Agent Foskett Academy • Lesson 110 • Hunting Playbook Series

Hunting Playbook: Ransomware in Microsoft Defender XDR.

The first alert was not encryption.

It was a strange process, a suspicious command line, a failed login, a new service, a file rename pattern, or a device talking to something it should not have trusted.

By the time files are being encrypted, the investigation is already late.

Agent Foskett knew ransomware hunting was not about waiting for the ransom note. It was about following the evidence across identity, endpoint, process, network and file telemetry before the attack reached full impact.

Agent Foskett Academy lesson hunting ransomware in Microsoft Defender XDR
Lesson overview

Learn how to investigate ransomware by correlating Microsoft Defender XDR endpoint, identity, file, process, network and alert telemetry into a clear incident timeline.

Identify suspicious process execution
Detect file encryption patterns
Correlate identity and lateral movement
Scope affected users and devices

Why ransomware hunting matters

Ransomware is rarely a single event. It is usually the final stage of an intrusion that has already included access, discovery, privilege escalation, lateral movement and preparation.
Encryption is the late signalBy the time mass file changes are visible, attackers may already have stolen credentials, moved laterally and prepared payloads across multiple systems.
Ransomware leaves many cluesPowerShell, LOLBins, suspicious services, file writes, network connections, failed logons and alerts can all appear before encryption begins.
Scoping is criticalDefenders need to identify patient zero, affected devices, impacted users, lateral movement paths and whether data exposure occurred before encryption.

The ransomware hunting workflow

Agent Foskett investigates ransomware as a timeline, not as a single malware detection.
1. Start with the first signalBegin with the earliest alert, suspicious process, file activity spike, endpoint detection or user report.
2. Identify patient zeroFind the first affected device, first suspicious command, first encryption event or first attacker-controlled account.
3. Review process executionLook for PowerShell, LOLBins, scripts, remote execution tools, suspicious installers and unusual parent-child process chains.
4. Analyse file activityReview file creation, modification, rename and deletion activity for encryption-like patterns and unusual volume.
5. Correlate identity activityCheck suspicious logons, privilege escalation, administrator use, service accounts and lateral movement attempts.
6. Scope and containIdentify affected devices, isolate systems, revoke compromised sessions, reset credentials and preserve evidence for recovery.

Step 1 — Find suspicious ransomware-related process activity

Start by searching for commonly abused tools and suspicious process names that may appear during ransomware staging.
step-1-suspicious-process-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let TimeFrame = 7d;
let SuspiciousTools = dynamic(["powershell.exe", "cmd.exe", "wmic.exe", "psexec.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "vssadmin.exe", "bcdedit.exe", "wevtutil.exe"]);
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ (SuspiciousTools)
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName
| order by Timestamp desc

Step 2 — Hunt for shadow copy and recovery tampering

Many ransomware attacks attempt to weaken recovery by deleting shadow copies, changing boot recovery settings or clearing logs.
step-2-recovery-tampering.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
let TimeFrame = 14d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ProcessCommandLine has_any ("vssadmin", "delete shadows", "bcdedit", "recoveryenabled", "wbadmin", "wevtutil", "clear-log")
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName
| order by Timestamp desc

Step 3 — Detect high-volume file modification activity

Encryption often creates large volumes of file modifications, renames or writes within a short period.
step-3-high-volume-file-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let TimeFrame = 24h;
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| summarize FileEvents = count(),
            FileNames = make_set(FileName, 30),
            Folders = make_set(FolderPath, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
      by DeviceName,
         InitiatingProcessFileName,
         InitiatingProcessAccountName
| where FileEvents > 500
| order by FileEvents desc

Step 4 — Look for suspicious ransomware extensions

Some ransomware families create predictable file extensions or ransom-note filenames. Use this query as a starting point and adapt it during each case.
step-4-suspicious-file-extensions.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let TimeFrame = 7d;
let SuspiciousTerms = dynamic(["readme", "recover", "decrypt", "ransom", "restore", ".locked", ".encrypted", ".crypt"]);
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where FileName has_any (SuspiciousTerms) or FolderPath has_any (SuspiciousTerms)
| project Timestamp,
          DeviceName,
          FileName,
          FolderPath,
          ActionType,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc

Step 5 — Correlate impacted devices with alerts

After identifying suspicious devices, pivot into AlertEvidence to understand what Defender already knows about the incident.
step-5-correlate-impacted-devices-with-alerts.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
let TimeFrame = 7d;
let ImpactedDevices =
    DeviceFileEvents
    | where Timestamp > ago(TimeFrame)
    | summarize FileEvents = count() by DeviceName
    | where FileEvents > 500
    | distinct DeviceName;
AlertEvidence
| where Timestamp > ago(TimeFrame)
| where DeviceName in~ (ImpactedDevices)
| project Timestamp,
          AlertId,
          DeviceName,
          EntityType,
          EvidenceRole,
          AccountName,
          FileName,
          RemoteIP
| order by Timestamp desc

Step 6 — Build a ransomware investigation timeline

A timeline helps responders understand initial execution, staging, encryption and containment points.
step-6-ransomware-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
let TimeFrame = 7d;
let DeviceToInvestigate = "DEVICE-01";
union
(
    DeviceProcessEvents
    | where Timestamp > ago(TimeFrame)
    | where DeviceName =~ DeviceToInvestigate
    | project Timestamp, DeviceName, EvidenceType="Process", Detail=ProcessCommandLine, AccountName
),
(
    DeviceFileEvents
    | where Timestamp > ago(TimeFrame)
    | where DeviceName =~ DeviceToInvestigate
    | project Timestamp, DeviceName, EvidenceType="File", Detail=strcat(ActionType, " - ", FolderPath), AccountName=InitiatingProcessAccountName
),
(
    DeviceNetworkEvents
    | where Timestamp > ago(TimeFrame)
    | where DeviceName =~ DeviceToInvestigate
    | project Timestamp, DeviceName, EvidenceType="Network", Detail=strcat(RemoteUrl, " ", RemoteIP), AccountName=InitiatingProcessAccountName
)
| order by Timestamp asc

Common ransomware investigation clues

Ransomware investigations usually become clearer when several weak signals appear together.
Recovery tamperingCommands that delete shadow copies, modify recovery settings or clear logs often appear before or during ransomware execution.
High file modification volumeA sudden spike in file writes, renames or changes from one process can indicate encryption activity.
Suspicious parent processesOffice apps, browsers, scripts or remote management tools launching shells or LOLBins should be reviewed carefully.
Lateral movement attemptsAuthentication activity across many devices can indicate the attacker is spreading before encryption.
Ransom notes or extensionsNew files containing recovery instructions, unusual extensions or repeated naming patterns can help identify impact.
Defender alert correlationAlertInfo and AlertEvidence help connect process, file, account and device evidence into a single case.

False positives to consider

High file activity and administrative tooling are not always malicious. Validate context before declaring ransomware.
Backup softwareBackup, sync and archive tools can create large volumes of file reads, writes and modifications.
Software deploymentPatch management and application deployment systems may run scripts, services and command-line utilities at scale.
File migrationsPlanned migrations, document management changes and bulk renames can resemble abnormal file activity.
Administration toolsAdministrators may legitimately use PowerShell, PsExec, WMI or other tools during maintenance.
Security productsEDR, AV and DLP tools can inspect or modify many files during scans and remediation.
User automationMacros, scripts and line-of-business automation may create unusual but legitimate process and file patterns.

Investigation checklist

Use this checklist before closing or escalating a ransomware investigation.
What was patient zero?Identify the first device, user, process or alert that started the chain of suspicious activity.
Was recovery tampered with?Check for shadow copy deletion, boot recovery changes, log clearing and backup interference.
Which devices were affected?Summarise impacted endpoints, file activity volume and first/last observed activity.
Which accounts were used?Review local admins, domain admins, service accounts and unusual identity activity around execution.
Was data accessed or exfiltrated?Review suspicious network activity, cloud activity and file access before encryption.
Has containment occurred?Isolate affected devices, revoke sessions, reset credentials and preserve evidence before recovery begins.

Related Agent Foskett Academy lessons

These lessons support ransomware investigations across identity, endpoint and hunting workflows.
Hunting Playbook: PowerShell AbuseInvestigate suspicious PowerShell execution and encoded commands before ransomware impact.
Hunting Playbook: LOLBinsIdentify trusted Windows tools being abused for execution, discovery and lateral movement.
Hunting Playbook: Persistence MechanismsDetect scheduled tasks, services, registry run keys and persistence techniques.
Investigating DeviceProcessEventsUnderstand process telemetry used during ransomware execution analysis.
Investigating DeviceFileEventsReview file activity, renames, writes and encryption-style changes.
Building Reusable Hunting QueriesTurn ransomware investigation logic into repeatable Defender XDR hunts.

Coming next

The first Hunting Playbook series is now complete.
Lessons 101 to 110 completeThe first Agent Foskett Hunting Playbook block now covers impossible travel, credential theft, inbox rules, OAuth abuse, PowerShell, LOLBins, persistence, risky sign-ins, insider threats and ransomware.
What comes nextFuture lessons can expand into Microsoft Sentinel, Defender for Identity, Defender for Cloud Apps, exposure management and advanced incident response workflows.

Final thought

Ransomware investigations are won by finding the story before the ransom note becomes the first clue.
Agent Foskett mindsetDo not wait for encryption to prove ransomware. Follow the process, file, identity and network evidence from the earliest suspicious activity.
Hunting Playbook SeriesLesson 110 brings together the skills from the first Hunting Playbook series into a capstone ransomware investigation workflow.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Hunting Playbook Ransomware in Microsoft Defender XDR

Agent Foskett Academy Lesson 110 teaches defenders how to investigate ransomware using Microsoft Defender XDR, endpoint telemetry, identity activity, process evidence, file activity, alert evidence and practical KQL hunting workflows.

Learn ransomware hunting with KQL and Microsoft Defender XDR

Ransomware investigations help Microsoft security analysts identify suspicious process execution, recovery tampering, encryption activity, lateral movement, affected devices and compromised accounts.

Microsoft Defender XDR ransomware investigation tutorial

This lesson explains how to hunt for ransomware activity using DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents, AlertEvidence, identity telemetry and repeatable Microsoft security investigation workflows.