
ExploitGuardBlockOfficeChildProcess (2)

kql MEDIUM Azure-Sentinel
DeviceEvents
Tags: exploit, hunting, microsoft, official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Azure-Sentinel →
Retrieved: 2026-05-24T23:00:00Z · Confidence: medium

Hunt Hypothesis

Adversaries may bypass Exploit Guard protections by creating malicious child processes from Office applications to execute payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential evasion tactics and prevent lateral movement or data exfiltration.

KQL Query


// These queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes - MTP Schema
// (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a)
// Read more about it here: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
// Oftentimes organizations enable this rule in audit mode and check the results before setting block mode.
// You can use query #2 to measure the rule impact on your network in audit mode before turning it to block mode.
// Query #1 is used after setting it to block mode - to analyze the block stats.
// Tags: #ASR
// Query #1: block stats
DeviceEvents
| where ActionType == "AsrOfficeChildProcessBlocked" and Timestamp > ago(7d)
| project BlockedProcess=FileName, ParentProcess=InitiatingProcessFileName, DeviceName
| summarize MachineCount=dcount(DeviceName), RuleHits=count() by BlockedProcess, ParentProcess
| sort by MachineCount desc
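The comments above refer to a second, audit-mode query that this page does not reproduce. The following is an added KQL example (not the Azure-Sentinel repository's own Query #2) that measures the rule's impact while it is still in audit mode and adds the triage columns an analyst needs to tell benign add-ins and updaters from suspicious child processes; it assumes that "AsrOfficeChildProcessAudited" is the audit-mode counterpart of the blocked ActionType, so verify that value against your own DeviceEvents data before relying on it.

```kql
// Added example, not from the Azure-Sentinel repository.
// Assumption: "AsrOfficeChildProcessAudited" is the audit-mode ActionType
// for ASR rule d4f940ab-401b-4efc-aadc-ad5f3c50688a; confirm it in your tenant
// with: DeviceEvents | where ActionType startswith "AsrOfficeChildProcess" | distinct ActionType
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType in ("AsrOfficeChildProcessAudited", "AsrOfficeChildProcessBlocked")
// Label each row so audit-mode and block-mode hits can be compared side by side
| extend Mode = iff(ActionType endswith "Audited", "audit", "block")
| project Timestamp, DeviceName, Mode,
          ParentProcess = InitiatingProcessFileName,
          ParentCommandLine = InitiatingProcessCommandLine,
          ChildProcess = FileName,
          ChildPath = FolderPath
// One row per (mode, parent, child, path) tuple: breadth (machines) vs. volume (hits),
// plus a sample parent command line for quick triage of the tuple
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            MachineCount = dcount(DeviceName), RuleHits = count(),
            SampleParentCommandLine = any(ParentCommandLine)
          by Mode, ParentProcess, ChildProcess, ChildPath
| sort by MachineCount desc, RuleHits desc
```

Tuples that appear on many machines with a child path under Program Files are the usual benign impact (signed add-ins, updaters) and are candidates for an ASR exclusion before switching to block mode; a scripting host or a child launched from a user-writable path on one or two machines is what the hunt hypothesis above is looking for.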

Analytic Rule Definition

id: 6df0dd4f-5572-4ab9-bde7-1f322547bff7
name: ExploitGuardBlockOfficeChildProcess (2)
description: |
  These queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes.
  (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a).
  Read more about it here: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.
  Oftentimes organizations enable this rule in audit mode and check the results before setting block mode.
  You can use query #2 to measure the rule impact on your network in audit mode before turning it to block mode.
  Query #1 is used after setting it to block mode - to analyze the block stats.
  Tags: #ASR.
  Query #1: block stats.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
query: |2-

  // These queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes - MTP Schema
  // (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a)
  // Read more about it here: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
  // Oftentimes organizations enable this rule in audit mode and check the results before setting block mode.
  // You can use query #2 to measure the rule impact on your network in audit mode before turning it to block mode.
  // Query #1 is used after setting it to block mode - to analyze the block stats.
  // Tags: #ASR
  // Query #1: block stats
  DeviceEvents
  | where ActionType == "AsrOfficeChildProcessBlocked" and Timestamp > ago(7d)
  | project BlockedProcess=FileName, ParentProcess=InitiatingProcessFileName, DeviceName
  | summarize MachineCount=dcount(DeviceName), RuleHits=count() by BlockedProcess, ParentProcess
  | sort by MachineCount desc

Required Data Sources

Sentinel Table: DeviceEvents
Notes: Ensure this data connector is enabled


Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardBlockOfficeChildProcess (2).yaml