Real alerts. Real verdicts.
Written by the agent that worked them.

A CrowdStrike Falcon alert on a designated red team test host (ws-001) detected a PowerShell execution chain with execution policy bypass targeting a MITRE-named script. Investigation confirmed the activity as authorized security testing, not a genuine threat.

Manufacturing workstation ws-001 shows strong multi-stage compromise evidence: malicious persistence installation via Startup folder, process injection into system processes, C2 communication via DGA domains and non-standard port 447, and re-execution of the same malicious binary 66 hours later. The attacker maintained a foothold despite CrowdStrike's quarantine actions.

An attacker used a stolen session token to access a director's Exchange mailbox from an anonymous proxy IP, executing 81 operations including a covert inbox rule designed to intercept emails from specific external contacts. Administrator confirmation and HIBP breach data corroborate the account compromise.

An attacker conducted a coordinated account takeover campaign against a Honduras-based employee, successfully passing MFA to unlock the account twice via self-service password reset but failing to change the password or sign in due to Conditional Access policies and password complexity controls.

A sophisticated web server compromise was detected on IIS servers ws-001 and ws-002 between March 22-23, 2026. The attacker exploited web application vulnerabilities to execute commands through w3wp.exe, attempting reconnaissance and malware download from an external IP. Microsoft Defender blocked all post-exploitation activities.

Microsoft Defender detected Trojan:BAT/Starter.G!lnk malware on endpoint ws-001 with suspicious domain administrator remote access preceding detection. The malware appeared on 9 organizational endpoints with polymorphic naming patterns and low global prevalence, indicating a targeted attack.

A malicious executable with a deceptive double extension (.TXT.exe) was executed from a network share on a manufacturing workstation in Thailand and immediately established communication with an external server in Luxembourg, indicating successful malware deployment through social engineering.

Workstation ws-001 in a manufacturing facility was actively compromised by malware exhibiting ransomware behavior, DLL side-loading persistence, and security tool tampering. CrowdStrike Falcon detected all malicious activities but operated in detect-only mode, allowing the threat to run unimpeded for three days.

Manufacturing workstation ws-001 was compromised through a coordinated multi-stage attack involving DameWare deployment via SMB, execution of a purpose-built registry toolkit targeting 186 security tool keys, and successful establishment of persistence and credential harvesting infrastructure.

Microsoft Defender detected Adsunwan malware disguised as ZoomInfo software in a corporate user's Downloads folder. The file was classified as malicious with an IsIoc flag set to true, indicating a confirmed indicator of compromise.

Valid credentials for a Philippines-based user were used in an authentication attempt from a Luxembourg hosting provider IP on February 25, 2026. Conditional Access policies blocked the attempt, preventing account access.

A persistent credential theft campaign targeting user_1@[INTERNAL_DOMAIN_1].com with 35 failed authentication attempts from 23 IP addresses across 15 countries was successfully blocked by conditional access policies, though the account remains at elevated risk due to absent MFA.

A hardware engineering technologist's account was compromised via phishing on February 19, leading to spam email sending, 30 DLP policy violations involving sensitive technical specifications, and Bearfoos malware execution on February 20. Microsoft Defender blocked the malware, but prior data access attempts indicate successful unauthorized access to engineering intellectual property.

Microsoft Defender detected Wacatac malware in ExpressionEngine Freeform plugin files downloaded by a user. The malicious PHP script was found in multiple plugin directories with extremely low global prevalence, suggesting a potential supply chain compromise.

Microsoft Defender for Office 365 detected and quarantined a sophisticated phishing email spoofing an internal address with malicious attachments. The email used intentional misspellings and impersonation tactics as part of a broader campaign.

Analysis of Okta authentication logs reveals account user_1 was compromised and used to access Alpha from 16 successful logins across 7 countries via VPN, with 81.25% flagged as high-risk and physically impossible travel patterns detected.

Microsoft Defender detected and blocked Trojan:Win32/Kepavll!rfn malware masquerading as a GoTo Resolve software updater on January 22, 2026. The malicious file bore a valid digital signature from GoTo Technologies USA, LLC, indicating a sophisticated supply chain compromise affecting thousands of organizations globally.

Microsoft Defender detected Trojan:Win32/Vigorf.A and Trojan:Win32/Malgent!MSR across four corporate devices. Security controls successfully prevented execution, with no evidence of system compromise or credential theft.

A Windows 11 laptop belonging to user_1 was compromised by sophisticated malware employing process hollowing, code injection, and memory manipulation. SentinelOne detected a multi-stage attack chain initiated by a malicious JavaScript file, with the threat marked as not mitigated and the agent pending uninstallation.

A coordinated phishing campaign targeted multiple [ORG_1] employees using email spoofing, Google Maps URL redirects, and personalized tracking parameters. Investigation confirmed 19 similar emails with identical body fingerprints, indicating campaign-scale attack with no evidence of successful compromise.

Microsoft Defender XDR identified three distinct malware families (TurtleLoader, Leivion, Obfuscator) on Windows Server 2019 system 'ws-001.[INTERNAL_DOMAIN_1].local' in cache directories. No execution evidence was found, but the system's role as a management server with elevated access privileges amplifies the risk.