Suspicious PowerShell Execution

Low Escalated

ALR-00089 · 2026-04-07T19:46:35Z

Description

Encoded PowerShell command executed on WS-LAP-012 by user 'f.hall'. Command attempts to download and execute remote payload. Flagged by EmilyAI Triage.

Alert Metadata

Alert ID: ALR-00089
Timestamp: 2026-04-07T19:46:35Z
Severity: Low
Status: Escalated
Detection Source: EmilyAI Triage
Assigned Analyst: EmilyAI (auto)

Endpoint Information

Hostname: WS-LAP-012
User Account: f.hall
Source IP: 45.254.148.11
Destination IP: 10.0.207.207
Origin Country: KP North Korea

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

19:46:35 Event ingested by SOC365 Engine

19:46:36 EmilyAI triage started — correlation enrichment

19:46:48 EmilyAI confidence: 78% — escalated to human analyst

19:47:04 Alert assigned to analyst: EmilyAI (auto)

19:48:26 Investigation started — querying SIEM and threat intelligence

19:55:36 Containment action taken — endpoint isolated

20:02:30 Alert resolved — remediation complete

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00208	4h ago	C2 Beacon Activity	Informational	Escalated	WS-LAP-012
ALR-00009	4h ago	Brute Force SSH	High	Investigating	WS-LAP-012
ALR-00297	6h ago	Certificate Anomaly	Low	Resolved	WS-LAP-012
ALR-00321	9h ago	Anomalous DNS Query	Medium	Open	WS-LAP-012
ALR-00262	1d ago	Rogue DHCP Server	Medium	False Positive	WS-LAP-012