| Field | Value |
|---|---|
| ID | HO-DET-001 |
| Title | Suspicious PowerShell EncodedCommand Execution via Sysmon Event ID 1 |
| Record type | proof record |
| Internal verifier token | CONTROLLED_TEST_VALIDATED |
| Current ceiling | CONTROLLED_TEST_VALIDATED |
| Public display label | CONTROLLED_TEST_VALIDATED |
| Public-safe status | NOT_PUBLIC_SAFE |
| Last reviewed | UNKNOWN |
Compatibility note: CONTROLLED_TEST_VALIDATED is the internal verifier token preserved for proof-integrity compatibility. CONTROLLED_TEST_VALIDATED is the public-facing label used to describe the same controlled-test validation boundary without using legacy public wording.
HO-DET-001 is CONTROLLED_TEST_VALIDATED through a public proof-loop workflow with controlled positive and negative test cases, deterministic pass/fail output, and blocked-claim enforcement.
- The proof record exists at proof/records/HO-DET-001.md.
- The controlled-test validation result is linked at hawkinsoperations-validation/reports/ho-det-001/validation-result.json.
- The public pipeline proof pack is linked at hawkinsoperations-validation/reports/ho-det-001/pipeline-proof.md.
- The machine-readable public pipeline proof pack is linked at hawkinsoperations-validation/reports/ho-det-001/pipeline-proof.json.
- The proof record reports 14 controlled cases: 7 matched positives and 7 negative cases with no false-positive matches.
- The proof loop route is linked at hawkinsoperations-validation/.github/workflows/ho-det-001-proof-loop.yml.
- The proof repo verifier exists at scripts/verify-ho-det-001-proof-integrity.py.
- Runtime-active deployment is not proven.
- Signal-observed public proof is blocked.
- Evidence-linked public proof is blocked.
- Public-safe, production-ready, fleet-wide, or enterprise-deployed status is not proven.
- Live Splunk public proof, Cribl-routed HO-DET telemetry, Wazuh-routed telemetry, AWS-live status, autonomous SOC operation, production AutoSOC, AI-approved disposition, AI-decided disposition, and analyst-approved disposition are not proven.
| Route | Path |
|---|---|
| Source record | proof/records/HO-DET-001.md |
| Hoxline Gauntlet bridge | proof/records/HO-DET-001_HOXLINE_GAUNTLET_BRIDGE_V1.md; proof/indexes/hoxline-gauntlet-proof-map-v1.md |
| Validation | hawkinsoperations-validation/reports/ho-det-001/validation-result.json |
| Workflow | hawkinsoperations-validation/.github/workflows/ho-det-001-proof-loop.yml; .github/workflows/ho-det-001-proof-integrity.yml |
| Verifier | scripts/verify-ho-det-001-proof-integrity.py; hawkinsoperations-validation/scripts/verify-ho-det-001-reproducible-proof-pack.py; hawkinsoperations-validation/scripts/verify-ho-det-001-runtime-packet.py |
| Ledger | evidence/evidence-ledger.json entries HO-DET-001-CONTROLLED-TEST-VALIDATION-001 and HO-DET-001-PLATFORM-RUNTIME-CONTRACT-GUARDRAIL-001 |
| Related PR/commit | HawkinsOperations/hawkinsoperations-validation#10; HawkinsOperations/hawkinsoperations-validation#18; HawkinsOperations/hawkinsoperations-validation#22; HawkinsOperations/hawkinsoperations-platform#5 |
CI-enforced controlled-test scope and verifier-backed proof record. The proof card is route/display only. It does not raise the public ceiling, and it does not turn private/internal controlled lab runtime match evidence into public proof.
| Reviewer question | Verify in | Boundary |
|---|---|---|
| What is proven? | proof/records/HO-DET-001.md; proof/records/HO-DET-001-CONTROLLED-TEST-VALIDATION-001.json; hawkinsoperations-validation/reports/ho-det-001/validation-result.json; hawkinsoperations-validation/reports/ho-det-001/pipeline-proof.md; hawkinsoperations-validation/reports/ho-det-001/pipeline-proof.json | Controlled positive and negative process-creation fixture validation only. |
| What is blocked? | proof/records/HO-DET-001.md sections Unsupported Claims, Blocked Claims, Proof Level Assessment, and Next Promotion Gate; proof/indexes/DETECTION_PROOF_STATUS_INDEX.yml | Runtime-active public proof, signal-observed public proof, public-safe status, production/fleet claims, routed-telemetry claims, AI disposition authority, and analyst disposition authority remain blocked. |
| Where is the reviewer status index? | proof/indexes/DETECTION_PROOF_STATUS_INDEX.yml; scripts/verify_detection_proof_status_index.py | The index routes proof status only; runtime, signal, public-safe, and website proof promotion remain blocked. |
| What may AI do? | This card; proof/records/README.md; proof/cards/README.md | AI may generate scoped labor, reviewer routes, summaries, and deterministic support artifacts. Evidence and human review authorize claims. |
| Can this support a SOCaaS pilot receipt? | hawkinsoperations-validation/docs/HO-DET-001_CLOSED_LOOP.md; hawkinsoperations-validation/validation/successor/ho-det-001/case-packet.json; hawkinsoperations-validation/validation/successor/ho-det-001/autosoc-triage-packet.json | Yes, as a controlled-test reviewer receipt candidate only: EDR-style process facts, deterministic validation, support-only triage, and human claim boundaries are present, but runtime, signal, public-safe, production, and autonomous SOC claims remain blocked. |
| What does the system refuse to claim? | This card section What This Does NOT Prove; proof/records/HO-DET-001.md section Blocked Claims | The system does not claim runtime-active status, signal-observed status, PUBLIC_SAFE status, live Splunk public proof, Cribl-routed telemetry, Wazuh-routed telemetry, production AutoSOC, AI-approved disposition, AI-decided disposition, or analyst-approved disposition. |
Reviewer acceptance rule: if this card, the proof record, and the proof status index disagree, use the source proof record and verifier-backed validation artifacts as authority until the route card is corrected.
The Hoxline Gauntlet bridge route is proof/records/HO-DET-001_HOXLINE_GAUNTLET_BRIDGE_V1.md with machine map proof/indexes/hoxline-gauntlet-proof-map-v1.json.
Allowed bridge wording: "HO-DET-001 has Hoxline Gauntlet v1 reviewer evidence and validation-bridge references under stated controlled scope."
This bridge does not prove runtime, signal, production, customer deployment, SOCaaS deployment, public-safe runtime proof, AI approval, analyst approval, final authorization, or case closure. It keeps Hoxline and website material as reviewer routing only; proof authority remains in source-owned proof records and verifier-backed validation artifacts.
| Plane | Truth |
|---|---|
| Repo truth | PROVEN: proof record and linked source artifact routes exist. |
| Validation truth | PROVEN: controlled-test validation passed within controlled test-case scope. |
| Runtime truth | PRIVATE_INTERNAL only where recorded; public runtime-active status remains BLOCKED. |
| Signal truth | BLOCKED for public signal-observed proof. |
| Evidence truth | Ledger-backed for controlled-test validation and platform guardrail records; private/internal runtime evidence is not public-safe proof. |
| Public proof | CONTROLLED_TEST_VALIDATED only; NOT_PUBLIC_SAFE for public promotion. |
| AI triage truth | AI_SUPPORT_ONLY / AI_TRIAGE_OUTPUT_PRIVATE / AI_NOT_AUTHORITY; AI-decided disposition remains false. |
| Human review truth | HUMAN_REVIEW_REQUIRED before any public runtime summary, public-safe wording, or stronger proof claim. |
| Truth plane | Current state | Public/runtime claim status |
|---|---|---|
| source_truth | SOURCE_EXISTS | source truth only |
| validation_truth | CONTROLLED_TEST_VALIDATED | controlled-test only |
| runtime_truth | RUNTIME_EVIDENCE_VERIFIED_PRIVATE | PUBLIC_RUNTIME_BLOCKED |
| signal_truth | SIGNAL_OBSERVED_PRIVATE | PUBLIC_RUNTIME_BLOCKED |
| evidence_truth | RUNTIME_EVIDENCE_VERIFIED_PRIVATE | raw private evidence remains NOT_PUBLIC_SAFE |
| ai_triage_truth | AI_SUPPORT_ONLY / AI_TRIAGE_OUTPUT_PRIVATE / AI_NOT_AUTHORITY | no AI disposition authority |
| public_proof_truth | PUBLIC_RUNTIME_BLOCKED | proof ceiling remains CONTROLLED_TEST_VALIDATED |
| human_review_truth | HUMAN_REVIEW_REQUIRED | approval required before any public runtime summary |
To raise the claim, HO-DET-001 needs approved evidence linkage for the specific stronger claim, privacy review, stale review, wording review, and Raylee approval. Runtime-active status needs deployment or enablement proof. Signal-observed status needs preserved telemetry, alert, log, or search output with reviewable context. Public-safe status requires approved public wording and evidence-link review.
HO-DET-001 has a strong controlled-test validation record and verifier-backed proof routing for that scope. Treat this card as a fast map to the proof record. Live operation, public signal observation, routed telemetry, production coverage, and public-safe status remain blocked unless separately approved.
Current state:
- No signed GitHub Release artifact exists yet for this proof card.
- The current release effort ceiling is RELEASE_IMPLEMENTED_CHECK_MODE_NO_TAG_NO_RELEASE.
- Repo-side source status: RELEASE_PATH_IMPLEMENTED_CHECK_MODE_ONLY.
- This section defines the reviewer packet, release manifest, checksum file, release notes template, verifier, and check-mode workflow source only.
- It does not create a zip, a tag, a GitHub Release, a Sigstore bundle, a signature, a signed artifact, or a published checksum release.
Planned artifact:
- Planned release name: HawkinsOperations Proof Pack 001.
- Planned tag: hawkinsoperations-proof-pack-001.
- Planned zip: HAWKINSOPERATIONS_PROOF_PACK_001.zip.
- Planned Sigstore bundle: HAWKINSOPERATIONS_PROOF_PACK_001.sigstore.json.
- Planned checksum file: SHA256SUMS.txt.
- Planned generated reviewer packet inside zip: REVIEWER_PACKET.md.
- Planned generated manifest inside zip: RELEASE_MANIFEST.json.
- Release notes template: RELEASE_NOTES_TEMPLATE.md.
- Check-mode release workflow: .github/workflows/publish-proof-release.yml.
- Release verifier: scripts/verify-proof-pack-001-release.py.
Candidate Pack 001 contents:
- REVIEWER_PACKET.md
- RELEASE_MANIFEST.json
- SHA256SUMS.txt
- RELEASE_NOTES_TEMPLATE.md
- SCOPE.md
- GOVERNANCE.md
- STATUS.md
- proof/cards/HO-DET-001.md
- proof/records/HO-DET-001.md
- proof/records/HO-DET-001-CONTROLLED-TEST-VALIDATION-001.json
- evidence/evidence-ledger.json
- evidence/EVIDENCE_LEDGER_SCHEMA.json
- scripts/verify-ho-det-001-proof-integrity.py
- .github/contracts/proof-record.schema.json
Excluded from Pack 001:
- README.md
- proof/records/HO-NDR-001.md
- proof/records/HO-DET-011.md
- proof/cards/HO-NDR-001.md
- docs/boundaries/HO-NDR-001-SECURITY-ONION-VISIBILITY-CONTRACT.md
- docs/debugging/*
- proof/records/PROOF-HOD-001-2026-04-21-001.json
- proof/records/AWS-DET-001.md
- proof/cards/AWS-DET-001.md
- .github/workflows/*
- docs/case-studies/*
Claim boundary:
- The future signed release, once implemented and verified, may support CONTROLLED_TEST_VALIDATED only.
- It must not promote PUBLIC_SAFE.
- It must not promote RUNTIME_ACTIVE.
- It must not promote SIGNAL_OBSERVED.
- It must not promote EVIDENCE_LINKED public proof.
- It must not promote production-ready, fleet-wide, live Splunk fired, Cribl-routed, Wazuh-routed, AWS-live, autonomous SOC, AI-approved disposition, AI-decided disposition, analyst-approved disposition, or production AutoSOC claims.
Verification language:
- Release verification wording must remain check-mode/source-only until the tag, artifact, Sigstore bundle, and clean reviewer-side verification are actually created and tested.
- The final Cosign certificate identity must not be frozen until it is confirmed from the actual signed bundle.
- The expected future OIDC issuer is https://token.actions.githubusercontent.com.
- The release workflow path is .github/workflows/publish-proof-release.yml, and it must remain check-mode by default.
- The release workflow must not create a tag, GitHub Release, zip, signature, signed artifact, or published checksum unless a later explicitly approved release step changes that behavior.
Source-side implementation checks:
- The proof integrity verifier must fail if this card no longer names RELEASE_IMPLEMENTED_CHECK_MODE_NO_TAG_NO_RELEASE.
- The verifier must fail if Pack 001 no longer names CONTROLLED_TEST_VALIDATED as the only allowed future support level.
- The verifier must fail if Pack 001 no longer keeps NOT_PUBLIC_SAFE public-safe status.
- The verifier must fail if Pack 001 no longer excludes proof/records/HO-NDR-001.md.
- The verifier must fail if Pack 001 wording implies that a release, tag, zip, signature, checksum publication, downloaded-artifact verification, or public-safe promotion already exists; public-safe promotion remains blocked unless separately approved.
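An illustration of the source-side checks listed above, written here as an added example and not the project's own scripts/verify-ho-det-001-proof-integrity.py: it reads the card text, confirms the required status tokens and the HO-NDR-001 exclusion are still present, and rejects wording that implies a release artifact already exists. The abbreviated card text, the required-token list, and the forbidden-wording patterns are constructed assumptions, not the real verifier's rules.

```python
import re

# Constructed, abbreviated stand-in for the proof card text (assumption, not the real card).
CARD_OK = """Current state:
- The current release effort ceiling is RELEASE_IMPLEMENTED_CHECK_MODE_NO_TAG_NO_RELEASE.
Excluded from Pack 001:
- README.md
- proof/records/HO-NDR-001.md
Claim boundary:
- The future signed release, once implemented and verified, may support CONTROLLED_TEST_VALIDATED only.
- It must not promote PUBLIC_SAFE.
Public-safe status: NOT_PUBLIC_SAFE
"""

REQUIRED_TOKENS = (
    "RELEASE_IMPLEMENTED_CHECK_MODE_NO_TAG_NO_RELEASE",
    "CONTROLLED_TEST_VALIDATED",
    "NOT_PUBLIC_SAFE",
)
REQUIRED_EXCLUSIONS = ("proof/records/HO-NDR-001.md",)
# Wording that would imply an artifact or promotion already exists (constructed patterns).
FORBIDDEN_WORDING = (
    r"signed release (?:exists|is available|has been published)",
    r"tag .* (?:has been|was) (?:created|pushed)",
    r"checksums? (?:have been|were) published",
    r"PUBLIC_SAFE status (?:is|has been) (?:granted|approved|promoted)",
)

def bullets_under(text: str, heading: str) -> list[str]:
    """Return the '- ' items directly below `heading`; the next non-bullet line ends the section."""
    items, active = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == heading:
            active = True
        elif active and stripped.startswith("- "):
            items.append(stripped[2:].strip().rstrip("."))
        elif active and stripped:
            break
    return items

def verify_card(text: str) -> list[str]:
    """Deterministic check: an empty list means pass; otherwise every failure is listed."""
    failures = []
    for token in REQUIRED_TOKENS:
        if not re.search(rf"\b{re.escape(token)}\b", text):
            failures.append(f"missing required token {token}")
    excluded = bullets_under(text, "Excluded from Pack 001:")
    for path in REQUIRED_EXCLUSIONS:
        if path not in excluded:
            failures.append(f"{path} is no longer excluded from Pack 001")
    for pattern in FORBIDDEN_WORDING:
        if re.search(pattern, text, re.IGNORECASE):
            failures.append(f"wording implies an existing artifact: /{pattern}/")
    return failures
```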
Reviewer meaning:
- A successful future verification would prove artifact integrity and signing provenance for the release artifact.
- It would not prove runtime activity, signal observation, public-safe status, production coverage, or analyst/AI disposition authority.