Incident investigation and threat hunting using Microsoft Defender XDR

During a recent Red/Blue hands-on lab, I conducted a simulated attack on an isolated AD DS domain controller and a Windows device. The attack used a malicious PowerShell script with process injection; the focus was on investigating, remediating, and resolving the resulting multi-stage incident (Execution and Command and Control on one endpoint) effectively through threat-hunting activity.

Key points:

- Investigating the incident for the simulated attack

- Reviewing generated alerts

- Performing automated and manual investigation and remediation

- Resolving the incident

- Prioritizing incidents

- Managing incidents

- Exploring automated investigation and response with the Action center

- Utilizing advanced hunting techniques

- Receiving expert training on advanced hunting scenarios

To enhance security measures, Unified Security Operations with Microsoft Sentinel, Defender XDR, and Security Copilot were leveraged for comprehensive security and automatic attack disruption.
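As an illustration of the advanced hunting described above, here is a KQL query of the kind a defender would run in Defender XDR to surface the PowerShell process-injection chain from the lab. It is an added example written for this page, not a query from the lab or from Microsoft's materials. It assumes the standard advanced hunting schema (the `DeviceProcessEvents` and `DeviceEvents` tables), that the sensor reports cross-process thread creation as the `CreateRemoteThreadApiCall` action type, and that for that action type `FileName`/`ProcessId` describe the target process; the command-line keywords and the one-hour correlation window are choices made for this example.

```kql
// Added example: correlate suspicious PowerShell launches with later
// cross-process thread creation (a common process-injection tell).
// Assumes the Defender XDR advanced hunting schema and the
// "CreateRemoteThreadApiCall" ActionType in DeviceEvents.
let lookback = 7d;
// Step 1: PowerShell processes whose command line carries encoded or
// in-memory loader indicators (keyword list is an assumption for this example).
let suspiciousPs =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has_any ("-enc", "-encodedcommand", "FromBase64String",
                                        "VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread")
    | project DeviceId, DeviceName, AccountName,
              PsStart = Timestamp, PsProcessId = ProcessId,
              PsCommandLine = ProcessCommandLine;
// Step 2: remote-thread creation initiated by PowerShell, joined back to the
// suspicious launch on the same device and process id, within one hour.
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "CreateRemoteThreadApiCall"
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| project DeviceId, InjectTime = Timestamp, InitiatingProcessId,
          TargetProcess = FileName, TargetProcessId = ProcessId, ReportId
| join kind=inner suspiciousPs on DeviceId, $left.InitiatingProcessId == $right.PsProcessId
| where InjectTime between (PsStart .. (PsStart + 1h))
// Step 3: one row per suspicious PowerShell instance, with the set of
// injected-into processes, so an analyst can triage the worst offenders first.
| summarize InjectionCount = count(),
            Targets = make_set(TargetProcess, 20),
            FirstInjection = min(InjectTime),
            LastInjection = max(InjectTime)
          by DeviceName, AccountName, PsProcessId, PsCommandLine, PsStart
| order by InjectionCount desc
```

The query is deliberately two-staged: the command-line keywords alone produce noise from legitimate administrative scripts, and remote-thread events alone fire for benign tooling, but a process that matches both within a short window is worth an analyst's time. Once tuned, the same logic can be saved as a custom detection rule so that future occurrences raise an alert and feed the incident queue described above.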

Prerequisites for attending the session / required prior knowledge
No prerequisite knowledge