Hunting Playbook: Ransomware in Microsoft Defender XDR.
The first alert was not encryption.
It was a strange process, a suspicious command line, a failed login, a new service, a file rename pattern, or a device talking to something it should not have trusted.
By the time files are being encrypted, the investigation is already late.
Agent Foskett knew ransomware hunting was not about waiting for the ransom note. It was about following the evidence across identity, endpoint, process, network and file telemetry before the attack reached full impact.
Lesson overview
Learn how to investigate ransomware by correlating Microsoft Defender XDR endpoint, identity, file, process, network and alert telemetry into a clear incident timeline.
Why ransomware hunting matters
The ransomware hunting workflow
Step 1 — Find suspicious ransomware-related process activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
let TimeFrame = 7d;
let SuspiciousTools = dynamic(["powershell.exe", "cmd.exe", "wmic.exe", "psexec.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "vssadmin.exe", "bcdedit.exe", "wevtutil.exe"]);
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ (SuspiciousTools)
| project Timestamp,
DeviceName,
AccountName,
FileName,
ProcessCommandLine,
InitiatingProcessFileName
| order by Timestamp descStep 2 — Hunt for shadow copy and recovery tampering
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
let TimeFrame = 14d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ProcessCommandLine has_any ("vssadmin", "delete shadows", "bcdedit", "recoveryenabled", "wbadmin", "wevtutil", "clear-log")
| project Timestamp,
DeviceName,
AccountName,
FileName,
ProcessCommandLine,
InitiatingProcessFileName
| order by Timestamp descStep 3 — Detect high-volume file modification activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
let TimeFrame = 24h;
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| summarize FileEvents = count(),
FileNames = make_set(FileName, 30),
Folders = make_set(FolderPath, 20),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by DeviceName,
InitiatingProcessFileName,
InitiatingProcessAccountName
| where FileEvents > 500
| order by FileEvents descStep 4 — Look for suspicious ransomware extensions
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
let TimeFrame = 7d;
let SuspiciousTerms = dynamic(["readme", "recover", "decrypt", "ransom", "restore", ".locked", ".encrypted", ".crypt"]);
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where FileName has_any (SuspiciousTerms) or FolderPath has_any (SuspiciousTerms)
| project Timestamp,
DeviceName,
FileName,
FolderPath,
ActionType,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by Timestamp descStep 5 — Correlate impacted devices with alerts
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
let TimeFrame = 7d;
let ImpactedDevices =
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| summarize FileEvents = count() by DeviceName
| where FileEvents > 500
| distinct DeviceName;
AlertEvidence
| where Timestamp > ago(TimeFrame)
| where DeviceName in~ (ImpactedDevices)
| project Timestamp,
AlertId,
DeviceName,
EntityType,
EvidenceRole,
AccountName,
FileName,
RemoteIP
| order by Timestamp descStep 6 — Build a ransomware investigation timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
let TimeFrame = 7d;
let DeviceToInvestigate = "DEVICE-01";
union
(
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where DeviceName =~ DeviceToInvestigate
| project Timestamp, DeviceName, EvidenceType="Process", Detail=ProcessCommandLine, AccountName
),
(
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where DeviceName =~ DeviceToInvestigate
| project Timestamp, DeviceName, EvidenceType="File", Detail=strcat(ActionType, " - ", FolderPath), AccountName=InitiatingProcessAccountName
),
(
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where DeviceName =~ DeviceToInvestigate
| project Timestamp, DeviceName, EvidenceType="Network", Detail=strcat(RemoteUrl, " ", RemoteIP), AccountName=InitiatingProcessAccountName
)
| order by Timestamp ascCommon ransomware investigation clues
False positives to consider
Investigation checklist
Related Agent Foskett Academy lessons
Coming next
Final thought
Hunting Playbook Ransomware in Microsoft Defender XDR
Agent Foskett Academy Lesson 110 teaches defenders how to investigate ransomware using Microsoft Defender XDR, endpoint telemetry, identity activity, process evidence, file activity, alert evidence and practical KQL hunting workflows.
Learn ransomware hunting with KQL and Microsoft Defender XDR
Ransomware investigations help Microsoft security analysts identify suspicious process execution, recovery tampering, encryption activity, lateral movement, affected devices and compromised accounts.
Microsoft Defender XDR ransomware investigation tutorial
This lesson explains how to hunt for ransomware activity using DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents, AlertEvidence, identity telemetry and repeatable Microsoft security investigation workflows.
