id: fed32a95-bba6-47a6-8519-8d2a2cee97f9
name: ExploitGuardBlockOfficeChildProcess (1)
description: |
  These queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes.
  (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a).
  Read more about it here: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.
  Oftentimes organizations enable this rule in audit mode and check the results before setting block mode.
  You can use query #2 to measure the rule impact on your network in audit mode before switching it to block mode.
  Query #1 is used after setting it to block mode - to analyze the block stats.
  Tags: #ASR.
  Query #1: block stats.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
      - AlertEvidence
      - DeviceEvents
query: |
  // These queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes
  // (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a)
  // Read more about it here: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
  // Oftentimes organizations enable this rule in audit mode and check the results before setting block mode.
  // You can use query #2 to measure the rule impact on your network in audit mode before switching it to block mode.
  // Query #1 is used after setting it to block mode - to analyze the block stats.
  // Tags: #ASR
  // Query #2: investigate audit events - before turning the rule on in block mode
  let minTime = ago(7d);
  // Enrich the Exploit Guard audit events with a column saying whether there was a nearby Microsoft Defender for Endpoint alert.
  // If there was an alert, this is probably malware, and it is good that it will be blocked.
  // If there was no alert, it requires further analysis to determine whether this is a clean file or malware that was missed.
  let alerts =
  AlertInfo
  | where Timestamp > minTime
  | join AlertEvidence on AlertId
  | project DeviceName, DetectedTimestamp=Timestamp
  ;
  DeviceEvents
  | where ActionType == "AsrOfficeChildProcessAudited" and Timestamp > minTime
  | project BlockedProcess=FileName, ParentProcess=InitiatingProcessFileName, DeviceName, Timestamp, ReportId
  | join kind=leftouter (alerts) on DeviceName
  | extend HasNearbyAlert = abs(Timestamp - DetectedTimestamp) between (0min .. 5min)
  // The join yields one row per (audit event, alert) pair. Collapse back to one row per audit event,
  // otherwise a device with several alerts in the period inflates RuleHits and skews NearbyAlertPercent.
  | summarize HasNearbyAlert=countif(HasNearbyAlert) > 0 by BlockedProcess, ParentProcess, DeviceName, Timestamp, ReportId
  | summarize MachineCount=dcount(DeviceName),
              RuleHits=count(),
              NearbyAlertPercent=countif(HasNearbyAlert)*100.0 / count()
            by BlockedProcess, ParentProcess
  | sort by MachineCount desc
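The enrichment the query performs, reimplemented in Python as an added example (not part of the Sentinel query file) over constructed sample rows: it computes HasNearbyAlert with the same inclusive 5-minute window and the same per-(BlockedProcess, ParentProcess) summary, and also shows how a bare `join kind=leftouter ... on DeviceName` multiplies rows when a device has more than one alert. Device names, timestamps and process names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # same window as: between (0min .. 5min)

# Constructed sample rows (not real telemetry). Each audit event mirrors the
# projected columns: FileName, InitiatingProcessFileName, DeviceName, Timestamp.
AUDIT_EVENTS = [
    ("cmd.exe", "WINWORD.EXE", "ws01", datetime(2021, 3, 1, 9, 0)),
    ("cmd.exe", "WINWORD.EXE", "ws02", datetime(2021, 3, 1, 9, 30)),
    ("powershell.exe", "EXCEL.EXE", "ws01", datetime(2021, 3, 1, 11, 0)),
    ("AcroRd32.exe", "OUTLOOK.EXE", "ws03", datetime(2021, 3, 1, 12, 0)),
]
# (DeviceName, DetectedTimestamp) rows, as the `alerts` subquery would return them.
ALERTS = [
    ("ws01", datetime(2021, 3, 1, 9, 2)),   # 2 min after the ws01 cmd.exe event
    ("ws01", datetime(2021, 3, 1, 9, 4)),   # a second alert on the same device
    ("ws02", datetime(2021, 3, 1, 14, 0)),  # unrelated alert hours later
    ("ws03", datetime(2021, 3, 1, 12, 5)),  # exactly 5 min away: inclusive, so it counts
]

def has_nearby_alert(device, ts, alerts, window=WINDOW):
    """HasNearbyAlert: any alert on the same device within +/- window of the event."""
    return any(d == device and abs(ts - det) <= window for d, det in alerts)

def summarize(events, alerts):
    """One row per (BlockedProcess, ParentProcess):
    (child, parent, MachineCount, RuleHits, NearbyAlertPercent), sorted by MachineCount desc."""
    groups = defaultdict(lambda: {"devices": set(), "hits": 0, "nearby": 0})
    for child, parent, device, ts in events:
        g = groups[(child, parent)]
        g["devices"].add(device)
        g["hits"] += 1  # each audit event counted exactly once
        g["nearby"] += has_nearby_alert(device, ts, alerts)
    rows = [(child, parent, len(g["devices"]), g["hits"], 100.0 * g["nearby"] / g["hits"])
            for (child, parent), g in groups.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def naive_join_rule_hits(events, alerts):
    """RuleHits as count() sees them straight after a leftouter join on DeviceName with no
    de-duplication: one row per (event, alert) pair, unmatched events kept once."""
    hits = defaultdict(int)
    for child, parent, device, _ in events:
        matches = sum(1 for d, _ in alerts if d == device)
        hits[(child, parent)] += max(matches, 1)
    return dict(hits)
```

Comparing `summarize()` with `naive_join_rule_hits()` shows the cmd.exe/WINWORD.EXE pair counted 3 times instead of 2 when rows are not collapsed back to one per audit event.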
| Sentinel Table | Notes |
|---|---|
| AlertInfo | Ensure this data connector is enabled |
| AlertEvidence | Ensure this data connector is enabled |
| DeviceEvents | Ensure this data connector is enabled |
EXCEL.EXE and the child process is a known temporary tool