Suspicious PowerShell Execution

Medium Resolved

ALR-00244 · 2026-04-06T02:37:05Z

Description

Encoded PowerShell command executed on WS-LAP-010 by user 'm.taylor'. Command attempts to download and execute remote payload. Flagged by Email Gateway.

Alert Metadata

Alert ID: ALR-00244
Timestamp: 2026-04-06T02:37:05Z
Severity: Medium
Status: Resolved
Detection Source: Email Gateway
Assigned Analyst: James Okonkwo

Endpoint Information

Hostname: WS-LAP-010
User Account: m.taylor
Source IP: 45.157.148.145
Destination IP: 10.3.253.236
Origin Country: IR Iran

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

02:37:05 Event ingested by SOC365 Engine

02:37:09 EmilyAI triage started — correlation enrichment

02:37:11 EmilyAI confidence: 89% — escalated to human analyst

02:37:40 Alert assigned to analyst: James Okonkwo

02:39:45 Investigation started — querying SIEM and threat intelligence

02:46:34 Containment action taken — endpoint isolated

02:55:17 Alert resolved — remediation complete

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00166	4h ago	Privilege Escalation Attempt	Low	Investigating	WS-LAP-010
ALR-00377	17h ago	Suspicious PowerShell Execution	Informational	Open	SRV-MAIL-01
ALR-00260	17h ago	Pass-the-Hash Detected	Medium	Investigating	WS-LAP-010
ALR-00049	17h ago	Suspicious PowerShell Execution	Medium	False Positive	WS-LAP-012
ALR-00201	18h ago	Pass-the-Hash Detected	Informational	False Positive	WS-LAP-010