Project case study

Password Spray Threat Hunt: RDP Compromise Investigation

A Microsoft Defender and Sentinel-style threat hunt reconstructing a cyber-range Windows VM compromise from password-spray-driven RDP access through execution, persistence, evasion, C2, and attempted exfiltration.

Threat hunt chain

Source IP: 159.26.106.84
Compromised Account: slflare
Persistence Artifact: MicrosoftUpdateSync
Exfil Status: Attempted

Problem

A cloud-hosted Windows VM in a cyber range showed activity consistent with password-spray-driven compromise over RDP. The hunt needed to identify the attacker source, compromised account, execution artifacts, persistence, evasion, discovery, collection, C2, and exfiltration attempt.

Approach

  • Investigated RDP logon activity against devices matching the target environment.
  • Pivoted from successful logon events into process execution by the compromised account.
  • Queried suspicious execution from user-writable paths such as Public, Temp, and Downloads.
  • Reviewed scheduled task creation for persistence and registry changes for Defender exclusions.
  • Searched discovery commands, archive creation, and outbound network activity tied to C2 and exfiltration indicators.
  • Mapped observed behavior to MITRE ATT&CK techniques.
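The hunt steps above can be run as one KQL timeline query over the advanced hunting tables. The query below is an added illustration, not a query from the repository or its report. It assumes the standard Microsoft Defender XDR / Sentinel Device* schema; the endpoint name, account, task name, exclusion path, archive name and destination are the artifacts documented on this page, while the seven-day look-back, the five-account spray threshold and the list of discovery binaries are assumptions chosen for the example.

```kql
// Added example: reconstruct the RDP-spray intrusion chain as one timeline.
// Assumes the standard Defender advanced hunting schema (Device* tables).
let target_device  = "slflarewinsysmo";   // endpoint documented on this page
let hunt_window    = 7d;                  // assumed look-back window
let writable_dirs  = dynamic([@"\Users\Public\", @"\Temp\", @"\Downloads\"]);
let discovery_bins = dynamic(["whoami.exe", "systeminfo.exe", "net.exe", "net1.exe",
                              "ipconfig.exe", "nltest.exe", "tasklist.exe", "netstat.exe"]);
// 0. The spray itself: one external IP failing against many accounts.
//    Five distinct accounts is an assumed threshold.
let spray_sources = DeviceLogonEvents
    | where Timestamp > ago(hunt_window) and ActionType == "LogonFailed"
    | where isnotempty(RemoteIP) and not(ipv4_is_private(RemoteIP))
    | summarize Failures = count(), Accounts = dcount(AccountName) by RemoteIP
    | where Accounts >= 5;
// 1. Initial access: a successful RDP (RemoteInteractive) logon from a spray source.
let rdp_logons = DeviceLogonEvents
    | where Timestamp > ago(hunt_window) and DeviceName startswith target_device
    | where ActionType == "LogonSuccess" and LogonType == "RemoteInteractive"
    | where RemoteIP in ((spray_sources | project RemoteIP))
    | project Timestamp, DeviceName, AccountName, RemoteIP;
// Pivot on the first such success (slflare from 159.26.106.84 in this hunt).
let first_logon      = rdp_logons | top 1 by Timestamp asc;
let suspect_account  = toscalar(first_logon | project AccountName);
let first_logon_time = toscalar(first_logon | project Timestamp);
// 2. Execution: anything the account ran from a user-writable path (msupdate.exe here).
let execution = DeviceProcessEvents
    | where Timestamp > first_logon_time and DeviceName startswith target_device
    | where AccountName =~ suspect_account and FolderPath has_any (writable_dirs)
    | project Timestamp, DeviceName, AccountName, Stage = "Execution",
              Detail = strcat(FolderPath, " | ", ProcessCommandLine);
// 3. Persistence: schtasks /create, plus the ScheduledTaskCreated event
//    (task name MicrosoftUpdateSync in this hunt).
let persistence = DeviceProcessEvents
    | where Timestamp > first_logon_time and DeviceName startswith target_device
    | where FileName =~ "schtasks.exe" and ProcessCommandLine has "/create"
    | project Timestamp, DeviceName, AccountName, Stage = "Persistence",
              Detail = ProcessCommandLine
    | union (DeviceEvents
        | where Timestamp > first_logon_time and DeviceName startswith target_device
        | where ActionType == "ScheduledTaskCreated"
        | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
                  Stage = "Persistence", Detail = tostring(AdditionalFields.TaskName));
// 4. Defense evasion: a Defender exclusion written to the registry (C:\Windows\Temp here).
let evasion = DeviceRegistryEvents
    | where Timestamp > first_logon_time and DeviceName startswith target_device
    | where ActionType == "RegistryValueSet"
    | where RegistryKey contains @"Windows Defender\Exclusions"
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
              Stage = "Defense Evasion", Detail = strcat(RegistryKey, " = ", RegistryValueName);
// 5. Discovery: common enumeration binaries run by the compromised account.
let discovery = DeviceProcessEvents
    | where Timestamp > first_logon_time and DeviceName startswith target_device
    | where AccountName =~ suspect_account and FileName in~ (discovery_bins)
    | project Timestamp, DeviceName, AccountName, Stage = "Discovery",
              Detail = ProcessCommandLine;
// 6. Collection: archive creation (backup_sync.zip here).
let collection = DeviceFileEvents
    | where Timestamp > first_logon_time and DeviceName startswith target_device
    | where ActionType == "FileCreated" and FileName endswith ".zip"
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
              Stage = "Collection", Detail = strcat(FolderPath, " by ", InitiatingProcessFileName);
// 7. C2 / exfiltration: outbound traffic from writable-path binaries or to non-web ports.
//    ConnectionFailed is kept on purpose: an attempted exfil (185.92.220.87:8081) may never succeed.
let network = DeviceNetworkEvents
    | where Timestamp > first_logon_time and DeviceName startswith target_device
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
    | where isnotempty(RemoteIP) and not(ipv4_is_private(RemoteIP))
    | where InitiatingProcessFolderPath has_any (writable_dirs) or RemotePort !in (80, 443)
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
              Stage = "C2 / Exfiltration",
              Detail = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", RemotePort, " (", ActionType, ")");
// Timeline: the pivot logon first, then every later stage in time order.
first_logon
| project Timestamp, DeviceName, AccountName, Stage = "Initial Access",
          Detail = strcat("RDP logon from ", RemoteIP)
| union execution, persistence, evasion, discovery, collection, network
| order by Timestamp asc
```

Two things to check when adapting this: the spray threshold and the writable-path list are tuning knobs, and the registry stage only catches exclusions that reach the registry, so a Set-MpPreference call that fails or is blocked shows up in DeviceProcessEvents rather than DeviceRegistryEvents.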

Evidence

  • The repository includes a full threat hunt report with executive summary, scope, reconstructed attack flow, ATT&CK mapping, flag-by-flag findings, KQL queries, screenshots, detection gaps, and recommendations.
  • KQL evidence uses DeviceLogonEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceFileEvents, and DeviceNetworkEvents.
  • Documented artifacts include source IP 159.26.106.84, compromised account slflare, endpoint slflarewinsysmo, msupdate.exe, MicrosoftUpdateSync scheduled task, Defender exclusion path C:\Windows\Temp, backup_sync.zip, and destination 185.92.220.87:8081.
  • The evidence supports an attempted exfiltration, not confirmed successful data theft.

Outcome

The investigation reconstructs a complete cyber-range attack chain and preserves reproducible KQL for major findings, including an attempted exfiltration path. It does not claim real-world containment or confirmed data theft.

What I learned

  • Successful RDP logons can become the pivot point for a full endpoint investigation.
  • Process, registry, file, identity, and network telemetry need to be correlated to build a reliable attack timeline.
  • Scheduled tasks, Defender exclusions, discovery commands, archive creation, and outbound connections can form a defensible intrusion narrative.