Threat Hunting with Microsoft Defender XDR: Reconstructing a Ransomware Intrusion

Table of Contents
- Reconstructing a Ransomware Attack Using Microsoft Defender and KQL
- Introduction
- Attack Overview
- Key Investigation Findings
  - Reconnaissance
  - Credential Discovery
  - Command and Control
  - Data Staging
  - Ransomware Deployment
  - Defense Evasion
  - Evidence Cleanup
- Detection Opportunities
- Key Takeaways
- Conclusion
- Final Thoughts
- Download the Executive Summary Report
Reconstructing a Ransomware Attack Using Microsoft Defender and KQL
Introduction
In this investigation, I performed a threat hunt using Microsoft Defender telemetry to reconstruct a multi-stage ransomware attack. The goal was to understand attacker behavior across the full lifecycle - from reconnaissance to impact - and identify key detection opportunities along the way.
This exercise builds on my previous Tor Browser investigation and continues my focus on practical threat hunting using KQL (Kusto Query Language) and endpoint telemetry.
Attack Overview
The attack followed a typical ransomware playbook:
- Tool delivery using LOLBins
- Network reconnaissance
- Credential discovery
- Remote access establishment
- Data staging
- Ransomware deployment
- Backup destruction
- Evidence cleanup
The ransomware payload identified during the investigation was:
- Filename: updater.exe
- SHA256: e609d070ee9f76934d73353be4ef7ff34b3ecc3a2d1e5d052140ed4cb9e4752b
- Encryption activity began at: 22:18:33 UTC
Key Investigation Findings
Reconnaissance
The attacker used advanced_ip_scanner.exe to identify accessible systems on the network.
This is a common early-stage technique that often goes unnoticed.
Credential Discovery
The following command was used to identify the LSASS process:
tasklist | findstr lsass
This indicates preparation for potential credential access or dumping.
Command and Control
Persistence was established using AnyDesk.exe.
This allowed the attacker to maintain remote access and execute commands across the environment.
Data Staging
Prior to ransomware deployment, files were compressed.
This behavior is consistent with:
- pre-exfiltration staging
- preparation for encryption
Archive creation in suspicious directories is a strong detection signal.
Ransomware Deployment
The ransomware binary updater.exe was executed, marking the transition to the impact phase.
Defense Evasion
To prevent recovery, the attacker deleted shadow copies:
vssadmin delete shadows /all /quiet
This is one of the most reliable indicators of ransomware activity.
Evidence Cleanup
After execution, the attacker removed the ransomware binary.
This suggests an attempt to:
- reduce forensic artifacts
- evade detection
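The stages above are reconstructed here as a single ordered timeline, as an added example rather than one of the queries from the original post or its GitHub repository. It correlates DeviceProcessEvents, DeviceFileEvents and DeviceNetworkEvents for one host in the Defender XDR advanced hunting schema. The device name and the time window are placeholders, and the archive extensions used to spot the staging stage are an assumption (the post only says files were compressed); the file name, command lines and SHA256 hash are the ones reported above.

```kql
// Added example, not a query from the original post or its repository.
// Reconstructs the intrusion stages as one ordered timeline for a single device.
// Assumptions: TargetDevice and the window are placeholders; archive extensions are assumed.
let TargetDevice = "LAB-HOST-PLACEHOLDER";            // placeholder: the hunted host
let WindowStart = datetime(2025-01-01T00:00:00Z);     // placeholder: start of the hunt window
let WindowEnd = WindowStart + 24h;
let RansomHash = "e609d070ee9f76934d73353be4ef7ff34b3ecc3a2d1e5d052140ed4cb9e4752b"; // hash reported above
// Stages that surface as process creations
let ProcStages = DeviceProcessEvents
| where Timestamp between (WindowStart .. WindowEnd)
| where DeviceName =~ TargetDevice
| extend Stage = case(
    FileName =~ "advanced_ip_scanner.exe", "1 Reconnaissance",
    FileName in~ ("cmd.exe", "findstr.exe") and ProcessCommandLine has "lsass", "2 Credential discovery",
    FileName =~ "AnyDesk.exe", "3 Command and control",
    FileName =~ "updater.exe" or SHA256 =~ RansomHash, "5 Ransomware deployment",
    FileName =~ "vssadmin.exe" and ProcessCommandLine has_all ("delete", "shadows"), "6 Defense evasion",
    "")
| where isnotempty(Stage)
| project Timestamp, DeviceName, Stage,
          Evidence = strcat(FileName, " | ", ProcessCommandLine),
          Account = AccountName, Parent = InitiatingProcessFileName;
// Stages that surface as file activity: archive staging and removal of the payload
let FileStages = DeviceFileEvents
| where Timestamp between (WindowStart .. WindowEnd)
| where DeviceName =~ TargetDevice
| extend IsArchive = FileName endswith ".zip" or FileName endswith ".7z" or FileName endswith ".rar"
| extend Stage = case(
    ActionType == "FileCreated" and IsArchive, "4 Data staging",
    ActionType == "FileDeleted" and (FileName =~ "updater.exe" or SHA256 =~ RansomHash), "7 Evidence cleanup",
    "")
| where isnotempty(Stage)
| project Timestamp, DeviceName, Stage,
          Evidence = strcat(ActionType, " ", FolderPath),
          Account = InitiatingProcessAccountName, Parent = InitiatingProcessFileName;
// Outbound connections made by the remote-access tool
let NetStages = DeviceNetworkEvents
| where Timestamp between (WindowStart .. WindowEnd)
| where DeviceName =~ TargetDevice
| where InitiatingProcessFileName =~ "AnyDesk.exe" and ActionType == "ConnectionSuccess"
| project Timestamp, DeviceName, Stage = "3 Command and control (network)",
          Evidence = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", RemotePort),
          Account = InitiatingProcessAccountName, Parent = InitiatingProcessParentFileName;
union ProcStages, FileStages, NetStages
| order by Timestamp asc
// Dwell time between consecutive stage events; prev() is valid here because order by serializes the rows
| extend SecondsSincePrevious = datetime_diff("second", Timestamp, prev(Timestamp))
| project Timestamp, SecondsSincePrevious, Stage, Evidence, Account, Parent
```

Reading the result top to bottom gives the attacker's dwell time between stages; in the intrusion described above the gap between the vssadmin call and the first encryption-era file events is the interval a defender had left to act.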
Detection Opportunities
This attack presents multiple opportunities for early detection:
- Monitoring LOLBin usage
- Detecting network scanning tools
- Identifying credential discovery commands
- Alerting on shadow copy deletion
- Tracking suspicious archive creation
Several of these signals appear before encryption begins, which is critical for prevention.
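Because several of these signals fire before encryption, they are worth scoring together rather than alerting on one at a time. The following query is an added example, not from the original post or its repository: it labels each of the pre-encryption signals listed above across every device, then counts how many distinct signals a host shows inside one correlation window. The lookback and window sizes, the certutil/bitsadmin LOLBin patterns, the archive extensions and the staging folders are all assumptions, not findings from the report.

```kql
// Added example, not a query from the original post or its repository.
// Scores each device on the pre-encryption signals so a host showing several
// of them in one window surfaces before any encryption is observed.
// Assumptions: 7-day lookback, 6-hour window, LOLBin patterns, archive extensions and staging folders.
let Lookback = 7d;
let Window = 6h;
let ProcSignals = DeviceProcessEvents
| where Timestamp > ago(Lookback)
| extend Signal = case(
    FileName =~ "advanced_ip_scanner.exe", "NetworkScanner",
    FileName in~ ("cmd.exe", "findstr.exe") and ProcessCommandLine has "lsass", "LsassDiscovery",
    FileName =~ "vssadmin.exe" and ProcessCommandLine has_all ("delete", "shadows"), "ShadowCopyDeletion",
    // assumed LOLBin download patterns (certutil -urlcache, bitsadmin /transfer)
    FileName in~ ("certutil.exe", "bitsadmin.exe") and ProcessCommandLine has_any ("urlcache", "transfer"), "LolbinDownload",
    "")
| where isnotempty(Signal)
| project Timestamp, DeviceId, DeviceName, Signal, Evidence = ProcessCommandLine;
let FileSignals = DeviceFileEvents
| where Timestamp > ago(Lookback)
| where ActionType == "FileCreated"
| where FileName endswith ".zip" or FileName endswith ".7z" or FileName endswith ".rar"
| where FolderPath has_any (@"\Users\Public\", @"\ProgramData\", @"\Temp\")   // assumed staging locations
| project Timestamp, DeviceId, DeviceName, Signal = "ArchiveStaging", Evidence = FolderPath;
union ProcSignals, FileSignals
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Signals = make_set(Signal), SignalCount = dcount(Signal),
            Evidence = make_list(Evidence, 10)
          by DeviceId, DeviceName, bin(Timestamp, Window)
// Two or more distinct early-stage signals on one host in one window is the triage threshold
| where SignalCount >= 2
| order by SignalCount desc, FirstSeen asc
```

This is shaped as a hunting query. To save it as a custom detection rule, the output must still carry Timestamp, ReportId and DeviceId, so the summarize would need to retain a ReportId (for example the one from the most recent matching event) rather than dropping it as here.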
Key Takeaways
- Ransomware attacks follow predictable behavioral patterns
- Early-stage activity is often detectable with proper telemetry
- Correlating process, file, and network events is essential
- Defender + KQL provides strong visibility for threat hunting
Conclusion
This investigation demonstrates how structured threat hunting can reconstruct attacker behavior without relying on alerts alone.
By mapping activity to the MITRE ATT&CK framework and analyzing endpoint telemetry, it is possible to identify and disrupt attacks before they reach the encryption stage.
Final Thoughts
Threat hunting is not just about detecting malware - it's about understanding attacker behavior.
The more you can recognize patterns, the earlier you can respond.
Download the Executive Summary Report
Ransomware Threat Hunting Summary Report (PDF)
Full report and supporting files available on GitHub
- KQL Queries Used: Included in the repository
Disclaimer: This project is a simulated threat hunting exercise created for educational and portfolio purposes. The environment, devices, and user accounts referenced are part of a controlled lab environment and do not represent real-world systems or individuals.
Thanks for reading!
If you're interested in security governance, GRC frameworks, or enterprise risk programs - feel free to connect with me on LinkedIn.
Feel free to reach out with questions or thoughts.
