Interactive Demo — Simulated data only.
SOC365 Dashboard
Acme Legal Services Ltd

Suspicious PowerShell Execution

Low Escalated
ALR-00318 · 2026-05-25T14:43:54Z

Description

Encoded PowerShell command executed on SW-CORE-01 by user 'r.davies'. Command attempts to download and execute remote payload. Flagged by Dark Web Monitor.

Alert Metadata

Alert ID: ALR-00318
Timestamp: 2026-05-25T14:43:54Z
Severity: Low
Status: Escalated
Detection Source: Dark Web Monitor
Assigned Analyst: EmilyAI (auto)

Endpoint Information

Hostname: SW-CORE-01
User Account: r.davies
Source IP: 185.75.220.108
Destination IP: 10.0.199.155
Origin Country: China (CN)

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

14:43:54 Event ingested by SOC365 Engine
14:43:57 EmilyAI triage started — correlation enrichment
14:44:06 EmilyAI confidence: 88% — escalated to human analyst
14:44:26 Alert assigned to analyst: EmilyAI (auto)
14:46:20 Investigation started — querying SIEM and threat intelligence
14:49:41 Containment action taken — endpoint isolated
14:55:58 Alert resolved — remediation complete

Related Alerts

ID         Time     Alert                            Severity       Status          Host
ALR-00247  11h ago  Certificate Anomaly              Low            Resolved        SW-CORE-01
ALR-00389  12h ago  Insider Threat Indicator         Medium         Open            SW-CORE-01
ALR-00099  13h ago  Certificate Anomaly              Low            Escalated       SW-CORE-01
ALR-00427  18h ago  Suspicious PowerShell Execution  Informational  False Positive  WS-MAC-005
ALR-00330  1d ago   Anomalous DNS Query              Medium         Investigating   SW-CORE-01