Technical blog by Stephan Berger (@malmoeb)

dfir.ch

A detailed investigation into ransomware alerts triggered by Windows Defender for Endpoint reveals that suspicious network traffic originated from connection attempts to internet-exposed servers. The analysis demonstrates how to use KQL queries and timeline analysis to distinguish between actual threats and false positives, showing that ConnectionAttempt events alone don't indicate successful compromise. The investigation emphasizes the importance of comprehensive timeline analysis over GUI-based alert review, and provides practical queries for identifying internet-facing devices and validating security incidents.

Oh my .. ! - Suspicious network traffic detected including Ransomware