Team Communications
blue-team-general
Blue Team collaboration channel

Sarah Chen
10:45 AM
Hey team, I'm seeing some suspicious PowerShell activity on WKS-CLIENT-042. Anyone else picking this up?
Mike Johnson
10:47 AM
@Sarah Chen Yes! I just got an alert for encoded PowerShell commands. Let me pull the logs.
powershell.exe -enc SGVsbG8gV29ybGQK
Base64 decoded: "Hello World"
David Park
10:50 AM
I'll create a detection rule for this. Give me 5 minutes.
Sarah Chen
10:52 AM
Thanks! Also, I've isolated the affected endpoint and initiated memory dump collection.
Attachment: memory_dump_WKS042.zip (512 MB)
Mike Johnson
10:55 AM
Perfect! I'll start forensic analysis. Created incident case INC-042.
Here's the MITRE mapping so far:
T1059.001
T1027
T1003
David Park
10:58 AM
Detection rule deployed! It's now monitoring all endpoints.
title: PowerShell Encoded Command Execution
logsource:
    # Process-creation telemetry (e.g. Sysmon Event ID 1 / Security 4688) is
    # where Image and CommandLine fields come from.
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        # Sigma string matching is case-insensitive, so -Enc / -EncodedCommand
        # also match. Shorter abbreviations (-e, -ec) and pwsh.exe are not covered
        # by this selection.
        CommandLine|contains:
            - ' -enc '
            - ' -encodedcommand '
    condition: selection
level: high