Suspicious PowerShell Execution

Informational Resolved

ALR-00263 · 2026-05-24T03:48:54Z

Description

Encoded PowerShell command executed on SRV-BACKUP-01 by user 'j.smith'. Command attempts to download and execute remote payload. Flagged by Attack Surface Scanner.

Alert Metadata

Alert ID: ALR-00263
Timestamp: 2026-05-24T03:48:54Z
Severity: Informational
Status: Resolved
Detection Source: Attack Surface Scanner
Assigned Analyst: EmilyAI (auto)

Endpoint Information

Hostname: SRV-BACKUP-01
User Account: j.smith
Source IP: 185.100.220.196
Destination IP: 10.1.121.52
Origin Country: GB United Kingdom

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

03:48:54 Event ingested by SOC365 Engine

03:48:59 EmilyAI triage started — correlation enrichment

03:49:06 EmilyAI confidence: 98% — escalated to human analyst

03:49:20 Alert assigned to analyst: EmilyAI (auto)

03:51:37 Investigation started — querying SIEM and threat intelligence

03:53:45 Containment action taken — endpoint isolated

04:00:13 Alert resolved — remediation complete

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00291	2h ago	Suspicious PowerShell Execution	Medium	Investigating	SRV-SQL-01
ALR-00337	2h ago	Shadow IT Discovery	Low	Escalated	SRV-BACKUP-01
ALR-00258	6h ago	Port Scan Detected	Informational	Resolved	SRV-BACKUP-01
ALR-00118	11h ago	Suspicious PowerShell Execution	Informational	False Positive	WS-PC-004
ALR-00133	11h ago	Suspicious PowerShell Execution	Low	Resolved	WS-LAP-012