Controlled Folder Access (CFA), part of Windows Defender Exploit Guard, stops untrusted processes from writing to protected folders and is one of the few built-in controls aimed squarely at ransomware. An attacker who probes those folders from an unexpected process, disables the feature, or exploits a misconfiguration (an over-broad allowed application, or a deployment left in audit mode) may be setting up persistence, data destruction, or exfiltration. SOC teams should proactively hunt for this activity in Azure Sentinel rather than waiting for a block alert, because audit-mode events (IsAudit = true) mean the write was observed but allowed, and because the same endpoint protections the attacker is testing are the ones they intend to evade.
KQL Query
```kql
// Exploit Guard Controlled Folder Access details
// DeviceEvents carries both the audited and the blocked CFA violations;
// matching on "ControlledFolderAccess" picks up both ActionType variants.
DeviceEvents
| where ActionType contains "ControlledFolderAccess"
// AdditionalFields is a JSON string; parse it once so the CFA-specific
// properties (IsAudit, Uri, RuleId, ActivityId) can be projected below.
| extend JsonOut = parse_json(AdditionalFields)
| sort by Timestamp desc
| project Timestamp, DeviceName, InitiatingProcessAccountName, ActionType,
    // FileName/FolderPath are the protected target; the *Process* columns
    // identify the application that attempted the write.
    FileName, FolderPath, RemoteUrl, ProcessCommandLine, InitiatingProcessCommandLine,
    JsonOut.IsAudit, JsonOut.Uri, JsonOut.RuleId, JsonOut.ActivityId
```
```yaml
id: 01dacb6d-4964-42a5-b248-516fc40d605d
name: ExploitGuardControlledFolderAccess (2)
description: |
  Lists all Controlled Folder Access events (audited and blocked) reported
  by Microsoft Defender for Endpoint, with the AdditionalFields JSON expanded.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  // Exploit Guard Controlled Folder Access details
  DeviceEvents
  | where ActionType contains "ControlledFolderAccess"
  | extend JsonOut = parse_json(AdditionalFields)
  | sort by Timestamp desc
  | project Timestamp, DeviceName, InitiatingProcessAccountName, ActionType,
      FileName, FolderPath, RemoteUrl, ProcessCommandLine, InitiatingProcessCommandLine,
      JsonOut.IsAudit, JsonOut.Uri, JsonOut.RuleId, JsonOut.ActivityId
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure the Microsoft 365 Defender (MicrosoftThreatProtection) data connector is enabled and streaming DeviceEvents |
The scenarios below are the common benign sources of CFA events. Two cautions apply to all of them: a bare process name is trivially spoofed, so key exclusions on the full InitiatingProcessFolderPath (or the process signer) rather than on InitiatingProcessFileName alone, and the process names and paths given here are illustrative, so confirm the exact executables and destinations from vendor documentation and your own baseline before building an exclusion.

Scenario: System update or patching process using Windows Update or Group Policy Preferences (GPP)
Filter/Exclusion: Exclude events where the initiating process belongs to Windows Update or Group Policy processing and the folder is within the system protected directories (e.g., C:\Windows, C:\Program Files).

Scenario: Scheduled backup job using Veeam Backup & Replication or Commvault
Filter/Exclusion: Exclude events where the initiating process is the backup agent (e.g., VeeamBackup.exe or CommvaultService.exe) and the folder is a known backup destination (e.g., D:\Backups, \\backupserver\share). Do not exclude the backup agent for writes outside its configured destination; ransomware that runs inside a backup process is a known pattern.

Scenario: Administrative task involving PowerShell or Task Scheduler that legitimately modifies protected folders
Filter/Exclusion: Excluding powershell.exe or schtasks.exe whenever the user is a domain admin or the process runs as NT AUTHORITY\SYSTEM removes exactly the activity that ransomware and living-off-the-land tooling produce, so do not exclude on process name and privilege alone. Scope the exclusion to the specific script path or scheduled-task command line (InitiatingProcessCommandLine) that performs the approved change.

Scenario: Antivirus or endpoint protection software (e.g., Microsoft Defender, Kaspersky, Bitdefender) performing a scan or quarantine action
Filter/Exclusion: Exclude events where the initiating process is the AV engine (e.g., MsMpEng.exe or KavService.exe) and the folder is within the product's quarantine or scan directory (e.g., C:\ProgramData\Microsoft\Windows Defender\Scans).

Scenario: User manually accessing protected folders for troubleshooting or support purposes
Filter/Exclusion: Exclude events where the user is a member of the helpdesk or support admin group and the folder is a known support directory (e.g., C:\SupportTools, C:\Logs). Keep this exclusion folder-scoped; support accounts writing to user document folders or network shares should still surface.