This hunt hypothesis looks for an adversary turning off controlled folder access (the Microsoft Defender feature that stops untrusted processes from writing to protected folders) as a precursor to deploying ransomware: with the control off, the protected folders can be encrypted once the payload runs. SOC teams should hunt for this behaviour proactively in Azure Sentinel so that a ransomware campaign is caught at the preparation stage, before encryption starts.
KQL Query
DeviceProcessEvents
// only PowerShell spawned by a cmd.exe parent
| where InitiatingProcessFileName =~ 'cmd.exe'
// the exact command line that turns controlled folder access off ('has' is case-insensitive)
| where FileName =~ 'powershell.exe' and ProcessCommandLine has('powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"')
id: 176cd213-94d7-4984-9b3b-b787ed8a1c55
name: Disable Controlled Folders
description: |
  Prior to deploying Macaw ransomware in an organization, the adversary disables controlled folder access so that the protected folders can be encrypted once the ransomware payload runs.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562.001
query: |
  DeviceProcessEvents
  // only PowerShell spawned by a cmd.exe parent
  | where InitiatingProcessFileName =~ 'cmd.exe'
  // the exact command line that turns controlled folder access off ('has' is case-insensitive)
  | where FileName =~ 'powershell.exe' and ProcessCommandLine has('powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"')
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection (Microsoft 365 Defender) data connector; ensure it is enabled |
The query matches only a PowerShell command line that runs Set-MpPreference with -EnableControlledFolderAccess Disabled. Files being deleted from a protected folder, whether by a cleanup job, a user, a backup agent or a security scanner, never produce a match, so exclusions for those activities are not needed. The benign cases worth tuning are legitimate administrators and management tooling turning the control off.
Scenario: Endpoint management or deployment script
Description: A configuration-management or software-deployment job (for example a script pushed through Intune or Configuration Manager, or an imaging task sequence) disables controlled folder access before an installer that writes into protected folders.
Filter/Exclusion: Exclude the management agent's script host by parent process once you have confirmed the parent chain in your own tenant, e.g. `InitiatingProcessParentFileName !in~ ("AgentExecutor.exe")` (illustrative name, assumed to be the Intune script host; verify before use).
Scenario: Administrator troubleshooting a blocked application
Description: An administrator interactively disables the control from an elevated prompt to diagnose an application that controlled folder access is blocking.
Filter/Exclusion: `InitiatingProcessAccountName !in~ ("<approved admin accounts>")`, correlated with a change record; a match from any other account, or outside a maintenance window, stays in scope.
Scenario: Authorized security validation
Description: A purple-team or control-validation run executes this exact command to confirm the detection fires.
Filter/Exclusion: `DeviceName !in~ ("<test hosts>")`, limited to the agreed test window.
Even when the source turns out to be benign, confirm the end state on the device: `Get-MpPreference | Select-Object EnableControlledFolderAccess` returns 1 when the control is on, 0 when it is off and 2 in audit mode, and a host left at 0 is exposed regardless of who ran the command.
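A broader form of the hunt, added here as an example and not part of the original hunting query. It keeps the same DeviceProcessEvents source but drops the cmd.exe-only parent restriction, matches the cmdlet and parameter as terms instead of one exact string (so quoting, spacing and casing no longer matter), treats the numeric value 0 and AuditMode as equivalent to Disabled, and applies an allow-list of management parents of the kind the tuning scenarios above describe. The AgentExecutor.exe entry is an assumption (the Intune script host) to be verified in your own tenant before use, and TimeGenerated is the Sentinel column name; use Timestamp if you run this in the Defender portal.

```kql
// Added example, not the original hunting query. Placeholder allow-list values must be
// replaced with parents you have verified in your own environment.
let approved_parents = dynamic(["AgentExecutor.exe"]);  // assumption: Intune script host
DeviceProcessEvents
| where TimeGenerated > ago(7d)
// any PowerShell host, not only powershell.exe launched from cmd.exe
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// term match on cmdlet and parameter: independent of quoting, spacing and casing
| where ProcessCommandLine has_all ("Set-MpPreference", "EnableControlledFolderAccess")
// the values that stop blocking: the enum name, its numeric form 0, or AuditMode (logs only);
// accepts "-Param Value", "-Param:Value" and a quoted value
| where ProcessCommandLine matches regex @"(?i)EnableControlledFolderAccess\s*[:=]?\s*[""']?(Disabled|0|AuditMode)\b"
// drop verified management tooling by its parent process
| where InitiatingProcessParentFileName !in~ (approved_parents)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName,
    InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine,
    FileName, ProcessCommandLine
| order by TimeGenerated desc
```

Two gaps remain by design. PowerShell accepts any unambiguous prefix of a parameter name, so a command line written as `-EnableControlledFolder Disabled` would not contain the full term and would be missed by the has_all clause. And an adversary can leave the control on and instead allow-list the payload with `Add-MpPreference -ControlledFolderAccessAllowedApplications`, which this query does not look for; hunt for that cmdlet separately if controlled folder access is a control you rely on.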