ExploitGuardStats surfaces potential adversary activity by summarizing ExploitGuard block events per rule (event count and distinct machines), so that unusual patterns, which may indicate attempts to bypass endpoint protections, stand out. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover stealthy attacks that evade traditional detection mechanisms.
KQL Query

```kusto
DeviceEvents
| where ActionType startswith "ExploitGuard" and ActionType endswith "Blocked"
// Count total stats - count events and machines per rule
| summarize EventCount=count(), MachinesCount=dcount(DeviceName) by ActionType
```
```yaml
id: e76703a0-21f4-4c20-8d4b-92e1768cf240
name: ExploitGuardStats
description: |
  Get stats on ExploitGuard blocks - count events and machines per rule.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  DeviceEvents
  | where ActionType startswith "ExploitGuard" and ActionType endswith "Blocked"
  // Count total stats - count events and machines per rule
  | summarize EventCount=count(), MachinesCount=dcount(DeviceName) by ActionType
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a system maintenance script that temporarily triggers ExploitGuard blocks due to unexpected behavior or registry changes.
Filter/Exclusion: Exclude events where the source is a known system maintenance task (e.g., Task Scheduler or TaskName like SystemMaintenance).
Scenario: Windows Update or Patch Deployment
Description: Windows Update or a third-party patching tool (e.g., Microsoft Endpoint Manager, SCCM) may trigger ExploitGuard blocks during installation due to changes in system files or registry.
Filter/Exclusion: Exclude events where the source is a known patching tool (e.g., Microsoft Endpoint Manager, SCCM, or WindowsUpdate) or where the event is associated with a known update process.
Scenario: Security Software Compatibility Check
Description: A security tool (e.g., Bitdefender, Kaspersky) may perform a compatibility check with ExploitGuard, causing temporary blocks or alerts.
Filter/Exclusion: Exclude events where the source is known security software (e.g., Bitdefender, Kaspersky, Malwarebytes) or where the event is associated with a compatibility scan.
Scenario: Administrative Script or PowerShell Job
Description: An administrative script or PowerShell job (e.g., PowerShell.exe or Task Scheduler) may trigger ExploitGuard blocks due to elevated privileges or system configuration changes.
Filter/Exclusion: Exclude events where the source is a known administrative tool (e.g., PowerShell.exe, Task Scheduler, or Administrative Tools) or where the process is initiated by a trusted admin account.
Scenario: ExploitGuard Policy Enforcement
Description: ExploitGuard itself may generate alerts
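As an added example, not part of the original hunting query, the following KQL applies the kinds of exclusions described in the scenarios above and then compares each rule's last-day block volume against a 30-day baseline, so that a rule that is newly firing or spiking is what the hunter reviews first. Column names are from the DeviceEvents advanced hunting schema; the account and process lists are assumed placeholders to be tuned per environment.

```kusto
let lookback = 30d;
// Assumed placeholders: trusted admin accounts and known maintenance/patching/security binaries
let trustedAdmins = dynamic(["svc-patching", "it-admin"]);
let knownTools = dynamic(["ccmexec.exe", "msiexec.exe", "bdservicehost.exe", "mbamservice.exe"]);
let blocks = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "ExploitGuard" and ActionType endswith "Blocked"
// Scenario exclusions: known tools, the maintenance task name, trusted admin accounts
| where not(tolower(InitiatingProcessFileName) in (knownTools))
| where not(InitiatingProcessCommandLine has "SystemMaintenance")
| where not(tolower(InitiatingProcessAccountName) in (trustedAdmins));
// Baseline: average blocks per day over the 29 days preceding the last day
let baseline = blocks
| where Timestamp < ago(1d)
| summarize BaselineEventsPerDay = count() / 29.0, BaselineMachines = dcount(DeviceName) by ActionType;
blocks
| where Timestamp >= ago(1d)
| summarize EventCount = count(), MachinesCount = dcount(DeviceName),
            InitiatingProcesses = make_set(InitiatingProcessFileName, 10) by ActionType
| join kind=leftouter baseline on ActionType
| extend BaselineEventsPerDay = coalesce(BaselineEventsPerDay, 0.0)
// Null ratio means the rule did not fire at all during the baseline window
| extend Ratio = iff(BaselineEventsPerDay > 0, EventCount / BaselineEventsPerDay, real(null))
| where isnull(Ratio) or Ratio > 3.0   // new rule firing, or more than 3x the daily baseline
| project ActionType, EventCount, MachinesCount, BaselineEventsPerDay, Ratio, InitiatingProcesses
| order by EventCount desc
```

The 3x threshold and the 30-day window are starting points; widen the baseline or raise the threshold on fleets where patch cycles produce regular bursts.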