id: 521f58f9-92b8-407b-9434-798a9f527b3c
name: ExploitGuardBlockOfficeChildProcess (3)
description: |
  These queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes
  (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a).
  Read more about it here: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.
  Organizations often enable this rule in audit mode and review the results before switching it to block mode.
  You can use query #2 to measure the rule's impact on your network in audit mode before switching it to block mode.
  Query #1 is used after setting it to block mode, to analyze the block stats.
  Tags: #ASR.
  Query #1: block stats.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
      - AlertEvidence
      - DeviceEvents
query: |
  // These queries check telemetry from the Exploit Guard rule: Rule: Block Office applications from creating child processes - MTP Schema
  // (Rule ID d4f940ab-401b-4efc-aadc-ad5f3c50688a)
  // Read more about it here: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
  // Organizations often enable this rule in audit mode and review the results before switching it to block mode.
  // You can use query #2 to measure the rule's impact on your network in audit mode before switching it to block mode.
  // Query #1 is used after setting it to block mode, to analyze the block stats.
  // Tags: #ASR
  // Query #2: investigate audit events before turning the rule on in block mode
  let minTime = ago(7d);
  // Enrich the Exploit Guard events with a column saying whether there was a nearby Windows Defender ATP alert.
  // If there was an alert, the child process is probably malware and blocking it is the desired outcome.
  // If there was no alert, the event needs further analysis to determine whether this is a clean file or malware that was missed.
  let alerts =
  AlertInfo | join AlertEvidence on AlertId
  | where Timestamp > minTime
  | project DeviceName, DetectedTimestamp=Timestamp;
  DeviceEvents
  | where ActionType == "AsrOfficeChildProcessAudited" and Timestamp > minTime
  | project BlockedProcess=FileName, ParentProcess=InitiatingProcessFileName, DeviceName, Timestamp
  | join kind=leftouter (alerts) on DeviceName
  // An alert within 5 minutes of the audited event (before or after) counts as "nearby"
  | extend HasNearbyAlert = abs(Timestamp - DetectedTimestamp) between (0min .. 5min)
  | summarize MachineCount=dcount(DeviceName),
              RuleHits=count(),
              NearbyAlertPercent=countif(HasNearbyAlert)*100.0 / count()
    by BlockedProcess, ParentProcess
  | sort by MachineCount desc
| Sentinel Table | Notes |
|---|---|
| AlertEvidence | Ensure this data connector is enabled |
| DeviceEvents | Ensure this data connector is enabled |
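The description refers to a block-mode companion query (Query #1) that is not included in this file. The following is an added example, not the project's own Query #1, of how block statistics for the same rule can be summarized once it is enforced; it assumes the block-mode counterpart of the audited event is the DeviceEvents ActionType `AsrOfficeChildProcessBlocked`, and it adds first/last-seen times and sample paths to help triage whether a blocked parent/child pair is a legitimate business workflow or malicious.

```kql
// Added example: block statistics for the ASR rule "Block Office applications from creating child processes".
// Assumption: "AsrOfficeChildProcessBlocked" is the block-mode counterpart of "AsrOfficeChildProcessAudited".
let minTime = ago(7d);
DeviceEvents
| where ActionType == "AsrOfficeChildProcessBlocked" and Timestamp > minTime
| project Timestamp, DeviceName,
          BlockedProcess=FileName,
          BlockedProcessPath=FolderPath,
          ParentProcess=InitiatingProcessFileName,
          ParentCommandLine=InitiatingProcessCommandLine
| summarize BlockCount=count(),
            MachineCount=dcount(DeviceName),
            FirstSeen=min(Timestamp),
            LastSeen=max(Timestamp),
            // Up to 5 distinct paths per pair: a consistent install path suggests a line-of-business add-in,
            // while paths under user-writable folders (Temp, Downloads) deserve a closer look.
            SamplePaths=make_set(BlockedProcessPath, 5),
            SampleParentCommandLines=make_set(ParentCommandLine, 3)
  by BlockedProcess, ParentProcess
// Pairs hitting many machines are the likeliest candidates for either an exclusion or a broader investigation.
| sort by MachineCount desc, BlockCount desc
```

Compare the parent/child pairs returned here with the audit-mode results from Query #2: a pair that was common in audit mode but had a low NearbyAlertPercent, and now appears with a high MachineCount, is the usual signature of a business-impacting false positive.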