Ransomware Detection And Protection Link | Marius Sandbu Windows
Marius Sandbu, a prominent voice in Windows security and Azure Arc, consistently emphasizes a hard truth: true protection requires a defense-in-depth loop: Prevent → Detect → Respond → Recover.
| Phase | Observable (Windows Event Log) | Detection Logic |
|-------|-------------------------------|-----------------|
| Recon | 5145 (network share enumeration) + 4624 (anomalous logon from non-corporate IP) | Time-based anomaly: user accessing 50+ shares in 5 minutes |
| Lateral movement | 5140 (SMB share accessed) followed by 4688 with `schtasks.exe /create` | Remote task creation immediately after share mount |
| Ransomware execution | 4688 with `vssadmin.exe delete shadows` + `bcdedit /set` | Volume shadow copy deletion + boot config modification |
| Encryption | 4656 (many DELETE or ENCRYPTION file handles) + 5145 (share write spike) | File handle activity > 500/sec from a single process |
Don’t hunt for `*.encrypted`; hunt for deleted shadow copies plus high file rename activity within 60 seconds.

KQL (Kusto) example for Microsoft Sentinel (Windows security events such as 4688 and 4656 land in the `SecurityEvent` table; the 4688 `ProcessId` is the creator process, i.e. the process that launched `vssadmin.exe`, so the join on `ProcessId` pairs that parent with the 4656 file-handle activity):

```kql
SecurityEvent
| where EventID == 4688
| where Process contains "vssadmin.exe" and CommandLine contains "delete shadows"
| extend TimeBin = bin(TimeGenerated, 1m)
| join kind=inner (
    SecurityEvent
    | where EventID == 4656
    // write-type access mask (includes FILE_WRITE_DATA and FILE_APPEND_DATA)
    | where AccessMask == "0x0012019f"
    | summarize FileOps = count() by Computer, ProcessId, TimeBin = bin(TimeGenerated, 1m)
    | where FileOps > 300
) on Computer, ProcessId, TimeBin
| project TimeGenerated, Computer, Account, ParentProcessName, CommandLine, FileOps
```

4. Recovery: The Immutable Escape Hatch

Detection means nothing if backups can be encrypted or deleted.
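The shadow-copy-deletion plus write-burst correlation from the KQL query above, as an added example that is not part of the original post: a stand-alone Python function run over constructed sample events, so the logic can be exercised without Sentinel. The event tuple layout, `make_events` and `detect` are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Each event tuple: (timestamp, event_id, computer, process_id, detail)
# detail is the CommandLine for 4688 and the AccessMask for 4656.
# For 4688 the process_id is the creator (parent) process, matching the
# ProcessId seen on that process's own 4656 file-handle events.
WRITE_MASK = 0x12019f  # write-type access mask used in the KQL query


def make_events():
    """Constructed sample events (not real logs) covering three hosts."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    ev = []
    # WS01: parent 0x1a4c deletes shadow copies, then opens 400 files for write in 40 s
    ev.append((base, 4688, "WS01", "0x1a4c", "vssadmin.exe delete shadows /all /quiet"))
    for i in range(400):
        ev.append((base + timedelta(seconds=i / 10), 4656, "WS01", "0x1a4c", "0x0012019f"))
    # ADM01: an admin clears old shadows; only a handful of writes follow (benign)
    ev.append((base, 4688, "ADM01", "0x0be0", "vssadmin.exe delete shadows /for=C: /oldest"))
    for i in range(5):
        ev.append((base + timedelta(seconds=i), 4656, "ADM01", "0x0be0", "0x0012019f"))
    # DB01: heavy write activity but no shadow-copy deletion (benign)
    for i in range(1000):
        ev.append((base + timedelta(seconds=i / 20), 4656, "DB01", "0x0400", "0x0012019f"))
    return ev


def detect(events, window=timedelta(seconds=60), threshold=300):
    """Return (computer, pid, write_count) for every shadow-copy deletion whose
    creator process opened more than `threshold` write handles within `window`."""
    writes = {}
    for ts, eid, comp, pid, detail in events:
        if eid == 4656 and int(detail, 16) == WRITE_MASK:
            writes.setdefault((comp, pid), []).append(ts)
    alerts = []
    for ts, eid, comp, pid, detail in events:
        cmd = detail.lower()
        if eid != 4688 or "vssadmin" not in cmd or "delete shadows" not in cmd:
            continue
        # count write handles from the same host/process within +/- window
        nearby = sum(1 for w in writes.get((comp, pid), []) if abs(w - ts) <= window)
        if nearby > threshold:
            alerts.append((comp, pid, nearby))
    return alerts


if __name__ == "__main__":
    for alert in detect(make_events()):
        print("ALERT shadow deletion + write burst:", alert)
```

Only WS01 fires; the admin's shadow cleanup and the busy database host both stay silent because the two signals must come from the same process within the window.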