Query Details

WDAC Recommended Block List

MDE WDAC Block List

Query

let wdacblock = (externaldata(lolbin: string)
    [@"https://raw.githubusercontent.com/alexverboon/Hunting-Queries-Detection-Rules/main/ExternalData/wdacblockrules.txt"] 
    with (format="txt", ignoreFirstRecord=true));
DeviceProcessEvents 
| where FileName in (wdacblock) or InitiatingProcessFileName in (wdacblock)

About this query

WDAC Recommended Block List

Query Information

Description

Use the below query to identify processes that are on Microsoft's recommended WDAC block list

References

Microsoft 365 Defender

Identify processes that are on the WDAC recommended block list

Another approach shared by Kim Oppalfens let wdacblock = (externaldata(lolbin: string) [@"https://raw.githubusercontent.com/MicrosoftDocs/windows-itpro-docs/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md"] with (format="txt", ignoreFirstRecord=true)); wdacblock | where lolbin has '<Deny ID="ID_DENY_' | extend lolbinxml = parse_xml(lolbin)

Explanation

This query is used to identify processes that are on Microsoft's recommended WDAC (Windows Defender Application Control) block list. It retrieves a list of processes from an external data source and then filters the DeviceProcessEvents table to find processes whose FileName or InitiatingProcessFileName match the processes in the block list.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 4, 2023

Tables

DeviceProcessEventswdacblock

Keywords

DevicesIntuneUser

Operators

letexternaldatawithformatignoreFirstRecordDeviceProcessEventswhereinorFileNameInitiatingProcessFileNameextendparse_xml

Actions

GitHub