shows "contained," indicating pre-existing CrowdStrike network isolation consistent with a controlled test environment deliberately isolated from production systems
6. No post-execution activity was observed: PowerShell only wrote a standard execution policy test file to Windows\Temp, spawned no child processes, and no persistence mechanisms, lateral movement, credential access, C2 communication, or data staging occurred.
Confidence is High rather than Confirmed because the investigation relied on analyst notes and alert classification metadata rather than independent corroboration of the test's authorization through formal change management records or test scheduling systems.
Lessons
- 01: Analyst notes are investigative gold—but verify their credibility. In this case, the analyst note identifying ws-001 as a red team test host was the decisive signal. However, the investigation also included a second analyst note claiming 10.1.1.1 (a private RFC 1918 address) was associated with 29 APT groups—a factually implausible claim that was correctly disregarded. Always cross-check analyst notes against known facts (IP address space, device enrollment history, organizational structure). A credible note should be specific, dated, and attributable to a named analyst. Use it to guide investigation, but don't let it override contradictory evidence.
- 02: Script naming conventions are a powerful indicator of intent. The script filename [CUSTOM_DIR_2] with a MITRE technique identifier prefix and 'NonExistingScript' suffix is a dead giveaway of adversary emulation framework usage (Atomic Red Team, CALDERA, etc.). Real attackers don't name their payloads after MITRE technique IDs. When you see this pattern, immediately check for analyst notes, test schedules, or red team documentation. The absence of the script file on disk (confirmed by no file write events) further confirmed this was a test of execution failure handling, not a genuine attack.
- 03: Host containment state is context, not verdict. The 'contained' status on ws-001 indicated network isolation, which is consistent with a test environment. However, containment alone doesn't prove benignity—an attacker could compromise an isolated host. What matters is the convergence of multiple signals: analyst note + script naming + alert classification + threat intelligence + absence of post-execution activity. Use containment status as one data point in a multi-factor assessment, not as the deciding factor.
- 04: Zero threat intelligence detections on all binaries is strong exculpatory evidence. All four binaries in the execution chain (svchost.exe, cmd.exe, conhost.exe, powershell.exe) showed 0 detections across 70+ VirusTotal vendors and 24+ ReversingLabs engines. This is expected for legitimate Microsoft system binaries, but it rules out the possibility that the alert was triggered by a trojanized or packed version of these files. Combined with the analyst note and script naming, this eliminated the 'Malicious' hypothesis entirely.
- 05: Absence of post-execution activity is as important as presence of suspicious activity. The execution chain terminated cleanly: PowerShell wrote only a standard execution policy test file and spawned no child processes. No persistence mechanisms, lateral movement, credential access, C2 communication, or data staging was observed. In a real attack, you'd expect follow-on activity. The absence of it, combined with the other evidence, confirmed this was a controlled test that ran to completion and stopped.