Users may be bypassing SmartScreen application block warnings to execute potentially malicious files, indicating possible adversary evasion tactics. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware execution attempts that bypass built-in application control mechanisms.
KQL Query

```kql
let minTimeRange = ago(7d);
let smartscreenAppBlocks =
DeviceEvents
| where ActionType == "SmartScreenAppWarning" and Timestamp > minTimeRange
// Filter out SmartScreen test files downloaded from https://demo.smartscreen.msft.net/
and not (FileName startswith "knownmalicious" and FileName endswith ".exe")
| extend ParsedFields=parse_json(AdditionalFields)
| project Timestamp, DeviceName, BlockedFileName=FileName, SHA1, Experience=tostring(ParsedFields.Experience), ActivityId=tostring(ParsedFields.ActivityId), InitiatingProcessFileName;
// Query for UserDecision events - each one means the user has decided to ignore the warning and run the app.
let userIgnoredWarning=
DeviceEvents
| where ActionType == "SmartScreenUserOverride" and Timestamp > minTimeRange
| project DeviceName, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string));
// Join the block and user decision event using an ActivityId
let ignoredBlocks =
smartscreenAppBlocks
| join kind=leftsemi (userIgnoredWarning) on DeviceName, ActivityId
| project-away ActivityId;
ignoredBlocks
// Select only blocks on "Malicious" files.
// To hunt over Unknown/Untrusted files, remove the following where clause, but then you might want to join with additional signals.
| where Experience == "Malicious"
```
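To make the join semantics concrete, the following is an added Python re-implementation of the query's correlation logic run over constructed sample rows (example code, not part of the original hunting query or the Sentinel repository). The device names, ActivityId values, timestamps and file names are made up, and only the DeviceEvents columns the query uses are modelled.

```python
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

def _ev(action, device, activity, file="invoice.exe", experience=None, age=timedelta(hours=1)):
    """Build one constructed DeviceEvents-like row (sample data, not real telemetry)."""
    fields = {"ActivityId": activity, **({"Experience": experience} if experience else {})}
    return {"Timestamp": NOW - age, "DeviceName": device, "ActionType": action, "FileName": file,
            "SHA1": "0" * 40, "InitiatingProcessFileName": "explorer.exe",
            "AdditionalFields": json.dumps(fields)}

# Constructed sample telemetry covering the cases the query has to separate.
SAMPLE_EVENTS = [
    _ev("SmartScreenAppWarning", "ws01", "A1", experience="Malicious"),  # warned ...
    _ev("SmartScreenUserOverride", "ws01", "A1"),                        # ... then overridden -> hit
    _ev("SmartScreenAppWarning", "ws02", "A2", experience="Malicious"),  # warned, never overridden
    _ev("SmartScreenUserOverride", "ws03", "A2"),                        # same ActivityId, other device
    _ev("SmartScreenAppWarning", "ws01", "A3", file="knownmalicious.exe", experience="Malicious"),
    _ev("SmartScreenUserOverride", "ws01", "A3"),                        # demo-site test file, excluded
    _ev("SmartScreenAppWarning", "ws04", "A4", experience="Unknown"),    # overridden, but not Malicious
    _ev("SmartScreenUserOverride", "ws04", "A4"),
    _ev("SmartScreenAppWarning", "ws05", "A5", experience="Malicious", age=timedelta(days=8)),
    _ev("SmartScreenUserOverride", "ws05", "A5", age=timedelta(days=8)),  # outside the 7-day window
]

def find_ignored_blocks(events, now=NOW, lookback=timedelta(days=7), experience="Malicious"):
    """Warnings semi-joined to overrides on (DeviceName, ActivityId); experience=None hunts all reputations."""
    min_time = now - lookback
    overrides = set()
    for e in events:
        if e["ActionType"] == "SmartScreenUserOverride" and e["Timestamp"] > min_time:
            overrides.add((e["DeviceName"], json.loads(e["AdditionalFields"]).get("ActivityId")))
    hits = []
    for e in events:
        if e["ActionType"] != "SmartScreenAppWarning" or e["Timestamp"] <= min_time:
            continue
        name = e["FileName"]
        if name.startswith("knownmalicious") and name.endswith(".exe"):
            continue  # SmartScreen demo-site test file
        fields = json.loads(e["AdditionalFields"])
        if (e["DeviceName"], fields.get("ActivityId")) not in overrides:
            continue  # kind=leftsemi: keep a warning only if the same device overrode it
        if experience is not None and fields.get("Experience") != experience:
            continue  # the query's final where clause
        hits.append({"Timestamp": e["Timestamp"], "DeviceName": e["DeviceName"], "BlockedFileName": name,
                     "SHA1": e["SHA1"], "Experience": fields.get("Experience"),
                     "InitiatingProcessFileName": e["InitiatingProcessFileName"]})
    return hits
```

Running it over the sample shows why the join key includes DeviceName: the override on ws03 does not turn the ws02 warning into a finding, while dropping the Experience filter surfaces the overridden Unknown file on ws04.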
```yaml
id: 333ad16e-620b-4f36-af3b-da33f8d16cc2
name: SmartScreen app block ignored by user
description: |
  Query for SmartScreen application blocks on files with "Malicious" reputation, where the user has decided to run the malware nonetheless.
  Read more about SmartScreen here: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.
  Data availability: These events are available only on Windows 10 version 1703 and onwards.
  Tags: #SmartScreen.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  let minTimeRange = ago(7d);
  let smartscreenAppBlocks =
  DeviceEvents
  | where ActionType == "SmartScreenAppWarning" and Timestamp > minTimeRange
  // Filter out SmartScreen test files downloaded from https://demo.smartscreen.msft.net/
  and not (FileName startswith "knownmalicious" and FileName endswith ".exe")
  | extend ParsedFields=parse_json(AdditionalFields)
  | project Timestamp, DeviceName, BlockedFileName=FileName, SHA1, Experience=tostring(ParsedFields.Experience), ActivityId=tostring(ParsedFields.ActivityId), InitiatingProcessFileName;
  // Query for UserDecision events - each one means the user has decided to ignore the warning and run the app.
  let userIgnoredWarning=
  DeviceEvents
  | where ActionType == "SmartScreenUserOverride" and Timestamp > minTimeRange
  | project DeviceName, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string));
  // Join the block and user decision event using an ActivityId
  let ignoredBlocks =
  smartscreenAppBlocks
  | join kind=leftsemi (userIgnoredWarning) on DeviceName, ActivityId
  | project-away ActivityId;
  ignoredBlocks
  // Select only blocks on "Malicious" files.
  // To hunt over Unknown/Untrusted files, remove the following where clause, but then you might want to join with additional signals.
  | where Experience == "Malicious"
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
- Scenario: User bypasses SmartScreen block during file download using Windows Defender’s “Allow” option.
  Filter/Exclusion: Check for ProcessCommandLine containing /allow or use ProcessBehavior to identify manual override actions.
- Scenario: System administrators use Windows Defender’s “Allow” feature to bypass SmartScreen for known trusted files during software deployment.
  Filter/Exclusion: Filter by ProcessName containing msedge.exe or WindowsDefender and check for CommandLine with /allow or /trusted.
- Scenario: A scheduled job or automation tool (e.g., PowerShell script or SCCM task) downloads and executes a file that triggers SmartScreen, but the user has already allowed it.
  Filter/Exclusion: Use ProcessParent to identify parent processes like schtasks.exe or taskhost.exe and exclude known automation tools.
- Scenario: A legitimate enterprise application (e.g., Microsoft Office, Adobe Acrobat) is installed via a trusted source, but SmartScreen flags it due to a false positive.
  Filter/Exclusion: Filter by ProcessName matching known enterprise apps or use FileHash to match known trusted files.
- Scenario: A user manually allows a file through SmartScreen during a test or demo, and the system logs the block as a false positive.
  Filter/Exclusion: Use ProcessCommandLine to detect /allow or check for UserAction indicating manual override in the event log.