Agent Foskett Academy • Lesson 83 • Advanced Defender XDR Investigation

Investigating Ransomware Behaviour in Microsoft Defender XDR.

Files changed quickly.

Extensions looked wrong.

Then the ransom note appeared.

Agent Foskett moved fast.

Agent Foskett Academy lesson investigating ransomware behaviour in Microsoft Defender XDR
Lesson overview

Learn how to investigate ransomware behaviour by analysing rapid file changes, suspicious processes, ransom notes, network activity and containment evidence in Microsoft Defender XDR.

Start with DeviceFileEvents
Identify mass modification and renaming
Review process, network and ransom note evidence
Build the ransomware timeline

Why ransomware behaviour matters

Ransomware investigations are time-sensitive. The goal is to identify impact quickly, contain affected devices and preserve the timeline before more files are encrypted.
Files reveal impactDeviceFileEvents helps identify mass file modifications, renamed extensions, deleted originals and ransom notes created during the attack.
Processes reveal the sourceDeviceProcessEvents helps identify the process, account and command line responsible for file encryption or destructive activity.
Speed changes the responseRansomware behaviour can spread quickly, so evidence must support containment decisions, account review and enterprise-wide hunting.

The ransomware investigation workflow

Agent Foskett starts with file impact, then pivots into process execution, network activity and affected devices.
1. Are files changing quickly?Look for high-volume file modifications, renames or creations within a short window.
2. Which device is affected?Identify the device where suspicious file activity is concentrated.
3. Which account is involved?Review the account context tied to the file and process activity.
4. What process caused it?Find the initiating process that created, renamed or modified the files.
5. Were ransom notes created?Search for files that look like recovery instructions or ransom notes.
6. Did the process contact the network?Check whether the suspicious process made outbound or internal connections.
7. Did the behaviour spread?Hunt for the same process, hash, account or file pattern across other devices.
8. Can the timeline be proven?Place process, file, network and containment evidence into one sequence.

Step 1 — Find rapid file modification

Start with DeviceFileEvents and look for devices with unusually high file activity in a short period.
step-1-rapid-file-modification.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("FileCreated", "FileModified", "FileRenamed")
| summarize FileEvents=count(),
            UniqueFiles=dcount(FileName),
            FirstSeen=min(Timestamp),
            LastSeen=max(Timestamp)
  by DeviceName, InitiatingProcessAccountUpn, bin(Timestamp, 10m)
| where FileEvents > 100
| order by FileEvents desc

Step 2 — Identify suspicious file extensions

Ransomware often creates unusual extensions or renames many files with the same new pattern.
step-2-suspicious-file-extensions.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("FileCreated", "FileRenamed", "FileModified")
| extend Extension = tostring(split(FileName, ".")[-1])
| summarize Count=count(),
            Devices=dcount(DeviceName),
            SampleFiles=make_set(FileName, 10)
  by Extension, InitiatingProcessFileName
| where Count > 50
| order by Count desc

Step 3 — Search for ransom notes

Ransom notes are often created after encryption activity begins and can provide a clear impact marker in the timeline.
step-3-ransom-notes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName has_any ("readme", "recover", "decrypt", "restore", "ransom")
   or FolderPath has_any ("readme", "recover", "decrypt", "restore", "ransom")
| project Timestamp,
          DeviceName,
          InitiatingProcessAccountUpn,
          FileName,
          FolderPath,
          InitiatingProcessFileName,
          SHA256
| order by Timestamp asc

Step 4 — Find the process behind the file activity

Pivot from DeviceFileEvents into process context to identify what actually caused the file changes.
step-4-file-process-context.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("FileCreated", "FileModified", "FileRenamed")
| summarize FileEvents=count(), SampleFiles=make_set(FileName, 10)
  by DeviceName,
     InitiatingProcessAccountUpn,
     InitiatingProcessFileName,
     InitiatingProcessCommandLine,
     InitiatingProcessSHA256
| where FileEvents > 100
| order by FileEvents desc

Step 5 — Review suspicious process execution

Use DeviceProcessEvents to inspect the suspected ransomware process, parent process and command line.
step-5-ransomware-process-execution.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("vssadmin delete", "wbadmin delete", "bcdedit", "cipher /w", "shadowcopy")
   or FileName has_any ("cmd.exe", "powershell.exe", "wmic.exe")
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          InitiatingProcessFileName,
          ProcessCommandLine
| order by Timestamp asc

Step 6 — Correlate with network activity

Some ransomware activity includes command-and-control, payload staging, lateral movement or data exfiltration before encryption.
step-6-ransomware-network-correlation.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let SuspiciousProcesses =
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("FileCreated", "FileModified", "FileRenamed")
| summarize FileEvents=count() by DeviceName, InitiatingProcessFileName
| where FileEvents > 100;
DeviceNetworkEvents
| where Timestamp > ago(24h)
| join kind=inner SuspiciousProcesses on DeviceName
| where InitiatingProcessFileName == InitiatingProcessFileName1
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp asc

How to read the evidence

A ransomware investigation should explain what changed, what caused it, where it spread and what was contained.
Volume mattersA single file change is normal. Hundreds or thousands of changes in minutes can indicate encryption or destructive behaviour.
Process context mattersThe initiating process, parent process, account and command line help explain whether the activity was expected or malicious.
Ransom notes matterRecovery instructions, decrypt files and ransom notes often mark the point where impact becomes visible.
Containment mattersThe timeline should support decisions to isolate devices, disable accounts and hunt for the same indicators elsewhere.

Real-world investigation

Agent Foskett receives an alert for unusual file modification activity on a shared workstation.
The first signalDeviceFileEvents shows hundreds of documents renamed within ten minutes on one device.
The patternMany files now share the same unfamiliar extension, and several folders contain recovery instructions.
The processThe initiating process is not a normal business application and was launched by a compromised user account.
The network clueDeviceNetworkEvents shows the same process contacting an unfamiliar external IP before encryption activity increased.
The spread checkThe same account appears on another device shortly after the first file changes.
The conclusionThe investigation confirms ransomware-style behaviour and requires containment, account reset, device isolation and IOC hunting.

Investigation checklist

Use this checklist when reviewing suspected ransomware behaviour in Microsoft Defender XDR.
File volume checkedConfirm whether file creations, modifications or renames increased sharply.
Affected devices identifiedList the devices, folders and users involved in the suspicious activity.
Ransom notes reviewedSearch for recovery instructions, decrypt files or ransom-note style filenames.
Process source confirmedIdentify the initiating process, command line, hash and parent process.
Network activity correlatedCheck whether the suspicious process contacted external or internal systems.
Spread investigatedHunt for matching accounts, hashes, filenames and extensions across other devices.
Containment documentedRecord device isolation, account actions and remediation steps in the incident timeline.

Related Agent Foskett Academy lessons

DeviceFileEvents InvestigationsReview files created, modified, renamed or downloaded during suspicious endpoint activity.
DeviceProcessEvents InvestigationsAnalyse process execution, command lines and parent-child process relationships.
DeviceNetworkEvents InvestigationsInvestigate outbound and internal network connections from Defender endpoint telemetry.
Investigating PowerShell AttacksReview encoded commands, suspicious scripts and execution behaviour before larger impact.
Investigating Lateral MovementFollow attackers as they move between devices using valid credentials and remote access.
Building a Complete Phishing InvestigationSee how email activity can lead into endpoint execution and follow-on investigation.
Microsoft Defender KQL Threat Hunting GuideUse the broader GEMXIT Defender KQL guide for hunting across email, identity and endpoint data.

Coming next

Lesson 84 moves into legitimate Windows binaries abused by attackers.
Lesson 84 — Investigating Living Off The Land (LOLBins)Next, Agent Foskett investigates trusted Windows binaries used for suspicious execution, downloads, proxy execution and attacker tradecraft.
Why this mattersRansomware and post-compromise activity often involve tools already present on Windows devices. Lesson 84 follows those trusted binaries into the evidence.

Final thought

Ransomware is not just a file problem. It is a timeline problem.
Agent Foskett mindsetDo not stop at encrypted files. Find the process, account, command line, network activity and spread path.
The file changes told the storyWhen the evidence is placed in order, defenders can explain impact, containment and recovery decisions clearly.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating Ransomware Behaviour in Microsoft Defender XDR

Agent Foskett Academy Lesson 83 teaches defenders how to investigate ransomware behaviour in Microsoft Defender XDR.

Defender XDR ransomware behaviour investigation workflow

This lesson explains how DeviceFileEvents, DeviceProcessEvents, DeviceNetworkEvents, file renames, mass modifications, ransom notes, initiating processes, command lines, RemoteUrl, RemoteIP and file hashes help defenders reconstruct ransomware-style endpoint activity.