Incident Response: Investigate a Simulated APT Attack

📋 Overview

About This Lab

In this advanced hands-on lab you will walk through a complete incident response (IR) lifecycle inside Microsoft Defender XDR. You will investigate a multi-stage Advanced Persistent Threat (APT) attack that spans email, endpoint, identity, and cloud application vectors. Beginning with initial alert triage in the incident queue, you will reconstruct the full attack timeline, correlate evidence across all four Defender workloads, execute containment and eradication actions, guide recovery, and produce a post-incident review with actionable recommendations. Every step mirrors the workflow a Tier-2 / Tier-3 SOC analyst would follow in a real-world breach investigation.

🏢 Enterprise Use Case

Globex Corporation is a multinational financial services company with 12,000 employees across 15 countries. On a Monday morning the SOC receives a high-severity incident in Defender XDR that correlates alerts from Defender for Office 365, Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps. Initial indicators suggest an advanced threat actor: designated STRONTIUM / APT28 in MITRE ATT&CK: has launched a multi-stage campaign: a spear-phishing email delivered a weaponized document to a finance director, which executed a macro-based payload, established persistence via a scheduled task, harvested credentials through LSASS memory access, moved laterally to a domain controller, and exfiltrated sensitive data to a cloud storage service. Your mission is to investigate, contain, eradicate, and recover: all within the unified Defender XDR portal.

🎯 What You Will Learn

Map a multi-stage APT attack to the MITRE ATT&CK framework and the cyber kill chain
Triage, assess severity, and assign incidents in the Defender XDR incident queue
Reconstruct the full attack timeline using the incident graph, alert story, and entity details
Investigate the email vector using Threat Explorer and the email entity page
Analyze endpoint compromise through the device timeline, process tree, and file entity page
Detect identity compromise via sign-in anomalies, credential theft indicators, and lateral movement paths
Trace lateral movement and cloud application abuse across multiple devices and workloads
Execute containment actions: device isolation, user disablement, indicator blocking, and session revocation
Perform eradication and recovery: remove persistence mechanisms, reset credentials, and restore operations
Produce a post-incident review with MITRE ATT&CK mapping, lessons learned, and detection rule improvements

🔑 Why This Matters

APT attacks are not single-alert events: they are coordinated campaigns that unfold across multiple vectors over hours or days. Investigating them in siloed tools leads to slow response times, missed evidence, and incomplete remediation. Microsoft Defender XDR unifies telemetry from endpoints, email, identity, and cloud apps into a single incident, enabling analysts to see the complete attack story and respond decisively. This lab trains you to leverage that unified view, correlate evidence across workloads, and execute the full IR lifecycle: skills that directly translate to faster mean-time-to-respond (MTTR) and reduced breach impact in production environments.

⚙️ Prerequisites

Required Licenses

Microsoft 365 E5 (includes Defender for Endpoint P2, Defender for Office 365 P2, Defender for Identity, Defender for Cloud Apps)
Microsoft Defender XDR unified portal access
Microsoft Entra ID P2 (for Identity Protection and sign-in risk policies)

Required Roles

Security Administrator in Microsoft Entra ID (for full investigation and response capabilities)
Security Operator (minimum for containment actions: device isolation, user disablement)
Global Reader or Security Reader (for read-only investigation if performing this lab in a shared tenant)

Environment Requirements

A modern browser (Edge, Chrome) with access to security.microsoft.com
At least two Windows devices onboarded to Microsoft Defender for Endpoint with active sensor data
Microsoft Defender for Identity sensor deployed on at least one domain controller
Microsoft Defender for Office 365 configured with mail flow to your tenant
Microsoft Defender for Cloud Apps connected with at least one cloud app (e.g., Microsoft 365, Salesforce, Box)
PowerShell 5.1+ and the Microsoft.Graph module for remediation scripts

⚠️ Important: This lab involves containment actions (device isolation, user disablement, session revocation) that will impact the targeted accounts and devices. Only perform these actions in a dedicated lab or test environment. Never isolate production devices or disable production accounts without proper change-control authorization.

Step 1 · Understand the APT Attack Scenario

Before diving into investigation, you need a clear mental model of the attack you are hunting. This simulated APT follows the classic cyber kill chain and maps directly to MITRE ATT&CK tactics and techniques. Understanding the expected attack flow lets you prioritize your investigation and recognize evidence when you encounter it.

Kill Chain Walkthrough

The simulated attack proceeds through these phases:

Phase 1: Initial Access (T1566.001): A spear-phishing email with a weaponized Word document is delivered to j.smith@globex.com (Finance Director). The email impersonates a known vendor and references an overdue invoice.
Phase 2: Execution (T1204.002 / T1059.001): The user opens the attachment and enables macros. The macro launches a PowerShell download cradle that fetches a second-stage payload from update-service[.]cc.
Phase 3: Persistence (T1053.005): The payload creates a scheduled task named WindowsUpdateCheck that runs every 4 hours, ensuring the implant survives reboot.
Phase 4: Credential Access (T1003.001): The implant uses Invoke-Mimikatz or direct LSASS memory access to harvest NTLM hashes and Kerberos tickets from the compromised endpoint.
Phase 5: Lateral Movement (T1021.002 / T1047): Using stolen credentials, the attacker moves laterally via SMB and WMI to a domain controller (DC01) and a file server (FS02).
Phase 6: Collection & Exfiltration (T1560.001 / T1567.002): Sensitive financial documents are compressed into a password-protected ZIP archive and exfiltrated to a cloud storage service (Box) using a compromised OAuth token.

MITRE ATT&CK Mapping

Use the following KQL query to view MITRE ATT&CK technique tags on alerts in the current incident:

// LIST MITRE ATT&CK TECHNIQUES across all alerts (last 7 days)
// Purpose: Identify which adversary techniques are most active in your environment
//   and validate that alerts map to specific ATT&CK techniques.
//
// How it works:
//   1. Filters AlertInfo to only alerts that have ATT&CK technique tags
//   2. Parses the AttackTechniques JSON array into individual rows (mv-expand)
//   3. Counts alerts per technique and shows associated alert titles
//
// Output columns:
//   Technique  – ATT&CK technique ID (e.g., T1566.001, T1059.001)
//   AlertCount – how many alerts mapped to this technique
//   Titles     – list of alert names for context
// A multi-technique incident spanning Initial Access through Exfiltration
// signals a coordinated APT attack rather than commodity malware.
AlertInfo
| where Timestamp > ago(7d)
| where AttackTechniques != ""
| extend Techniques = parse_json(AttackTechniques)
| mv-expand Technique = Techniques
| summarize AlertCount = count(), Titles = make_set(Title) by tostring(Technique)
| sort by AlertCount desc

💡 Pro Tip: Print or bookmark the MITRE ATT&CK page for APT28 before starting. Having the full technique list alongside your investigation helps you systematically check off each expected phase and spot any activities that extend beyond the known playbook.

Step 2 · Review the Initial Alert in the Incident Queue

The incident queue is your starting point. Defender XDR automatically correlates related alerts from all workloads into a single incident. Your first task is to locate the incident, assess its severity, and take ownership.

Navigate to the Incident Queue

Open the Microsoft Defender portal at security.microsoft.com
In the left navigation click Incidents & alerts → Incidents
Apply filters: set Severity to High and Status to New
Look for an incident that correlates alerts from multiple sources (e.g., “Multi-stage incident involving phishing and credential theft on one endpoint”)
Click the incident name to open the incident detail page

Triage and Severity Assessment

Review the Incident summary card: note the number of correlated alerts, impacted entities (users, devices, mailboxes), and detection sources
Check the MITRE ATT&CK techniques tag: a multi-technique incident spanning Initial Access through Exfiltration signals an APT
Evaluate the Automated investigation status: note whether AIR has already started and what actions are pending analyst approval
Confirm severity: if the incident involves credential theft + lateral movement + exfiltration, escalate to High or Critical if not already

Assign the Incident

Click Manage incident (top-right of the incident page)
Set Assign to to your analyst account
Set Classification to True positive: Threat (you will validate this during investigation)
Add relevant tags: APT, IR-Active, Phishing, Credential-Theft
Set Status to In progress
Click Save

Query Incident Details via KQL

Use Advanced Hunting to gather a consolidated view of all alerts correlated to the incident:

// CONSOLIDATED ALERT VIEW for the target incident
// Purpose: Get all alerts correlated to an incident in one table,
//   including the evidence entities attached to each alert.
//
// How it works:
//   Inner join of AlertInfo + AlertEvidence on AlertId links each alert
//   to its evidence (devices, users, files, IPs, URLs involved).
//   Title filter narrows to alerts related to the attack phases.
//
// Output columns:
//   Title             – alert name describing the detection
//   Category          – MITRE tactic (InitialAccess, Execution, LateralMovement, etc.)
//   EntityType        – type of evidence (Device, User, File, IP, URL)
//   RemediationStatus – whether automated remediation has addressed this alert
//   DetectionSource   – which Defender product generated the alert
// Sort by Timestamp ascending to see the attack progression chronologically.
AlertInfo
| where Timestamp > ago(7d)
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(7d)
  ) on AlertId
| where Title has_any ("phishing", "credential", "lateral", "exfiltration", "suspicious")
| project Timestamp, AlertId, Title, Severity, Category,
          EntityType, RemediationStatus, DetectionSource
| sort by Timestamp asc

💡 Pro Tip: Always assign the incident to yourself before starting investigation. This prevents duplicate effort by other analysts and creates an audit trail. Use the Comments section on the incident page to document your hypothesis and investigation progress as you go.

Step 3 · Investigate the Attack Timeline

The attack timeline reconstructs the sequence of events across all workloads. Using the incident graph, alert story, and entity details you will build a chronological narrative of how the attack unfolded: from the initial phishing email to data exfiltration.

Use the Incident Graph

On the incident detail page click the Attack story tab
Review the visual graph that shows relationships between alerts, users, devices, mailboxes, and files
Identify the root node: this is typically the initial email or first endpoint alert
Trace the path from the root node through each subsequent alert to understand the attack progression
Click on each node to expand entity details: device name, user account, file hash, or URL
Note the timestamps on each node to establish the exact chronology

Review the Alert Story

Click the Alerts tab on the incident page
Sort alerts by Timestamp (oldest first) to see the attack in chronological order
For each alert, note: Detection source (MDO, MDE, MDI, MDA), Category (Initial Access, Execution, Persistence, etc.), and Impacted entities
Click into the first alert to read the Alert story: this shows the process tree, network connections, and file operations that triggered the detection

Build a Timeline Query

Use Advanced Hunting to construct a unified cross-workload timeline for the compromised user:

// ============================================================
// CROSS-WORKLOAD INVESTIGATION TIMELINE
// Purpose: Build a unified chronological view of ALL activity for the
//   compromised user across Email, Endpoint, Identity, and Cloud Apps.
//   This is the most important query during incident investigation.
//
// How it works:
//   - union combines 4 sub-queries (one per Defender product)
//   - Each sub-query targets the same user and 48h investigation window
//   - Workload column identifies the source product
//   - Action column provides a human-readable event summary
//   - Results sorted chronologically to reveal the attack narrative
//
// Reading the output:
//   MDO row first → phishing email was the entry point
//   MDE rows after → process execution on the endpoint (payload)
//   MDI rows → credential usage on other devices (lateral movement)
//   MDA rows → cloud app access (data exfiltration)
// ============================================================
let targetUser = "j.smith@globex.com";
let investigationWindow = ago(48h);
// Email events: phishing delivery and any other mail to/from target
EmailEvents
| where Timestamp > investigationWindow
| where RecipientEmailAddress =~ targetUser
| project Timestamp, Workload = "MDO", Action = strcat("Email: ", Subject),
          Detail = SenderFromAddress, Entity = RecipientEmailAddress
| union (
  // Endpoint process events: commands executed on devices by target user
  DeviceProcessEvents
  | where Timestamp > investigationWindow
  | where AccountUpn =~ targetUser
  | project Timestamp, Workload = "MDE", Action = strcat("Process: ", FileName),
            Detail = ProcessCommandLine, Entity = DeviceName
)
| union (
  // Identity logon events: authentication attempts by target user
  // DeviceName = source device, DestinationDeviceName = target device
  IdentityLogonEvents
  | where Timestamp > investigationWindow
  | where AccountUpn =~ targetUser
  | project Timestamp, Workload = "MDI", Action = strcat("Logon: ", LogonType),
            Detail = strcat(DeviceName, " → ", DestinationDeviceName), Entity = AccountUpn
)
| union (
  // Cloud app activity: SaaS application usage (file access, uploads, sharing)
  CloudAppEvents
  | where Timestamp > investigationWindow
  | where AccountId =~ targetUser
  | project Timestamp, Workload = "MDA", Action = strcat("CloudApp: ", ActionType),
            Detail = Application, Entity = AccountId
)
| sort by Timestamp asc

💡 Pro Tip: Export the unified timeline to CSV and paste it into a spreadsheet. Color-code each workload (MDO = blue, MDE = red, MDI = yellow, MDA = purple) to create a visual representation of the attack that you can include in your incident report.

Step 4 · Deep Dive: Email Vector Analysis

The phishing email is the entry point of this attack. In this step you will use Defender for Office 365 capabilities: Threat Explorer and the email entity page: to fully analyze the malicious message, understand why it bypassed filters, and determine if additional recipients were targeted.

Investigate with Threat Explorer

Navigate to Email & collaboration → Explorer in the left navigation
Set the view to All email and the time range to the past 48 hours
In the Sender address filter, enter the suspected sender domain (e.g., vendor-invoices[.]cc)
Review the results: note the Subject, Delivery action (Delivered, Junked, Blocked), and Detection technology
Click on the email to open the Email entity page

Analyze the Email Entity Page

Review the Analysis tab: check SPF, DKIM, and DMARC results: a spoofed sender will typically fail authentication
Examine the Attachments section: note the file name, file type, SHA256 hash, and detonation verdict
Check the URLs section: note any embedded URLs, their reputation, and detonation results
Review Similar emails: determine if the same sender or subject targeted other users in the organization
Note the Delivery location: if the email landed in the Inbox, this indicates a gap in your email filtering policies

Hunt for Additional Phishing Deliveries

Use Advanced Hunting to find all emails from the same sender domain and identify other potential victims:

// HUNT FOR ADDITIONAL PHISHING TARGETS from the same sender domain
// Purpose: Determine if the phishing campaign targeted other users beyond
//   the known victim. Other recipients may have also opened the email.
// Replace "vendor-invoices.cc" with the actual malicious sender domain.
// Output: Each row = an email from the phishing domain
//   DeliveryAction = "Delivered" means the email reached the inbox
//   DeliveryAction = "Blocked" means filtering caught it
// If additional users received delivered emails, check their identity
// and endpoint telemetry for post-compromise activity.
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromDomain =~ "vendor-invoices.cc"
    or SenderMailFromDomain =~ "vendor-invoices.cc"
| project Timestamp, SenderFromAddress, RecipientEmailAddress,
          Subject, DeliveryAction, DeliveryLocation,
          ThreatTypes, DetectionMethods
| sort by Timestamp asc

Check Attachment Detonation Results

// CORRELATE EMAIL ATTACHMENTS with endpoint file creation
// Purpose: Determine if the malicious attachment was saved/opened on any endpoint.
// How it works:
//   1. Gets all attachments from the phishing sender domain
//   2. Left outer joins with DeviceFileEvents on SHA256 hash
//   3. If a match exists, the file was written to disk on that device
//
// Output columns:
//   SHA256        – file hash (search in VirusTotal for malware classification)
//   DeviceName    – if populated, the file was opened/saved on this endpoint
//   FolderPath    – where the file was saved (Downloads, Temp = user opened it)
// A NULL DeviceName means the attachment was in the email but not opened.
EmailAttachmentInfo
| where Timestamp > ago(7d)
| where SenderFromDomain =~ "vendor-invoices.cc"
| project Timestamp, SenderFromAddress, RecipientEmailAddress,
          FileName, FileType, SHA256,
          ThreatTypes, DetectionMethods
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp > ago(7d)
    | where ActionType == "FileCreated"
    | project SHA256, DeviceName, FolderPath, FileName
  ) on SHA256

⚠️ Important: If the phishing email was delivered to additional recipients beyond your initial victim, escalate the incident scope immediately. Use the Soft delete action in Threat Explorer to remove the malicious email from all recipient mailboxes before they open it.

Step 5 · Deep Dive: Endpoint Compromise

Once the phishing email delivered its payload, the attack moved to the endpoint. In this step you will use the device timeline, process tree, and file entity page to trace exactly what happened on the compromised workstation after the user opened the malicious attachment.

Investigate the Device Timeline

From the incident page, click the affected device (e.g., WS-FINANCE-01) to open the Device page
Click the Timeline tab and set the time range to cover the attack window (e.g., past 48 hours)
Filter by Event types: select Process creations, File operations, Network connections, and Registry modifications
Look for the chain: WINWORD.EXE → cmd.exe → powershell.exe: this indicates macro execution launching a PowerShell payload
Expand each process node to view the full command line, file path, and parent process
Note any network connections initiated by the PowerShell process: these indicate C2 communication or payload download

Analyze the Process Tree

Click on the alert associated with the endpoint compromise to view the Alert story
In the process tree, identify the complete execution chain from WINWORD.EXE to the final payload
Look for suspicious child processes: powershell.exe with encoded commands, certutil.exe for file download, schtasks.exe for persistence
Right-click on any suspicious file → Go to file page to view prevalence, global first/last seen, and VirusTotal results

Hunt for Execution and Persistence Artifacts

// TRACE THE MACRO ATTACK CHAIN: Word → cmd → PowerShell → payload
// MITRE ATT&CK: T1204.002 (User Execution: Malicious File)
//               T1059.001 (PowerShell) + T1059.003 (Windows Command Shell)
// Purpose: Reconstruct the exact process execution chain on the compromised
//   endpoint after the user opened the malicious Word document.
//
// Detection logic:
//   1. WINWORD.EXE as InitiatingProcessFileName = macro launched a process
//   2. cmd.exe as InitiatingProcessFileName = command shell launched by macro
//   3. FileName matches interpreters or LOLBins = payload execution
//
// The process chain reveals the attack vector:
//   WINWORD.EXE → cmd.exe → powershell.exe -enc [base64] = classic macro attack
//   WINWORD.EXE → mshta.exe = HTML Application payload
//   WINWORD.EXE → certutil.exe -urlcache = file download via LOLBin
DeviceProcessEvents
| where Timestamp > ago(48h)
| where DeviceName =~ "WS-FINANCE-01"
| where InitiatingProcessFileName =~ "WINWORD.EXE"
    or InitiatingProcessFileName =~ "cmd.exe"
    or FileName in~ ("powershell.exe", "pwsh.exe", "certutil.exe", "schtasks.exe", "mshta.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          AccountName, SHA256
| sort by Timestamp asc

Detect Scheduled Task Persistence

// DETECT MALICIOUS SCHEDULED TASK PERSISTENCE
// MITRE ATT&CK: T1053.005 (Scheduled Task/Job: Scheduled Task)
// Purpose: Attackers create scheduled tasks to survive reboots and maintain
//   persistent access. Common disguise names mimic Windows Update or browser updates.
//
// How it works:
//   Filters DeviceEvents for ScheduledTaskCreated action type on the target device.
//   Parses AdditionalFields JSON to extract TaskName and TaskContent (the command).
//   Filters for suspicious task names that impersonate legitimate Windows services.
//
// Suspicious task names to look for:
//   "WindowsUpdateCheck" / "SystemHealthMonitor" / "ChromeUpdate" = common attacker names
//   Real Windows tasks have specific naming patterns (e.g., "\Microsoft\Windows\...")
// Check TaskContent for the actual command – PowerShell or executable paths confirm malice.
DeviceEvents
| where Timestamp > ago(48h)
| where DeviceName =~ "WS-FINANCE-01"
| where ActionType == "ScheduledTaskCreated"
| project Timestamp, DeviceName, ActionType,
          AdditionalFields = parse_json(AdditionalFields)
| extend TaskName = tostring(AdditionalFields.TaskName),
         TaskContent = tostring(AdditionalFields.TaskContent)
| where TaskName has_any ("WindowsUpdateCheck", "SystemHealthMonitor", "ChromeUpdate")

Investigate File Drops

// DETECT MALWARE FILE DROPS from the attack process chain
// MITRE ATT&CK: T1105 (Ingress Tool Transfer)
// Purpose: Find files written to disk by the malicious processes
//   (PowerShell, cmd, certutil) that form the attack chain.
//
// Detection logic:
//   ActionType in (FileCreated, FileModified) – new or changed files
//   InitiatingProcessFileName – only files created by suspicious processes
//
// Key output columns:
//   SHA256     – file hash for VirusTotal/TI lookup and IoC blocking
//   FileSize   – very small files may be scripts; large files may be tools
//   FolderPath – files in Temp, ProgramData, or AppData\Local are suspicious;
//               files in System32 or Program Files indicate deeper compromise
// Use the SHA256 values to create block indicators in Settings → Indicators.
DeviceFileEvents
| where Timestamp > ago(48h)
| where DeviceName =~ "WS-FINANCE-01"
| where ActionType in ("FileCreated", "FileModified")
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath,
          SHA256, FileSize, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| sort by Timestamp asc

💡 Pro Tip: Use the Collect investigation package action on the device page to automatically gather forensic artifacts: running processes, network connections, autoruns, event logs, and prefetch data. This package can be downloaded as a ZIP and analyzed offline with tools like Eric Zimmerman's tools or SANS SIFT Workstation.

Step 6 · Deep Dive: Identity Compromise

After gaining initial access to the endpoint, the attacker harvested credentials. Now you need to investigate the identity vector: detecting sign-in anomalies, credential theft indicators, and evidence that stolen credentials were used to access additional resources.

Review Identity Alerts in the Incident

On the incident page, filter alerts by Detection source: Microsoft Defender for Identity
Look for alerts such as: “Suspected credential theft (LSASS access)”, “Suspected identity theft (Pass-the-Hash)”, “Honeytoken activity”
Click into each MDI alert to review the evidence chain: which process accessed LSASS, the source device, the target account
Navigate to the User page for the compromised account (j.smith) by clicking the user entity

Analyze Sign-in Anomalies

On the user entity page, review Recent sign-in activity
Look for anomalies: sign-ins from new devices, unusual locations, impossible travel, or sign-ins outside working hours
Check for failed sign-in attempts followed by success: this pattern indicates credential spray or brute force leading to a valid compromise
Review Azure AD Identity Protection risk detections for the user (if Entra ID P2 is configured)

Detect Credential Theft via KQL

// DETECT LSASS MEMORY ACCESS – Credential Dumping Indicator
// MITRE ATT&CK: T1003.001 (OS Credential Dumping: LSASS Memory)
// Why: LSASS (Local Security Authority Subsystem Service) stores hashed
//   credentials in memory. Tools like Mimikatz, procdump, or direct API
//   calls access LSASS to extract NTLM hashes and Kerberos tickets.
//
// Detection logic:
//   Finds processes that access or reference lsass.exe.
//   Excludes legitimate system processes that normally interact with LSASS:
//     svchost.exe, csrss.exe, wininit.exe = Windows core processes
//     MsMpEng.exe = Defender Antivirus engine
//
// Key output:
//   InitiatingProcessFileName – WHAT accessed LSASS (if not in exclusion list,
//     it’s suspicious). Common malicious: rundll32.exe, unknown.exe, procdump.exe
//   InitiatingProcessParentFileName – what launched the accessing process
// CRITICAL: If LSASS access is confirmed, ALL credentials on that device
//   are potentially compromised (all logged-in users, service accounts, etc.)
DeviceProcessEvents
| where Timestamp > ago(48h)
| where FileName =~ "lsass.exe" or ProcessCommandLine has "lsass"
| where InitiatingProcessFileName !in~ ("svchost.exe", "csrss.exe", "wininit.exe", "MsMpEng.exe")
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          InitiatingProcessParentFileName
| sort by Timestamp asc

Identify Pass-the-Hash / Pass-the-Ticket Activity

// DETECT PASS-THE-HASH / PASS-THE-TICKET via anomalous logons
// MITRE ATT&CK: T1550.002 (Pass the Hash) / T1550.003 (Pass the Ticket)
// Purpose: After credential theft, trace how stolen credentials were used.
//   Look for logons to devices the user doesn’t normally access, unusual
//   protocols, and logon types indicating remote access.
//
// Key columns to examine:
//   LogonType:
//     Interactive       = direct console logon (normal for user’s own device)
//     RemoteInteractive = RDP session (suspicious if to a server)
//     Network           = SMB/NTLM authentication (PtH lateral movement)
//   DestinationDeviceName – where the credentials were used
//   Protocol – "NTLM" with Network logon to multiple devices = PtH
//   FailureReason – empty for success; populated for failures (brute force)
IdentityLogonEvents
| where Timestamp > ago(48h)
| where AccountUpn =~ "j.smith@globex.com"
| where LogonType in ("Interactive", "RemoteInteractive", "Network")
| project Timestamp, AccountUpn, DeviceName,
          DestinationDeviceName, LogonType,
          Application, Protocol, FailureReason
| sort by Timestamp asc

Check for Kerberos Ticket Anomalies

// DETECT KERBEROS TICKET ANOMALIES – Overpass-the-Hash / Golden Ticket
// MITRE ATT&CK: T1558 (Steal or Forge Kerberos Tickets)
// Purpose: After stealing NTLM hashes, attackers may forge Kerberos tickets
//   to access any resource without knowing the password.
//
// IdentityQueryEvents captures AD queries including Kerberos ticket requests.
// Suspicious patterns:
//   - Kerberos TGT requests from unusual devices
//   - LDAP queries for sensitive groups (Domain Admins, Enterprise Admins)
//   - Abnormal QueryTarget values (targeting service accounts or DCs)
//
// Golden Ticket indicator: if QueryType shows Kerberos activity from a
//   device where the user never normally authenticates, this may indicate
//   a forged ticket being used.
IdentityQueryEvents
| where Timestamp > ago(48h)
| where ActionType has_any ("Kerberos", "LDAP")
| where AccountUpn =~ "j.smith@globex.com"
| project Timestamp, AccountUpn, ActionType,
          DeviceName, DestinationDeviceName,
          QueryType, QueryTarget
| sort by Timestamp asc

⚠️ Important: If you detect LSASS access from a non-standard process, assume all credentials cached on that device are compromised. This includes not only the logged-on user but also any service accounts, VPN credentials, and cached domain admin tokens. Document all potentially compromised accounts for credential reset in Step 9.

Step 7 · Deep Dive: Lateral Movement & Cloud App Access

With stolen credentials in hand, the attacker moves laterally to high-value targets: domain controllers, file servers, and cloud applications. This step traces cross-device activity and identifies cloud app abuse that leads to data exfiltration.

Trace Lateral Movement via SMB and WMI

In the incident graph, look for connections between the initial compromised device (WS-FINANCE-01) and other devices (DC01, FS02)
Click on the domain controller entity to open its device page and review the timeline
Look for remote process creation events, SMB file copy activities, and service installation events
Check for MDI alerts: “Suspected lateral movement (pass-the-hash)”, “Remote code execution attempt”

Detect Cross-Device Lateral Movement

// DETECT LATERAL MOVEMENT via remote logons from compromised account
// MITRE ATT&CK: T1021.002 (Remote Services: SMB/Windows Admin Shares)
// Purpose: After credential theft, attackers use stolen credentials to
//   authenticate to other machines. This query finds logons from the
//   compromised user to devices OTHER than their primary workstation.
//
// Key filter: DestinationDeviceName !~ "WS-FINANCE-01" excludes the
//   user’s own device to focus on lateral movement to NEW devices.
// LogonType explanation:
//   RemoteInteractive = RDP session to the target (interactive control)
//   Network = SMB/NTLM authentication (file share access, PsExec, WMI)
// Each row = the compromised account accessed a different device.
// Multiple devices in a short time = active lateral movement campaign.
IdentityLogonEvents
| where Timestamp > ago(48h)
| where AccountUpn =~ "j.smith@globex.com"
| where LogonType in ("RemoteInteractive", "Network")
| where DestinationDeviceName !~ "WS-FINANCE-01" // Exclude the source device
| project Timestamp, AccountUpn, DeviceName,
          DestinationDeviceName, LogonType,
          Protocol, IPAddress
| sort by Timestamp asc

Hunt for Remote Process Execution

// DETECT REMOTE PROCESS EXECUTION on secondary target machines
// MITRE ATT&CK: T1047 (WMI) / T1569.002 (Service Execution) / T1021.006 (WinRM)
// Purpose: After lateral movement, attackers execute commands on target devices.
//   This query detects when remote execution frameworks spawn suspicious processes
//   on the domain controller (DC01) and file server (FS02).
//
// InitiatingProcessFileName values that indicate remote execution:
//   wmiprvse.exe    = WMI remote execution
//   wsmprovhost.exe = WinRM / PowerShell Remoting
//   PSEXESVC.exe    = PsExec service (created on target machine)
//   services.exe    = new service installation (SCM-based execution)
//
// Exclusion: svchost.exe and taskhostw.exe are normal child processes of
//   services.exe and shouldn’t trigger alerts.
// Output: FileName + ProcessCommandLine = what the attacker actually ran.
DeviceProcessEvents
| where Timestamp > ago(48h)
| where DeviceName in~ ("DC01", "FS02")
| where InitiatingProcessFileName in~ ("wmiprvse.exe", "wsmprovhost.exe", "PSEXESVC.exe", "services.exe")
| where FileName !in~ ("svchost.exe", "taskhostw.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, AccountName, AccountDomain
| sort by Timestamp asc

Investigate Cloud App Abuse

Navigate to Cloud apps → Activity log in the Defender portal
Filter by User: j.smith@globex.com and time range: past 48 hours
Look for unusual activities: mass file downloads, OAuth app consent, sharing files externally, uploading data to third-party cloud storage
Check for App governance alerts: “Unusual volume of file access”, “OAuth app with suspicious permissions”

Detect Data Exfiltration to Cloud Storage

// DETECT DATA EXFILTRATION via Cloud App Abuse
// MITRE ATT&CK: T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage)
// Purpose: Detect when the compromised account performs bulk file operations
//   (mass downloads, external sharing, uploads to third-party storage).
//
// ActionTypes indicating exfiltration:
//   FileUploaded              – files uploaded to cloud storage (OneDrive, Box, etc.)
//   FileDownloaded            – mass downloads from SharePoint/OneDrive
//   FileSyncDownloadedFull    – full sync download (entire library)
//   SharingSet                – files shared externally (to outside recipients)
//   AddedToGroup              – added to group with access to sensitive data
//
// Threshold: EventCount > 20 per hour flags anomalous volume.
//   Normal daily operation for one user is typically < 10 file operations/hour.
//   Values > 50 strongly suggest automated/scripted data collection.
// UniqueFiles shows how many distinct files were accessed – high values = bulk exfil.
CloudAppEvents
| where Timestamp > ago(48h)
| where AccountId =~ "j.smith@globex.com"
| where ActionType in ("FileUploaded", "FileDownloaded", "FileSyncDownloadedFull",
                         "SharingSet", "AddedToGroup")
| summarize EventCount = count(),
            UniqueFiles = dcount(ObjectName),
            Apps = make_set(Application)
    by AccountId, ActionType, bin(Timestamp, 1h)
| where EventCount > 20 // Threshold for anomalous volume
| sort by Timestamp asc

Trace Network Exfiltration

// DETECT LARGE OUTBOUND DATA TRANSFERS from compromised devices
// MITRE ATT&CK: T1041 (Exfiltration Over C2 Channel) / T1048 (Exfiltration Over Alternative Protocol)
// Purpose: Detect when compromised endpoints send unusually large amounts
//   of data to public IP addresses, indicating data exfiltration.
//
// How it works:
//   1. Filters to successful outbound connections from compromised devices
//   2. RemoteIPType == "Public" excludes internal traffic (only internet-facing)
//   3. Aggregates TotalBytesSent per destination per hour
//   4. Threshold: > 50 MB (50,000,000 bytes) in a single hour is anomalous
//
// Output columns:
//   TotalBytesSent     – volume of data sent (high values = exfiltration)
//   RemoteIP/RemoteUrl – where data was sent (check threat intel / VirusTotal)
//   ConnectionCount    – many connections = beaconing or chunked transfer
//   UniqueDestinations – data sent to many IPs = distributed exfil or scanning
// Cross-reference RemoteIP with your threat intelligence feeds.
DeviceNetworkEvents
| where Timestamp > ago(48h)
| where DeviceName in~ ("WS-FINANCE-01", "FS02")
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| summarize TotalBytesSent = sum(SentBytes),
            ConnectionCount = count(),
            UniqueDestinations = dcount(RemoteIP)
    by DeviceName, RemoteIP, RemoteUrl, bin(Timestamp, 1h)
| where TotalBytesSent > 50000000 // >50 MB threshold
| sort by TotalBytesSent desc

💡 Pro Tip: Cross-reference the RemoteIP addresses from network events with threat intelligence feeds. In Defender XDR, click on any IP address entity to view its reputation, geographic location, ASN, and whether it has been observed in other incidents across your tenant or the broader Microsoft threat intelligence graph.

Step 8 · Containment Actions

With the investigation complete and the attack scope identified, it is time to contain the threat. Containment stops the attacker from extending their reach while you prepare eradication. Speed is critical: every minute of delay gives the adversary more time to exfiltrate data or establish additional persistence.

Isolate Compromised Devices

Navigate to the Device page for WS-FINANCE-01
Click the ⋯ (more actions) menu → select Isolate device
Choose Full isolation (blocks all network traffic except Defender for Endpoint cloud service communication)
Add a comment: “IR-2026-0042: Isolating due to confirmed APT compromise. credential theft and lateral movement detected”
Click Confirm
Repeat for any additional compromised devices identified during investigation (e.g., FS02 if compromise was confirmed)

⚠️ Important: Do not isolate domain controllers unless absolutely necessary, as this disrupts authentication for the entire domain. For DC containment, coordinate with your Active Directory team and consider alternative measures such as disabling the compromised account and rotating the KRBTGT password instead.

Disable the Compromised User Account

From the incident page, click the user entity (j.smith@globex.com)
On the user page click ⋯ → Disable user in Azure AD
Alternatively, use PowerShell for faster execution across multiple accounts:

# CONTAINMENT: Disable compromised user accounts in Microsoft Entra ID
# Scope: User.ReadWrite.All – required to modify user account properties
# Purpose: Immediately prevent the attacker from using stolen credentials
#   to access ANY Microsoft 365 or Azure resource.
# Impact: The user will be unable to log in until the account is re-enabled.
#   All active sessions continue until tokens expire or are revoked (next step).
# Expected output: "Disabled account: j.smith@globex.com" for each user
Connect-MgGraph -Scopes "User.ReadWrite.All"

$compromisedUsers = @(
    "j.smith@globex.com"
    # Add additional compromised accounts as identified
)

foreach ($user in $compromisedUsers) {
    Update-MgUser -UserId $user -AccountEnabled:$false
    Write-Host "Disabled account: $user" -ForegroundColor Yellow
}

Revoke All Active Sessions

# CONTAINMENT: Revoke all refresh tokens and active sessions
# Purpose: Even after disabling the account, existing access tokens
#   remain valid until they expire (typically 1 hour for access tokens).
#   Revoke-MgUserSignInSession forces immediate invalidation of ALL
#   refresh tokens, requiring re-authentication on every session.
# This ensures the attacker cannot use any previously issued tokens.
# Expected output: "Revoked sessions for: j.smith@globex.com"
#   followed by account status verification showing Enabled=False
foreach ($user in $compromisedUsers) {
    Revoke-MgUserSignInSession -UserId $user
    Write-Host "Revoked sessions for: $user" -ForegroundColor Yellow
}

# Verify account status – confirm all accounts show Enabled=False
foreach ($user in $compromisedUsers) {
    $userObj = Get-MgUser -UserId $user -Property AccountEnabled, DisplayName
    Write-Host "$($userObj.DisplayName): Enabled=$($userObj.AccountEnabled)"
}

Block Malicious Indicators

Navigate to Settings → Endpoints → Indicators
Add URL/Domain indicator: block update-service[.]cc (C2 domain) and vendor-invoices[.]cc (phishing sender domain)
Add File hash indicator: block the SHA256 hash of the malicious attachment and the dropped payload
Add IP indicator: block the C2 IP addresses identified during network analysis
Set the action to Block and remediate for all indicators
Set expiration to Never (you can remove them after the investigation closes)

Soft-Delete Phishing Emails

Return to Email & collaboration → Explorer
Search for all emails from the malicious sender domain that were delivered
Select all matching emails → click Take action → Move to deleted items or Soft delete
Confirm the remediation action and note the action ID for tracking

💡 Pro Tip: Use the Action center (Actions & submissions → Action center) to track all containment actions in one place. Every isolation, email removal, file quarantine, and indicator block is logged here with timestamps and status. This becomes your evidence trail for the incident report.

Step 9 · Eradication & Recovery

Containment stops the bleeding; eradication removes the infection. In this step you will remove all persistence mechanisms, reset compromised credentials, re-enable accounts with fresh credentials, and establish monitoring to confirm the threat is fully neutralized.

Remove Persistence Mechanisms

On the isolated device (WS-FINANCE-01), use the Live Response feature to connect remotely
Navigate to Device page → ⋯ → Initiate Live Response session
Remove the malicious scheduled task:

# ERADICATION: Live Response commands – run on the isolated device
# Purpose: Remove all persistence mechanisms and malware artifacts identified
#   during investigation. Live Response connects to the isolated device via
#   the Defender for Endpoint cloud channel (works even when device is isolated).
#
# Step 1: Remove the malicious scheduled task used for persistence
# The "remediate" command removes the task and logs the action
remediate scheduledtask "WindowsUpdateCheck"

# Step 2: Verify the task was removed by listing all scheduled tasks
scheduledtasks

# Step 3: Remove the dropped malware files
# Remediate moves files to quarantine rather than permanently deleting,
# preserving them as evidence for post-incident forensic analysis
remediate file "C:\ProgramData\Microsoft\WindowsUpdateCheck.exe"
remediate file "C:\Users\j.smith\AppData\Local\Temp\payload.ps1"

# Step 4: Verify file removal – should return "file not found"
dir "C:\ProgramData\Microsoft\WindowsUpdateCheck.exe"
dir "C:\Users\j.smith\AppData\Local\Temp\payload.ps1"

Run a Full Antivirus Scan

On the device page click ⋯ → Run antivirus scan
Select Full scan and click Confirm
Monitor the scan progress in the Action center
Review scan results for any additional malware that was not identified during the manual investigation

Reset Compromised Credentials

# ERADICATION: Reset passwords for all compromised accounts
# Scope: User.ReadWrite.All – required to reset passwords
# Purpose: Replace stolen credentials with new, strong passwords.
#   ForceChangePasswordNextSignIn ensures the user sets their own
#   permanent password at next login.
#
# Security: The temporary password is generated using cryptographically
#   random characters (letters, numbers, special chars, 24 chars long).
# IMPORTANT: Communicate the temporary password via a secure
#   out-of-band channel (phone call, in-person). NEVER send via email
#   (the attacker may still have access to the mailbox).
#
# Also lists authentication methods to help plan MFA re-registration.
# If the attacker registered their own MFA method, you must remove it
# before re-enabling the account.
Connect-MgGraph -Scopes "User.ReadWrite.All"

$compromisedUsers = @("j.smith@globex.com")

foreach ($user in $compromisedUsers) {
    # Generate a strong temporary password
    $tempPassword = -join ((65..90) + (97..122) + (48..57) + (33..38) |
        Get-Random -Count 24 | ForEach-Object { [char]$_ })

    $passwordProfile = @{
        Password                      = $tempPassword
        ForceChangePasswordNextSignIn = $true
    }

    Update-MgUser -UserId $user -PasswordProfile $passwordProfile
    Write-Host "Password reset for: $user (temp password generated)" -ForegroundColor Green

    # Force MFA re-registration
    # Remove existing MFA methods so the user must re-register
    $authMethods = Get-MgUserAuthenticationMethod -UserId $user
    Write-Host "  Authentication methods count: $($authMethods.Count)"
}

Reset the KRBTGT Account (If DC Was Compromised)

# ERADICATION: Reset KRBTGT password (run on domain controller)
# MITRE ATT&CK: T1558.001 (Golden Ticket defense)
# Purpose: The KRBTGT account is used to encrypt all Kerberos tickets in AD.
#   If the attacker stole the KRBTGT hash, they can forge Golden Tickets
#   granting unrestricted access to any resource in the domain.
#
# CRITICAL: Reset KRBTGT TWICE with a 10+ hour gap between resets.
#   - First reset: invalidates tickets issued with the current hash
#   - Wait 10+ hours: allows maximum ticket lifetime (10h default) to expire
#   - Second reset: invalidates tickets forged with the first new hash
# Without the second reset, attackers who captured the new hash during
# the first reset window can still forge valid tickets.
#
# WARNING: Monitor domain authentication closely after reset.
#   Some services using cached Kerberos tickets may experience brief disruptions.
# First reset:
Set-ADAccountPassword -Identity krbtgt -Reset `
    -NewPassword (ConvertTo-SecureString -AsPlainText (
        -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 32 |
        ForEach-Object { [char]$_ })
    ) -Force)
Write-Host "KRBTGT password reset #1 complete. Wait 10+ hours before second reset." -ForegroundColor Yellow

# After 10+ hours, run the second reset to fully invalidate old tickets

Re-enable Accounts and Release Devices

# RECOVERY: Re-enable user accounts after credential reset is confirmed
# Purpose: Once new passwords are set and MFA re-registration is required,
#   re-enable the accounts so users can log in with fresh credentials.
# Expected output: "Re-enabled account: j.smith@globex.com"
#
# IMPORTANT: Communicate the temporary password via a SECURE out-of-band channel:
#   - Phone call (verify user identity first)
#   - In-person delivery
#   - Encrypted messaging app
#   NEVER send credentials via email – the attacker may still have
#   inbox access via forwarding rules or OAuth app consents.
foreach ($user in $compromisedUsers) {
    Update-MgUser -UserId $user -AccountEnabled:$true
    Write-Host "Re-enabled account: $user" -ForegroundColor Green
}

# Communicate temporary password to user via secure out-of-band channel
# (phone call, in-person, encrypted message. NEVER via email)

Release isolated devices: go to the Device page → ⋯ → Release from isolation
Monitor the device for 24–48 hours after release to confirm no recurrence
Check that the scheduled task does not reappear and that no new suspicious processes launch

Post-Eradication Verification Query

// POST-ERADICATION VERIFICATION: Monitor for persistence re-creation
// Purpose: After removing all malware and persistence mechanisms, run this
//   query to verify nothing reappears. Schedule this as a daily check for
//   24-48 hours after eradication is complete.
//
// What to watch for:
//   ScheduledTaskCreated  – new scheduled tasks (attacker's persistence returning)
//   ScheduledTaskUpdated  – modification of existing tasks (hiding in legitimate tasks)
//   RegistryValueSet      – autorun registry keys (Run, RunOnce, Services)
//   ServiceInstalled      – new Windows services (common persistence method)
//
// The Detail column extracts the specific artifact name from AdditionalFields JSON.
// If ANY results appear after eradication, the threat was NOT fully removed –
//   re-investigate immediately and look for secondary backdoors.
// Empty results = successful eradication confirmed.
DeviceEvents
| where Timestamp > ago(24h)
| where DeviceName =~ "WS-FINANCE-01"
| where ActionType in ("ScheduledTaskCreated", "ScheduledTaskUpdated",
                         "RegistryValueSet", "ServiceInstalled")
| project Timestamp, DeviceName, ActionType,
          AdditionalFields = parse_json(AdditionalFields)
| extend Detail = case(
    ActionType == "ScheduledTaskCreated", tostring(AdditionalFields.TaskName),
    ActionType == "RegistryValueSet", tostring(AdditionalFields.RegistryValueName),
    ActionType == "ServiceInstalled", tostring(AdditionalFields.ServiceName),
    "N/A"
  )

💡 Pro Tip: Create a custom detection rule (from Lab 3) that watches for the specific IoCs from this incident: the malicious file hashes, C2 domains, and scheduled task names. This “sentinel rule” will catch any recurrence of this specific threat and alert you immediately if the attacker attempts to re-establish their foothold.

Step 10 · Post-Incident Review

The incident is contained and eradicated, but the work is not done. A thorough post-incident review (PIR) documents what happened, identifies gaps in detection and response, and drives improvements. This step produces the deliverables that transform a painful incident into a learning opportunity.

Generate the Incident Report

On the incident page, click Export incident to download a summary PDF
Supplement the export with your investigation notes, timeline spreadsheet, and KQL query results
Structure your report with these sections:
- Executive Summary: One-paragraph description of what happened, impact, and resolution
- Timeline: Chronological reconstruction of the attack with timestamps
- Scope of Impact: Affected users, devices, mailboxes, data, and applications
- Root Cause Analysis: How the attack succeeded (e.g., macro execution enabled, weak email filtering)
- Containment & Eradication Actions: What was done, when, and by whom
- Recommendations: Specific, actionable improvements

MITRE ATT&CK Mapping Summary

Generate a comprehensive mapping of all observed techniques to include in the report:

// Comprehensive MITRE ATT&CK mapping for the incident
AlertInfo
| where Timestamp > ago(7d)
| where AttackTechniques != ""
| extend Techniques = parse_json(AttackTechniques)
| mv-expand Technique = Techniques
| extend TechniqueStr = tostring(Technique)
| summarize
    AlertCount = count(),
    AlertTitles = make_set(Title),
    Severities = make_set(Severity),
    DetectionSources = make_set(DetectionSource),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
  by TechniqueStr
| sort by FirstSeen asc

Identify Detection Gaps

Compare the MITRE ATT&CK techniques you observed against the techniques you had alerts for: any technique without an alert is a detection gap
Check: Was the initial phishing email detected before delivery? If not, your email policy needs tightening
Check: How long after execution did the endpoint alert fire? Delays indicate sensor or rule configuration issues
Check: Did MDI detect the LSASS access immediately? MDI sensor health and configuration should be reviewed
Check: Was the cloud app exfiltration detected by MDA policies? If not, create anomaly detection policies for bulk downloads and external sharing

Lessons Learned & Recommendations

Disable Office macros for users who do not require them: use ASR rules (Block all Office applications from creating child processes)
Enable credential guard on all Windows endpoints to prevent LSASS credential dumping
Implement Conditional Access policies requiring MFA for all users, blocking legacy authentication, and enforcing compliant device requirements
Tighten email filtering: enable Safe Attachments with dynamic delivery, configure anti-phishing policies with mailbox intelligence
Deploy network segmentation to limit lateral movement from user workstations to domain controllers and file servers
Create custom detection rules for the specific IoCs and TTPs observed in this incident (file hashes, C2 domains, scheduled task names)
Conduct user awareness training focused on recognizing spear-phishing emails that impersonate vendors
Establish an IR playbook for APT-class incidents with predefined containment procedures, communication templates, and escalation paths

Rule Improvements: Create Proactive Detections

Based on lessons learned, create a custom detection rule to catch this attack pattern in the future:

// Custom detection: Office app spawning PowerShell with download cradle
DeviceProcessEvents
| where Timestamp > ago(1h)
| where InitiatingProcessFileName in~ ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                        "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any (
    "DownloadString", "DownloadFile", "Invoke-WebRequest",
    "IEX", "Invoke-Expression", "Net.WebClient",
    "-EncodedCommand", "-enc ", "FromBase64String",
    "Start-BitsTransfer", "certutil"
  )
| project Timestamp, DeviceName, AccountName, FileName,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, SHA256
// Entity mapping for custom detection rule:
// DeviceName → Device, AccountName → User, SHA256 → File

Close the Incident

Return to the incident page and click Manage incident
Set Status to Resolved
Set Classification to True positive: Threat
Set Determination to the appropriate value (e.g., Multi-stage attack or Phishing)
Add a final Comment summarizing the resolution: accounts reset, devices cleaned, indicators blocked, report filed
Click Save

💡 Pro Tip: Schedule a formal post-incident review meeting within 5 business days of incident closure. Include representatives from SOC, IT operations, identity management, email administration, and business leadership. Use the MITRE ATT&CK mapping as the agenda framework: walk through each tactic and discuss what worked, what failed, and what will be improved.

Summary

What You Accomplished

Mapped a multi-stage APT attack to MITRE ATT&CK tactics spanning Initial Access through Exfiltration
Triaged and assigned a high-severity incident in the Defender XDR incident queue
Reconstructed the complete attack timeline using the incident graph, alert story, and cross-workload KQL queries
Investigated the phishing email vector using Threat Explorer, email entity analysis, and attachment detonation results
Analyzed endpoint compromise through device timeline, process tree reconstruction, and persistence artifact detection
Detected identity compromise via LSASS access monitoring, sign-in anomaly analysis, and lateral movement tracking
Traced lateral movement across devices and identified cloud application data exfiltration
Executed containment actions: device isolation, user disablement, indicator blocking, session revocation, and email soft-deletion
Performed eradication: removed scheduled task persistence, cleaned malware files, reset all compromised credentials, and ran full AV scans
Completed a post-incident review with MITRE ATT&CK mapping, detection gap analysis, lessons learned, and proactive detection rule creation

Cost Notes

All investigation and response capabilities used in this lab are included in the Microsoft 365 E5 license
Advanced Hunting queries consume compute resources but have no per-query cost
Live Response sessions are included in Defender for Endpoint Plan 2
For extended data retention beyond 30 days, integrate with Microsoft Sentinel (Log Analytics ingestion costs apply)
Entra ID P2 features (Identity Protection risk detections) require Microsoft Entra ID P2 licensing

Cleanup Steps

Release isolated devices: Go to each device page → ⋯ → Release from isolation
Re-enable test accounts: Run Update-MgUser -UserId "user@domain.com" -AccountEnabled:$true
Remove test indicators: Go to Settings → Endpoints → Indicators and delete lab-specific entries
Restore soft-deleted emails: If using test mailboxes, recover emails from the Deleted Items or Recoverable Items folder
Delete test custom detection rules: Navigate to Hunting → Custom detection rules and remove any rules created during this lab
Remove incident tags: Remove IR-Active tags from resolved test incidents

Next Steps

Practice this workflow with the Microsoft Defender XDR attack simulation tutorials
Build an automated IR playbook using Microsoft Sentinel Logic Apps for common containment actions
Implement Attack Surface Reduction (ASR) rules to prevent the initial execution vector (Office macro child processes)
Deploy Microsoft Defender for Cloud to extend XDR coverage to your Azure and multi-cloud workloads
Explore all hands-on labs to continue building your Microsoft security skills

Resource	Description
Incidents overview: Microsoft Defender XDR	How incidents are created, correlated, and prioritized in XDR
Investigate incidents in Microsoft Defender XDR	Step-by-step guide to investigating and analyzing XDR incidents
Respond to your first incident in Microsoft Defender XDR	Walkthrough for responding to your first security incident
Advanced hunting overview: Microsoft Defender XDR	Proactively search for threats using KQL across workloads
Take response actions on a device: Microsoft Defender for Endpoint	Isolate, scan, and remediate devices through Defender for Endpoint
Threat Explorer and Real-time detections: Microsoft Defender for Office 365	Investigate email threats using Explorer and real-time detection tools
Credential access and lateral movement alerts: Microsoft Defender for Identity	Detect credential theft and lateral movement with Defender for Identity
Investigate activities: Microsoft Defender for Cloud Apps	Review and investigate user and app activities in Cloud Apps