Adversaries may attempt to bypass Controlled Folder Access by exploiting misconfigurations or leveraging privilege escalation to evade detection. SOC teams should proactively hunt for this behavior to identify potential bypasses of endpoint protection mechanisms in their Azure Sentinel environment.
KQL Query

```kql
DeviceEvents
| where ActionType startswith "ControlledFolderAccess"
| summarize NumberOfEvents=count() by ActionType
| sort by NumberOfEvents desc
```
Hunting Query Definition

```yaml
id: c4e021bc-59f8-4464-9f93-3b08d8b28cc3
name: ExploitGuardControlledFolderAccess
description: |
  Total Controlled Folder Access events.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  DeviceEvents
  | where ActionType startswith "ControlledFolderAccess"
  | summarize NumberOfEvents=count() by ActionType
  | sort by NumberOfEvents desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
Known False Positives

- Scenario: A system administrator is manually configuring Controlled Folder Access settings via the Group Policy Management Console (GPMC).
  - Filter/Exclusion: Exclude events where the source process is gpmc.exe or gpedit.msc and the user is a domain administrator.
- Scenario: A scheduled task is running a script that temporarily modifies files in a protected folder as part of a routine maintenance job.
  - Filter/Exclusion: Exclude events where the source process is schtasks.exe and the task is known to be part of a documented maintenance process (e.g., MaintenanceTask_ScriptCleanup).
- Scenario: A security tool such as Malwarebytes or Bitdefender is performing a scan and accessing protected folders as part of its malware detection process.
  - Filter/Exclusion: Exclude events where the source process is mbam.exe, bdagent.exe, or a similar security tool executable.
- Scenario: An IT support tool such as Microsoft Endpoint Manager (MEM) or Intune is accessing protected folders to deploy or update policies.
  - Filter/Exclusion: Exclude events where the source process is mpcmdrun.exe (Microsoft Defender) or intunewin.exe and the action is related to policy deployment.
- Scenario: A user is using Windows File History or OneDrive sync to back up or sync files, which may involve accessing protected folders.
  - Filter/Exclusion: Exclude events where the source process is wbemcons.exe (for File History) or OneDrive.exe and the action is related to backup or sync operations.
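The hunting query above with the tuning exclusions from these scenarios applied, as an added example that is not part of the original rule. It assumes the standard DeviceEvents advanced hunting columns (Timestamp, DeviceName, ActionType, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName) and a 7-day lookback; the process allow-list is only the set of executables the scenarios name, and it should be validated against your own environment before being used in production.

```kql
// Added example, not the original rule: Controlled Folder Access events with the
// documented benign sources removed, broken out per device, process and outcome.
let lookback = 7d;
// Allow-list assembled from the false-positive scenarios above (assumption: these
// names are correct for your tenant; verify each before relying on it).
let BenignProcesses = dynamic([
    "gpmc.exe", "gpedit.msc",          // GPMC / local policy editing
    "schtasks.exe",                    // documented maintenance tasks
    "mbam.exe", "bdagent.exe",         // third-party AV scans
    "mpcmdrun.exe", "intunewin.exe",   // Defender / Intune policy deployment
    "wbemcons.exe", "onedrive.exe"     // File History / OneDrive sync
]);
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "ControlledFolderAccess"
// !in~ compares case-insensitively; InitiatingProcessFileName casing varies.
| where InitiatingProcessFileName !in~ (BenignProcesses)
// Keep Blocked and Audited outcomes separate: a run of Audited events from a
// device that was previously producing Blocked events is worth a look, since it
// can mean the policy was switched from block to audit mode on that host.
| summarize
    Events        = count(),
    FirstSeen     = min(Timestamp),
    LastSeen      = max(Timestamp),
    TargetFolders = make_set(FolderPath, 10),
    Accounts      = make_set(InitiatingProcessAccountName, 5)
    by DeviceName, InitiatingProcessFileName, ActionType
| sort by Events desc
```

Processes that still appear after the allow-list is applied, especially with several distinct TargetFolders or accounts, are the ones to triage first.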