Investigating Ransomware Behaviour in Microsoft Defender XDR.
Files changed quickly.
Extensions looked wrong.
Then the ransom note appeared.
Agent Foskett moved fast.
Lesson overview
Learn how to investigate ransomware behaviour by analysing rapid file changes, suspicious processes, ransom notes, network activity and containment evidence in Microsoft Defender XDR.
Why ransomware behaviour matters
The ransomware investigation workflow
Step 1 — Find rapid file modification
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("FileCreated", "FileModified", "FileRenamed")
| summarize FileEvents=count(),
UniqueFiles=dcount(FileName),
FirstSeen=min(Timestamp),
LastSeen=max(Timestamp)
by DeviceName, InitiatingProcessAccountUpn, bin(Timestamp, 10m)
| where FileEvents > 100
| order by FileEvents desc
Step 2 — Identify suspicious file extensions
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("FileCreated", "FileRenamed", "FileModified")
| extend Extension = tostring(split(FileName, ".")[-1])
| summarize Count=count(),
Devices=dcount(DeviceName),
SampleFiles=make_set(FileName, 10)
by Extension, InitiatingProcessFileName
| where Count > 50
| order by Count desc
Step 3 — Search for ransom notes
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName has_any ("readme", "recover", "decrypt", "restore", "ransom")
or FolderPath has_any ("readme", "recover", "decrypt", "restore", "ransom")
| project Timestamp,
DeviceName,
InitiatingProcessAccountUpn,
FileName,
FolderPath,
InitiatingProcessFileName,
SHA256
| order by Timestamp asc
Step 4 — Find the process behind the file activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("FileCreated", "FileModified", "FileRenamed")
| summarize FileEvents=count(), SampleFiles=make_set(FileName, 10)
by DeviceName,
InitiatingProcessAccountUpn,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessSHA256
| where FileEvents > 100
| order by FileEvents desc
Step 5 — Review suspicious process execution
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("vssadmin delete", "wbadmin delete", "bcdedit", "cipher /w", "shadowcopy")
or FileName has_any ("cmd.exe", "powershell.exe", "wmic.exe")
| project Timestamp,
DeviceName,
AccountName,
FileName,
InitiatingProcessFileName,
ProcessCommandLine
| order by Timestamp asc
Step 6 — Correlate with network activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
let SuspiciousProcesses =
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("FileCreated", "FileModified", "FileRenamed")
| summarize FileEvents=count() by DeviceName, InitiatingProcessFileName
| where FileEvents > 100;
DeviceNetworkEvents
| where Timestamp > ago(24h)
| join kind=inner SuspiciousProcesses on DeviceName
| where InitiatingProcessFileName == InitiatingProcessFileName1
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp asc
How to read the evidence
Real-world investigation
Investigation checklist
Related Agent Foskett Academy lessons
Coming next
Final thought
Investigating Ransomware Behaviour in Microsoft Defender XDR
Agent Foskett Academy Lesson 83 teaches defenders how to investigate ransomware behaviour in Microsoft Defender XDR.
Defender XDR ransomware behaviour investigation workflow
This lesson explains how DeviceFileEvents, DeviceProcessEvents, DeviceNetworkEvents, file renames, mass modifications, ransom notes, initiating processes, command lines, RemoteUrl, RemoteIP and file hashes help defenders reconstruct ransomware-style endpoint activity.
