In this lab, I simulate and detect a Remote Code Execution (RCE) scenario using Microsoft Defender for Endpoint (MDE).
I executed a PowerShell-based script to download and install an application, then used Advanced Hunting (KQL) to identify the activity and build a custom detection rule.
🔎 What I Covered:
Simulating RCE using PowerShell and command execution
Analyzing logs in MDE using KQL
Investigating activity across key tables
Creating a custom detection rule for suspicious behavior
Triggering an automated response (VM isolation)
Reviewing the full attack timeline in MDE
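The steps above describe hunting for the simulated download in Advanced Hunting and turning that hunt into a custom detection rule. The query below is an added example written for this summary; it is not the lab's own query. It assumes the simulated activity launched PowerShell with a download-style command line and that the tenant keeps 30 days of data; the pattern list, the join on process id, and the column names from DeviceProcessEvents and DeviceNetworkEvents are the standard MDE schema, everything else is an assumption you should adjust.

```kql
// Added example (not the lab's query): hunt for PowerShell processes that download
// content, the behaviour simulated in the lab, and enrich them with the outbound
// connection they made. The 30-day window and the pattern list are assumptions.
let lookback = 30d;
let download_patterns = dynamic(["Invoke-WebRequest", "DownloadFile", "DownloadString",
                                 "Invoke-Expression", "iwr", "iex", "curl", "wget"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (download_patterns)
// Encoded or hidden-window invocations deserve a higher severity; flag them explicitly
| extend IsEncoded = ProcessCommandLine contains "-enc" or ProcessCommandLine contains "-ec ",
         IsHidden  = ProcessCommandLine contains "hidden"
// Attach any network connection initiated by the same PowerShell process
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
    | project DeviceId, InitiatingProcessId, RemoteUrl, RemoteIP, RemotePort
  ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
// Timestamp, DeviceId and ReportId must be in the output for the query
// to be saved as a custom detection rule
| project Timestamp, DeviceId, ReportId, DeviceName, AccountName,
          InitiatingProcessFileName, FileName, ProcessCommandLine,
          IsEncoded, IsHidden, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
```

To go from hunt to detection, save the query as a custom detection rule and pick "Isolate device" under the rule's response actions; that is the automated isolation step the lab triggers. Two caveats a practitioner would check before enabling it: the join on ProcessId can pair the wrong rows if a process id was reused inside the window, so narrow the window or add a time bound on the join, and the pattern list will also match legitimate admin scripts, so review the hits over a few days and add exclusions for known tooling before letting the rule isolate machines.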
🧠 Key Learning:
This lab demonstrates how security teams:
Detect suspicious PowerShell activity
Identify potential remote code execution behavior
Create detection rules for real-world threats
Automate incident response actions
Investigate attack timelines end-to-end
This exercise helped me build practical skills in:
Threat Hunting
Detection Engineering
Endpoint Security (MDE)
KQL & Log Analysis
Security Operations (SOC workflows)
02. Detecting Remote Code Execution with Microsoft Defender | KQL & Automated Response Lab | NatokHD