Suspicious PowerShell Execution

High Open

ALR-00433 · 2026-05-24T16:40:23Z

Description

Encoded PowerShell command executed on VM-DEV-01 by user 'system'. Command attempts to download and execute remote payload. Flagged by Attack Surface Scanner.

Alert Metadata

Alert ID: ALR-00433
Timestamp: 2026-05-24T16:40:23Z
Severity: High
Status: Open
Detection Source: Attack Surface Scanner
Assigned Analyst: James Okonkwo

Endpoint Information

Hostname: VM-DEV-01
User Account: system
Source IP: 91.66.195.147
Destination IP: 10.0.33.183
Origin Country: CN China

MITRE ATT&CK Mapping

Tactic: Execution
Technique: T1059.001
Reference: attack.mitre.org/techniques/T1059.001

Investigation Timeline

16:40:23 Event ingested by SOC365 Engine

16:40:24 EmilyAI triage started — correlation enrichment

16:40:36 EmilyAI confidence: 83% — escalated to human analyst

16:40:46 Alert assigned to analyst: James Okonkwo

16:41:18 Investigation started — querying SIEM and threat intelligence

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00427	18h ago	Suspicious PowerShell Execution	Informational	False Positive	WS-MAC-005
ALR-00182	22h ago	Pass-the-Hash Detected	Medium	Resolved	VM-DEV-01
ALR-00371	1d ago	Privilege Escalation Attempt	Medium	Investigating	VM-DEV-01
ALR-00277	1d ago	Shadow IT Discovery	Low	False Positive	VM-DEV-01
ALR-00180	1d ago	Phishing Email Blocked	Medium	Resolved	VM-DEV-01