Incident Response Workflow: Malware Infection in Microsoft Defender XDR.
The alert fired just after 9:00 AM.
Microsoft Defender had quarantined a suspicious file, and the user said the computer had been running slowly all morning.
But Agent Foskett knew the malware name was only one clue.
The real investigation was to find how the malware arrived, what it executed, whether persistence was created, what it contacted, and whether the infection had spread beyond the first device.
Lesson overview
Learn how to investigate a malware infection by correlating Microsoft Defender XDR endpoint, process, file, network, alert and identity telemetry into a complete incident response workflow.
Why malware investigations matter
The malware infection response workflow
Step 1 — Locate malware-related alerts
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
let TimeFrame = 7d;
AlertInfo
| where Timestamp > ago(TimeFrame)
| where Title has_any ("malware", "trojan", "ransom", "virus", "suspicious", "backdoor")
| project Timestamp,
AlertId,
Title,
Severity,
Category,
ServiceSource,
DetectionSource
| order by Timestamp descStep 2 — Review alert evidence
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
let TimeFrame = 7d;
AlertEvidence
| where Timestamp > ago(TimeFrame)
| where EntityType in~ ("Machine", "File", "Process", "User", "Ip")
| project Timestamp,
AlertId,
EntityType,
EvidenceRole,
DeviceName,
AccountName,
FileName,
SHA256,
ProcessCommandLine,
RemoteIP
| order by Timestamp descStep 3 — Investigate suspicious process execution
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
let TimeFrame = 7d;
let DeviceToInvestigate = "DEVICE01";
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where DeviceName =~ DeviceToInvestigate
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
or ProcessCommandLine has_any ("-enc", "downloadstring", "invoke-webrequest", "frombase64string", "http", "temp")
| project Timestamp,
DeviceName,
AccountName,
InitiatingProcessFileName,
FileName,
ProcessCommandLine
| order by Timestamp ascStep 4 — Review file creation and modification
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
let TimeFrame = 7d;
let DeviceToInvestigate = "DEVICE01";
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where DeviceName =~ DeviceToInvestigate
| where FolderPath has_any ("\Downloads\", "\Temp\", "\AppData\", "\ProgramData\", "\Startup\")
or FileName endswith ".exe"
or FileName endswith ".dll"
or FileName endswith ".ps1"
or FileName endswith ".js"
or FileName endswith ".vbs"
| project Timestamp,
DeviceName,
ActionType,
FileName,
FolderPath,
SHA256,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by Timestamp ascStep 5 — Analyse network activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
let TimeFrame = 7d;
let DeviceToInvestigate = "DEVICE01";
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where DeviceName =~ DeviceToInvestigate
| where isnotempty(RemoteUrl) or isnotempty(RemoteIP)
| project Timestamp,
DeviceName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
RemoteUrl,
RemoteIP,
RemotePort,
ActionType
| order by Timestamp ascStep 6 — Hunt for persistence indicators
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
let TimeFrame = 7d;
let DeviceToInvestigate = "DEVICE01";
DeviceRegistryEvents
| where Timestamp > ago(TimeFrame)
| where DeviceName =~ DeviceToInvestigate
| where RegistryKey has_any ("Run", "RunOnce", "Winlogon", "Services", "Explorer\StartupApproved")
or RegistryValueData has_any ("powershell", "cmd.exe", "wscript", "mshta", "rundll32")
| project Timestamp,
DeviceName,
ActionType,
RegistryKey,
RegistryValueName,
RegistryValueData,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by Timestamp ascStep 7 — Build the malware incident timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
let TimeFrame = 7d;
let DeviceToInvestigate = "DEVICE01";
let Processes =
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where DeviceName =~ DeviceToInvestigate
| project Timestamp, EventType="Process", DeviceName, Evidence=FileName, Detail=ProcessCommandLine;
let Files =
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where DeviceName =~ DeviceToInvestigate
| project Timestamp, EventType="File", DeviceName, Evidence=FileName, Detail=FolderPath;
let Network =
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where DeviceName =~ DeviceToInvestigate
| project Timestamp, EventType="Network", DeviceName, Evidence=RemoteUrl, Detail=strcat(RemoteIP, ":", RemotePort);
union Processes, Files, Network
| order by Timestamp ascMalware investigation clues
False positives to consider
Investigation checklist
Related Agent Foskett Academy lessons
Coming next
Final thought
Incident Response Workflow Malware Infection in Microsoft Defender XDR
Agent Foskett Academy Lesson 114 teaches defenders how to investigate malware infections using Microsoft Defender XDR endpoint telemetry, process events, file activity, network connections, alert evidence and KQL hunting workflows.
Learn malware infection response with Microsoft Defender XDR and KQL
Malware infection investigations help Microsoft security analysts identify initial compromise, suspicious execution, dropped files, command-and-control traffic, persistence mechanisms and lateral movement.
Microsoft Defender XDR malware investigation tutorial
This lesson explains how to investigate malware alerts, affected devices, malicious files, suspicious process trees, endpoint telemetry and remediation steps using practical Microsoft security investigation workflows.
