ExploitGuardControlledFolderAccess (1)

Hunt Hypothesis

Attackers may attempt to bypass Controlled Folder Access by exploiting misconfigurations or evasion techniques, which could grant them unauthorized access to sensitive system folders. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential privilege escalation or data exfiltration attempts that evade standard detection mechanisms.

KQL Query

 // Controlled Folder Access events across devices
DeviceEvents
 | where ActionType startswith "ControlledFolderAccess" 
 | summarize AsrDetections=count() by DeviceName
 | order by AsrDetections desc

Analytic Rule Definition

id: ce33163e-68ba-470e-8641-ed61d43d38e1
name: ExploitGuardControlledFolderAccess (1)
description: |
  Total Controlled Folder Access events.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
query: |2-
   // Controlled Folder Access events across devices
  DeviceEvents
   | where ActionType startswith "ControlledFolderAccess" 
   | summarize AsrDetections=count() by DeviceName
   | order by AsrDetections desc

Required Data Sources

References

• [Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Protection events/ExploitGuardControlledFolderAccess (1).yaml)

False Positive Guidance

• Scenario: System update or patching using Windows Update or Group Policy Preferences (GPP)
  Filter/Exclusion: Exclude events where the source is Microsoft Windows Update or Group Policy Preferences and the action is related to folder access configuration.

• Scenario: Microsoft Defender Antivirus performing a scan or real-time protection update
  Filter/Exclusion: Exclude events where the source is Microsoft Defender Antivirus and the event type is related to scan or update activity.

• Scenario: Scheduled Task running a legitimate script or tool that accesses protected folders (e.g., PowerShell, cmd.exe, or rsync)
  Filter/Exclusion: Exclude events where the process is associated with a known scheduled task (e.g., Task Scheduler) and the command line includes legitimate tools or scripts.

• Scenario: Administrative Task such as configuring Controlled Folder Access via Group Policy or Local Group Policy Editor
  Filter/Exclusion: Exclude events where the process is gpedit.msc or gpupdate.exe and the action is related to policy configuration.

• Scenario: Backup or Sync Tool (e.g., Veeam, SyncToy, OneDrive) accessing protected folders during synchronization
  Filter/Exclusion: Exclude events where the process is associated with a known backup or sync tool and the folder path matches a known sync directory.