The attack surface reduction (ASR) rule "Block Office applications from creating child processes" stops Word, Excel, PowerPoint and the other Office applications from spawning child processes. That is the launch path malicious macros and other document-borne payloads use to start cmd.exe, PowerShell, a script host or a dropped binary, so the rule is not something adversaries exploit; it is the control that cuts their delivery chain. In block mode every blocked launch is recorded in the DeviceEvents table as an AsrOfficeChildProcessBlocked event that names the Office parent (InitiatingProcessFileName) and the child it tried to start (FileName). SOC teams should hunt over these events in their Azure Sentinel environment to find delivery attempts the rule stopped, to identify machines and parent/child pairs that produce benign noise before tuning, and to spot child processes that should never be spawned from a document. The rule records the parent/child pair, not intent, so each hit still needs triage against the blocked process name and command line.
KQL Query
DeviceEvents
| where ActionType == "AsrOfficeChildProcessBlocked" and Timestamp > ago(7d)
| project BlockedProcess=FileName, ParentProcess=InitiatingProcessFileName, DeviceName
| summarize MachineCount=dcount(DeviceName), RuleHits=count() by BlockedProcess, ParentProcess
| sort by MachineCount desc
id: 835e8f87-f387-4ee5-ab79-d03b5e5e816b
name: ExploitGuardBlockOfficeChildProcess
description: |
  These queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes.
  (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a).
  Read more about it here: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.
  Oftentimes organizations enable this rule in audit mode and check the results before setting block mode.
  You can use query #2 to measure the rule impact on your network in audit mode before turning it to block mode.
  Query #1 is used after setting it to block mode - to analyze the block stats.
  Tags: #ASR.
  Query #1: block stats.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  DeviceEvents
  | where ActionType == "AsrOfficeChildProcessBlocked" and Timestamp > ago(7d)
  | project BlockedProcess=FileName, ParentProcess=InitiatingProcessFileName, DeviceName
  | summarize MachineCount=dcount(DeviceName), RuleHits=count() by BlockedProcess, ParentProcess
  | sort by MachineCount desc
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Populated by the MicrosoftThreatProtection (Microsoft 365 Defender) data connector; ensure the connector is enabled and that the DeviceEvents data type is selected, otherwise the ASR events never reach the workspace |
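The description above refers to a "query #2" for measuring the rule's impact in audit mode, which is not reproduced on this page. The following is an added example, not part of the original hunting-query file: it covers both modes, because in audit mode the rule logs ActionType "AsrOfficeChildProcessAudited" and lets the child run, so audit events are exactly what block mode would later stop. The list of high-risk child names and the thresholds used for the Disposition column are assumptions for illustration, not part of the rule.

```kql
// Added example (not from the original page): audit-mode impact measurement.
// Audit events show what block mode would stop; block events show what it did stop.
let lookback = 14d;
// Assumed list of children that should never be spawned from a document.
let RiskyChildren = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe", "wmic.exe"]);
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType in ("AsrOfficeChildProcessAudited", "AsrOfficeChildProcessBlocked")
| extend Mode = iff(ActionType == "AsrOfficeChildProcessAudited", "audit", "block")
| extend ParentProcess = tolower(InitiatingProcessFileName),
         ChildProcess  = tolower(FileName)
| extend RiskyChild = ChildProcess in (RiskyChildren)
| summarize Hits = count(),
            MachineCount = dcount(DeviceName),
            UserCount = dcount(InitiatingProcessAccountName),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            // The Office app's command line usually carries the document path.
            SampleDocument = take_any(InitiatingProcessCommandLine),
            SampleChildCommandLine = take_any(ProcessCommandLine)
  by Mode, ParentProcess, ChildProcess, RiskyChild
// Broad, benign pairs are tuning candidates before block mode is turned on;
// rare pairs with a risky child are investigation candidates now.
| extend Disposition = case(RiskyChild, "investigate",
                            MachineCount >= 20, "tune before block mode",
                            "review")
| sort by Mode asc, RiskyChild desc, MachineCount desc
```

Run this over the full audit period (two weeks covers most month-start reporting jobs) and work the "tune before block mode" rows first: each one is a parent/child pair that will start breaking on many machines the day the rule goes to block mode. Anything flagged "investigate" in audit mode already ran, so it needs a DeviceProcessEvents follow-up on the affected hosts, not a tuning decision.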
False-positive scenarios and tuning. Each exclusion below is written as a KQL predicate over the DeviceEvents columns the query already uses: InitiatingProcessFileName is the Office application the rule acted on, FileName is the child it tried to start, InitiatingProcessParentFileName is the process that launched the Office application, and ProcessCommandLine / InitiatingProcessCommandLine carry the child's and the Office application's command lines. An exclusion should always combine the launcher, the Office parent and the child; never exclude on an Office executable or a user name alone.
Scenario: Scheduled Job Running Microsoft Word to Generate Reports
Description: A scheduled task launches Word to fill a report template, and Word then starts another Office application (for example Excel to refresh embedded data). The event shows winword.exe as InitiatingProcessFileName and the second Office application as FileName; the task host is one level further up, in InitiatingProcessParentFileName. Tasks started by the Task Scheduler service run under svchost.exe, not schtasks.exe (schtasks.exe only creates and edits tasks), so a filter on schtasks.exe never matches.
Filter/Exclusion: InitiatingProcessParentFileName =~ "svchost.exe" and InitiatingProcessFileName =~ "winword.exe" and FileName in~ ("excel.exe", "winword.exe") and InitiatingProcessAccountName =~ "<service account the task runs as>". Keep hits where the child is a shell, script host or unknown binary even when the launcher is svchost.exe.
Scenario: System Administrator Using PowerShell to Launch Excel for Data Analysis
Description: An admin starts Excel from an interactive PowerShell session or a script, and Excel then spawns a child process. PowerShell is the launcher (InitiatingProcessParentFileName); Excel is the Office parent the rule acts on. Excluding on a user name such as "Administrator" is not a safe key: it is the account an attacker most wants to run as, and a malicious script produces the same PowerShell-to-Excel-to-child chain.
Filter/Exclusion: InitiatingProcessParentFileName in~ ("powershell.exe", "pwsh.exe") and InitiatingProcessFileName =~ "excel.exe" and FileName in~ ("excel.exe", "winword.exe") and InitiatingProcessAccountName in~ ("<named admin accounts>") and DeviceName in~ ("<analyst workstations>"). Never exclude hits where FileName is cmd.exe, powershell.exe, pwsh.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe or regsvr32.exe.
Scenario: Microsoft Outlook Creating a Child Process
Description: Outlook starts a child process when a user opens an attachment or a link handler. Outlook is not covered by this rule: it is handled by the separate ASR rule "Block Office communication application from creating child processes", which logs its own ActionType (AsrOfficeCommAppChildProcessBlocked), so outlook.exe should not appear as InitiatingProcessFileName in AsrOfficeChildProcessBlocked events. If it does, treat the hit as a data-quality question rather than a tuning one. A blanket exclusion of outlook.exe by name or path would whitelist the most common phishing entry point.
Filter/Exclusion: None recommended for this query. Hunt Outlook-spawned processes under the communication-application rule's events instead.
Scenario: Antivirus Software Scanning Office Documents
Description: An antivirus engine scanning a document does not make the Office application create a child process, so scanning alone never produces this event; the rule only records processes whose parent is the Office application. The original filter also named avast.exe and kavservice.exe while the description talked about Bitdefender and Kaspersky, and none of them can appear as the parent here. The only way a security product shows up in these events is as the blocked child (FileName), for example a helper started by an Office add-in. Such hits are rare and should be confirmed against the vendor's documented binary and its SHA1 (DeviceFileCertificateInfo) before any exclusion.
Filter/Exclusion: Not applicable as originally written. If a vendor helper is confirmed: FileName =~ "<vendor helper>.exe" and InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe") and SHA1 in ("<verified hashes>").
Scenario: User Launching a Macro-Enabled Excel File That Spawns a Child Process
Description: A user opens a macro-enabled workbook and a VBA macro starts another process. This is exactly the behavior the rule exists to block and the most common way document-borne malware launches its payload; it must not be excluded. The command-line test in the original filter does not identify macro-enabled files either: macro content is a property of the document (the .xlsm extension and its VBA project), not of the Excel command line.
Filter/Exclusion: None. Triage each hit on FileName, ProcessCommandLine, the document path in InitiatingProcessCommandLine and the user. If a line-of-business workbook legitimately needs to start a specific program, prefer an ASR per-rule exclusion for that signed binary and tune the hunt on the exact parent/child/command-line triple, never on excel.exe alone.
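The following is an added example, not part of the original hunting-query file: query #1 with the scenario tuning above applied in KQL. Exclusions key on the launcher (InitiatingProcessParentFileName), the Office parent and the child together, and a high-risk child is never excluded, so the macro scenario is always kept. The launcher and child lists and the "rptsvc" report service account are assumptions for illustration.

```kql
// Added example (not from the original page): block stats with scenario exclusions.
let lookback = 7d;
// Assumed: Office applications an automation job may legitimately chain into.
let OfficeToOffice = dynamic(["excel.exe", "winword.exe", "powerpnt.exe"]);
// Assumed: children that override every exclusion.
let HighRiskChildren = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe", "wmic.exe"]);
// Assumed service account the report-generation task runs as.
let ReportServiceAccounts = dynamic(["rptsvc"]);
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "AsrOfficeChildProcessBlocked"
| extend ParentProcess  = tolower(InitiatingProcessFileName),
         Launcher       = tolower(InitiatingProcessParentFileName),
         BlockedProcess = tolower(FileName),
         User           = tolower(InitiatingProcessAccountName)
| extend HighRisk = BlockedProcess in (HighRiskChildren)
// Scenario 1: Task Scheduler (svchost.exe) launched Word, which chained into another
// Office app under the report service account.
| extend Excl_ScheduledReport = Launcher == "svchost.exe" and ParentProcess == "winword.exe"
        and BlockedProcess in (OfficeToOffice) and User in (ReportServiceAccounts)
// Scenario 2: PowerShell launched Excel, which chained into another Office app.
| extend Excl_AdminPowerShell = Launcher in ("powershell.exe", "pwsh.exe")
        and ParentProcess == "excel.exe" and BlockedProcess in (OfficeToOffice)
// A high-risk child is always kept, whatever launched the Office app (scenario 5).
| where HighRisk or not(Excl_ScheduledReport or Excl_AdminPowerShell)
| summarize RuleHits = count(),
            MachineCount = dcount(DeviceName),
            Users = make_set(User, 10),
            SampleDocument = take_any(InitiatingProcessCommandLine),
            SampleChildCommandLine = take_any(ProcessCommandLine)
  by BlockedProcess, ParentProcess, Launcher, HighRisk
| sort by HighRisk desc, MachineCount desc
```

Keeping the exclusions as named boolean columns rather than folding them into one where clause makes it cheap to audit what each exclusion is suppressing: drop the final where, add the Excl_* columns to the summarize key, and the query reports how many hits each rule removed.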