Skip to content

Project case study

Password Spray Threat Hunt: RDP Compromise Investigation

Microsoft Defender and Sentinel-style threat hunt that reconstructs a cyber-range Windows VM compromise from password-spray RDP access through execution, persistence, evasion, C2, and attempted exfiltration.

Role alignment

SecOps Analyst / SOC Analyst / Threat Detection Analyst

Executive summary

Microsoft Defender and Sentinel-style threat hunt that reconstructs a cyber-range Windows VM compromise from password-spray RDP access through execution, persistence, evasion, C2, and attempted exfiltration.

Hiring relevance

The RDP compromise investigation shows the ability to pivot across endpoint telemetry, explain what the evidence supports, and separate confirmed activity from unsupported assumptions.

Full technical write-up available

This portfolio page summarizes the project for hiring review. Use the Evidence Links section to read the full technical write-up and review the supporting project artifacts.

159.26.106.84

Source IP

slflare

Compromised Account

MicrosoftUpdateSync

Persistence Artifact

Attempted

Exfil Status

Problem

A cloud-hosted Windows VM in a cyber range showed activity consistent with password-spray-driven compromise over RDP. The hunt needed to identify the attacker source, compromised account, execution artifacts, persistence, evasion, discovery, collection, C2, and exfiltration attempt.

Environment / Tools

MDE Advanced HuntingMicrosoft SentinelMicrosoft Defender for EndpointSIEMKQLMITRE ATT&CK

Approach

  1. 1Investigated RDP logon activity against devices matching the target environment.
  2. 2Pivoted from successful logon events into process execution by the compromised account.
  3. 3Queried suspicious execution from user-writable paths such as Public, Temp, and Downloads.
  4. 4Reviewed scheduled task creation for persistence and registry changes for Defender exclusions.
  5. 5Searched discovery commands, archive creation, and outbound network activity tied to C2 and exfiltration indicators.
  6. 6Mapped observed behavior to MITRE ATT&CK techniques.

Evidence

  • The repository includes a full threat hunt report with executive summary, scope, reconstructed attack flow, ATT&CK mapping, flag-by-flag findings, KQL queries, screenshots, detection gaps, and recommendations.
  • KQL evidence uses DeviceLogonEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceFileEvents, and DeviceNetworkEvents.
  • Documented artifacts include source IP 159.26.106.84, compromised account slflare, endpoint slflarewinsysmo, msupdate.exe, MicrosoftUpdateSync scheduled task, Defender exclusion path C:\Windows\Temp, backup_sync.zip, and destination 185.92.220.87:8081.
  • The repository supports attempted exfiltration, not confirmed successful data theft.

KQL investigation pivots

  1. 1.DeviceLogonEvents: identify RDP activity and compromised account
  2. 2.DeviceProcessEvents: pivot into suspicious execution
  3. 3.DeviceEvents: review scheduled task creation
  4. 4.DeviceRegistryEvents: identify Defender exclusion changes
  5. 5.DeviceFileEvents: locate archive creation and staging
  6. 6.DeviceNetworkEvents: correlate C2 and exfiltration destination
  7. 7.MITRE ATT&CK: map password spraying, valid accounts, persistence, evasion, discovery, collection, C2, and exfiltration

Result

The investigation reconstructs a complete cyber-range attack chain and preserves reproducible KQL for major findings, including an attempted exfiltration path. It does not claim real-world containment or confirmed data theft.

What I learned

  • Successful RDP logons can become the pivot point for a full endpoint investigation.
  • Process, registry, file, identity, and network telemetry need to be correlated to build a reliable attack timeline.
  • Scheduled tasks, Defender exclusions, discovery commands, archive creation, and outbound connections can form a defensible intrusion narrative.