Network connections that ExploitGuard Network Protection blocks or audits can indicate an attempt to exploit a known vulnerability or other malicious activity on the endpoint. SOC teams should proactively hunt for these events in Azure Sentinel to identify and mitigate potential exploitation attempts early.
KQL Query

```kql
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType =~ "ExploitGuardNetworkProtectionBlocked"
| summarize count_RemoteUrl = count() by InitiatingProcessFileName, RemoteUrl, Audit_Only=tostring(parse_json(AdditionalFields).IsAudit)
| sort by count_RemoteUrl desc
```
```yaml
id: 47bf14f0-c6b7-4dd3-a13f-b9a3e7972e2f
name: ExploitGuardNetworkProtectionEvents
description: |
  Simple query to show the unique network connections that were audited or blocked by ExploitGuard.
  For more questions on this query, feel free to ping @FlyingBlueMonki on twitter or [email protected] via email.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  DeviceEvents
  | where Timestamp > ago(7d)
  | where ActionType =~ "ExploitGuardNetworkProtectionBlocked"
  | summarize count_RemoteUrl = count() by InitiatingProcessFileName, RemoteUrl, Audit_Only=tostring(parse_json(AdditionalFields).IsAudit)
  | sort by count_RemoteUrl desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
Scenario: System Update via Windows Update
Description: A legitimate Windows Update process may trigger network connections audited or blocked by ExploitGuard during the update process.
Filter/Exclusion: process.name: "wuauclt.exe" or process.name: "svchost.exe" with process.parent.name: "svchost.exe" and process.command_line containing "Windows Update"
Scenario: Scheduled Job Running Antivirus Scan
Description: A scheduled antivirus scan (e.g., Microsoft Defender) may result in network connections being audited or blocked by ExploitGuard.
Filter/Exclusion: process.name: "MsMpEng.exe" or process.name: "mpsvc.exe" with process.parent.name: "taskeng.exe"
Scenario: Admin Task Using PowerShell for Network Configuration
Description: An administrator may use PowerShell to configure network settings (e.g., netsh or ipconfig) which could trigger ExploitGuard network audit events.
Filter/Exclusion: process.name: "powershell.exe" with process.command_line: "netsh" or "ipconfig"
Scenario: Remote Desktop Protocol (RDP) Connection
Description: A legitimate RDP connection to a server may result in network connections being logged by ExploitGuard.
Filter/Exclusion: process.name: "mstsc.exe" or process.name: "rdpclip.exe" with process.parent.name: "explorer.exe"
Scenario: Network Discovery by System Center Configuration Manager (SCCM)
Description: SCCM agents may perform network discovery tasks that result in ExploitGuard audit events.
Filter/Exclusion: process.name: "ccmexec.exe" or process.name: "smsexec.exe" with process.parent.name: "svchost.exe"
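The scenarios above are written in a generic process.name / process.parent.name notation. The following is an added example, not part of the original hunting query, that folds those exclusions into the KQL against the DeviceEvents schema. It assumes the DeviceEvents columns InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine and DeviceId, and keeps the child/parent pairs in a datatable so the allowlist can be reviewed and extended in one place rather than scattered across where clauses.

```kql
// Added example: the original hunt with the benign scenarios expressed as
// explicit exclusions. Column names are assumed from the DeviceEvents schema.
// Child/parent process pairs that the scenarios above treat as benign.
// Stored lowercase so the join below is case-insensitive.
let benign_parent_pairs = datatable(proc:string, parent:string)
[
    "msmpeng.exe", "taskeng.exe",   // scheduled Defender scan
    "mpsvc.exe",   "taskeng.exe",
    "mstsc.exe",   "explorer.exe",  // interactive RDP session
    "rdpclip.exe", "explorer.exe",
    "ccmexec.exe", "svchost.exe",   // SCCM agent network discovery
    "smsexec.exe", "svchost.exe"
];
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType =~ "ExploitGuardNetworkProtectionBlocked"
| extend Audit_Only = tostring(parse_json(AdditionalFields).IsAudit)
| extend proc = tolower(InitiatingProcessFileName),
         parent = tolower(InitiatingProcessParentFileName)
// Scenario: Windows Update client, or the update service host under svchost
| where proc != "wuauclt.exe"
| where not(proc == "svchost.exe"
            and parent == "svchost.exe"
            and InitiatingProcessCommandLine has "Windows Update")
// Scenario: administrator running netsh / ipconfig from PowerShell
| where not(proc == "powershell.exe"
            and InitiatingProcessCommandLine has_any ("netsh", "ipconfig"))
// Remaining scenarios: drop rows whose child/parent pair is in the allowlist
| join kind=leftanti benign_parent_pairs on proc, parent
// Same summary as the original query, plus how many devices produced each pair
| summarize count_RemoteUrl = count(), Devices = dcount(DeviceId)
    by InitiatingProcessFileName, RemoteUrl, Audit_Only
| sort by count_RemoteUrl desc
```

The leftanti join removes only rows whose exact child/parent pair appears in the allowlist, so a renamed binary or an unexpected parent (for example mstsc.exe launched by something other than explorer.exe) still surfaces. The added Devices column helps triage: a RemoteUrl hit from one device is a different investigation from the same hit across the fleet, and Audit_Only separates policy tuning noise from enforced blocks.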