Role alignment
SecOps Analyst / SOC Analyst / Threat Detection Analyst
Executive summary
Microsoft Defender and Sentinel-style threat hunt that reconstructs a cyber-range Windows VM compromise from password-spray RDP access through execution, persistence, evasion, C2, and attempted exfiltration.
Hiring relevance
The RDP compromise investigation shows the ability to pivot across endpoint telemetry, explain what the evidence supports, and separate confirmed activity from unsupported assumptions.
Full technical write-up available
This portfolio page summarizes the project for hiring review. Use the Evidence Links section to read the full technical write-up and review the supporting project artifacts.
159.26.106.84
Source IP
slflare
Compromised Account
MicrosoftUpdateSync
Persistence Artifact
Attempted
Exfil Status
Problem
A cloud-hosted Windows VM in a cyber range showed activity consistent with password-spray-driven compromise over RDP. The hunt needed to identify the attacker source, compromised account, execution artifacts, persistence, evasion, discovery, collection, C2, and exfiltration attempt.
Environment / Tools
Approach
- 1Investigated RDP logon activity against devices matching the target environment.
- 2Pivoted from successful logon events into process execution by the compromised account.
- 3Queried suspicious execution from user-writable paths such as Public, Temp, and Downloads.
- 4Reviewed scheduled task creation for persistence and registry changes for Defender exclusions.
- 5Searched discovery commands, archive creation, and outbound network activity tied to C2 and exfiltration indicators.
- 6Mapped observed behavior to MITRE ATT&CK techniques.
Evidence
- The repository includes a full threat hunt report with executive summary, scope, reconstructed attack flow, ATT&CK mapping, flag-by-flag findings, KQL queries, screenshots, detection gaps, and recommendations.
- KQL evidence uses DeviceLogonEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceFileEvents, and DeviceNetworkEvents.
- Documented artifacts include source IP 159.26.106.84, compromised account slflare, endpoint slflarewinsysmo, msupdate.exe, MicrosoftUpdateSync scheduled task, Defender exclusion path C:\Windows\Temp, backup_sync.zip, and destination 185.92.220.87:8081.
- The repository supports attempted exfiltration, not confirmed successful data theft.
KQL investigation pivots
- 1.DeviceLogonEvents: identify RDP activity and compromised account
- 2.DeviceProcessEvents: pivot into suspicious execution
- 3.DeviceEvents: review scheduled task creation
- 4.DeviceRegistryEvents: identify Defender exclusion changes
- 5.DeviceFileEvents: locate archive creation and staging
- 6.DeviceNetworkEvents: correlate C2 and exfiltration destination
- 7.MITRE ATT&CK: map password spraying, valid accounts, persistence, evasion, discovery, collection, C2, and exfiltration
Result
The investigation reconstructs a complete cyber-range attack chain and preserves reproducible KQL for major findings, including an attempted exfiltration path. It does not claim real-world containment or confirmed data theft.
What I learned
- Successful RDP logons can become the pivot point for a full endpoint investigation.
- Process, registry, file, identity, and network telemetry need to be correlated to build a reliable attack timeline.
- Scheduled tasks, Defender exclusions, discovery commands, archive creation, and outbound connections can form a defensible intrusion narrative.