Windows 10 Controlled Folder Access Event Search

Dear IT Pros,

Ransomware works by accessing files and folders and encrypting them. To respond to it, we need to enable the Windows Defender feature named “Controlled Folder Access” (WDCFA) and monitor the Windows Defender Guard events in Windows Event Viewer. The best way is possibly to collect the related activities with the Advanced Hunting feature of Microsoft 365 Security or Defender for Endpoint.

Can we search for an Event ID by running an advanced hunting query, or not?

We will discuss the above topic today.

To view or change the list of protected folders

You can use the Windows Security app to view the list of folders that are protected by controlled folder access.

  1. On your Windows 10 device, open the Windows Security app.
  2. Select Virus & threat protection.
  3. Under Ransomware protection, select Manage ransomware protection.
  4. If controlled folder access is turned off, you'll need to turn it on. Select Protected folders.
  5. Do one of the following steps:
    • To add a folder, select + Add a protected folder.
    • To remove a folder, select it, and then select Remove.

 Note

Windows system folders are protected by default, and you cannot remove them from the list.

To enable Controlled Folder Access with a PowerShell command:

> Set-MpPreference -EnableControlledFolderAccess Enabled

  • If you want to add a folder to be protected:

          > Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Users\abcUser\OneDrive - Microsoft"

  • To remove a protected folder:

          > Remove-MpPreference -ControlledFolderAccessProtectedFolders "C:\Users\abcUser\OneDrive - Microsoft"

  • If you want to add a specific app that you trust to access your files and folders, type this command:

          > Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"

  • If you want to remove a specific app, type this command and indicate its location at the end:

          > Remove-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
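A check for the procedure above, added here as an example and not part of the original post: it decodes the EnableControlledFolderAccess value that Get-MpPreference returns, lists the protected folders and allowed applications, and adds a folder only when it is not already on the list. The Finance folder path and the helper function names are assumptions.

```powershell
# Added example (not from the original post): verify the Controlled Folder
# Access state and list the protected folders and allowed apps after changing
# them with Set-MpPreference, Add-MpPreference and Remove-MpPreference.
# Assumes Microsoft Defender Antivirus is the active AV; run from an elevated shell.

# Numeric values Get-MpPreference returns for EnableControlledFolderAccess.
$CfaStateNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

function Get-CfaStatus {
    $pref  = Get-MpPreference
    $state = [int]$pref.EnableControlledFolderAccess
    $name  = if ($CfaStateNames.ContainsKey($state)) { $CfaStateNames[$state] } else { "Unknown($state)" }
    [pscustomobject]@{
        State            = $name
        ProtectedFolders = @($pref.ControlledFolderAccessProtectedFolders)
        AllowedApps      = @($pref.ControlledFolderAccessAllowedApplications)
    }
}

# Add-MpPreference is additive, so check first and keep the change idempotent.
function Add-CfaProtectedFolder {
    param([Parameter(Mandatory)][string]$Path)
    $current = @((Get-MpPreference).ControlledFolderAccessProtectedFolders)
    if ($current -contains $Path) {
        Write-Verbose "$Path is already protected"
        return
    }
    Add-MpPreference -ControlledFolderAccessProtectedFolders $Path
}

# Roll out in audit mode first: 1124 events show what would have been blocked
# without interrupting users; switch to Enabled once the allowed-app list is complete.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-CfaProtectedFolder -Path "$env:USERPROFILE\Documents\Finance"   # hypothetical folder
Get-CfaStatus | Format-List
```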

Review controlled folder access events in Windows Event Viewer

The following table shows events related to controlled folder access:

Event ID | Description
5007 | Event when settings are changed
1124 | Audited controlled folder access event
1123 | Blocked controlled folder access event

You can review the Windows event log for the events that were created when Windows Defender controlled folder access blocked (or, in audit mode, reported) an app's attempt to access the protected folders. Steps to follow:

  1. Download the Evaluation Package and extract the file cfa-events.xml to an easily accessible location on the device. The content of cfa-events.xml is shown in the following figure:

[Figure: content of cfa-events.xml]

  2. Type Event viewer in the Start menu to open the Windows Event Viewer.
  3. On the left panel, under Actions, select Import custom view….
  4. Navigate to where you extracted cfa-events.xml and select it. Alternatively, copy the XML directly.
  5. Select OK.
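The same three event IDs pulled with Get-WinEvent instead of the Event Viewer custom view, as an added example that is not the post's cfa-events.xml: the XPath filter below is constructed for this example, and the 'Path' and 'Process Name' field names are assumed from the event message text, so every EventData field is kept as well.

```powershell
# Added example (not from the original post): read Controlled Folder Access
# events from the Defender Operational log with Get-WinEvent, using the same
# XPath filter an Event Viewer custom view such as cfa-events.xml applies.
# Assumes Microsoft Defender Antivirus on Windows 10+; run from an elevated shell.

$CfaFilterXml = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">
      *[System[(EventID=1123 or EventID=1124 or EventID=5007)]]
    </Select>
  </Query>
</QueryList>
"@

# Meaning of the three IDs, as in the post's event table.
$CfaEventNames = @{ 1123 = 'Blocked'; 1124 = 'Audited'; 5007 = 'SettingsChanged' }

function Get-CfaEvent {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterXml $CfaFilterXml -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Keep every <Data Name="..."> element, so nothing depends on
            # guessing the field names of a particular event version.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Type    = $CfaEventNames[$_.Id]
                # 'Path' and 'Process Name' are assumed from the 1123/1124 message text.
                Path    = $data['Path']
                Process = $data['Process Name']
                Fields  = $data
            }
        }
}

# Triage view: events per day and type, then the processes that tripped the
# protection most often (candidates for the allowed-application list, or for
# investigation if they are not expected to write to protected folders).
$events = Get-CfaEvent
$events | Group-Object { $_.Time.Date.ToString('yyyy-MM-dd') }, Type |
    Select-Object Name, Count | Format-Table -AutoSize
$events | Where-Object { $_.Id -in 1123, 1124 } |
    Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```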

Review controlled folder access events in Microsoft 365 Security

In the Microsoft 365 Security portal, advanced hunting provides detailed information about Windows Defender events as part of its alert investigation scenarios.

You can query Microsoft 365 Security data by using advanced hunting. For Controlled Folder Access, if you enable it in audit mode, you can use advanced hunting to see how the controlled folder access settings would affect your environment if they were enabled.

To query Controlled Folder Access events in advanced hunting:

DeviceEvents
| where ActionType in ('ControlledFolderAccessViolationAudited', 'ControlledFolderAccessViolationBlocked')

Advanced Hunting for Controlled Folder Access Events

Query: WDAC - Windows Defender Application Control

DeviceEvents
| where Timestamp > ago(7d) and ActionType startswith "AppControl"
| summarize Machines=dcount(DeviceName) by ActionType
| order by Machines desc

Query: Monthly report on vulnerabilities

DeviceTvmSoftwareInventoryVulnerabilities
| project DeviceName, SoftwareName, CveId, SoftwareVersion, VulnerabilitySeverityLevel
| join (DeviceTvmSoftwareVulnerabilitiesKB
    | project AffectedSoftware, VulnerabilityDescription, CveId, CvssScore, IsExploitAvailable
  ) on CveId
| project CveId, SoftwareName, SoftwareVersion, VulnerabilityDescription, VulnerabilitySeverityLevel, IsExploitAvailable, CvssScore
| distinct SoftwareName, SoftwareVersion, CveId, VulnerabilityDescription, VulnerabilitySeverityLevel, IsExploitAvailable
| sort by SoftwareName asc, SoftwareVersion

Query: WD-ASR event

let minTime = ago(7d);   // minTime was not defined in the original query; 7 days is the lookback used here
DeviceEvents
| where ActionType == "AsrOfficeChildProcessAudited" and Timestamp > minTime
| project BlockedProcess=FileName, ParentProcess=InitiatingProcessFileName, DeviceName, Timestamp

Query: WD-CFA Controlled Folder Access event

DeviceEvents
| where ActionType in ('ControlledFolderAccessViolationAudited', 'ControlledFolderAccessViolationBlocked')
  • We could not query by Event ID.

As of today, the built-in Defender for Endpoint sensor neither exposes raw ETW events in advanced hunting nor forwards them.

  • In Event Viewer, you can use XML to filter the events related to Windows 10 Defender Guard; the Event IDs are listed in the following event table:

Feature | Provider/source | Event ID | Description
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 2 | ACG enforce
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 4 | Do not allow child processes block
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 6 | Block low integrity images block
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 8 | Block remote images block
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 10 | Disable win32k system calls block
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 12 | Code integrity guard block
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 13 | EAF audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 14 | EAF enforce
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 15 | EAF+ audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 16 | EAF+ enforce
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 17 | IAF audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 18 | IAF enforce
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 19 | ROP StackPivot audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 20 | ROP StackPivot enforce
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 21 | ROP CallerCheck audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 22 | ROP CallerCheck enforce
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 23 | ROP SimExec audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 24 | ROP SimExec enforce
Exploit protection | WER-Diagnostics | 5 | CFG Block
Exploit protection | Win32K (Operational) | 260 | Untrusted Font
Network protection | Windows Defender (Operational) | 5007 | Event when settings are changed
Network protection | Windows Defender (Operational) | 1125 | Event when protection fires in Audit-mode
Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode
Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed
Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode
  • You can run the queries by using Microsoft 365 Security or Microsoft Defender for Endpoint.

I hope the information is useful, see you next time.


This article was originally published by Microsoft’s System Center Blog. You can find the original article here.