WINDOWS 10 CONTROLLED FOLDER ACCESS EVENT SEARCH

Published May 05 2021 05:54 AM 4,516 Views
Microsoft

WDCFA.gif

 

Dear IT Pros,

Ransomware acts with accessing to the files, folders and encrypting  them, to respond against it, we need to enable the Windows Defender feature named “Controlled Folder Access” – WDCFA and monitor the Windows Defender Guard Events in Windows Event Viewer. The best way is possibly collecting the related activities by Advanced Hunting features of Microsoft 365 Security or Defender for Endpoint.

Could we search for Event ID by running the advanced hunting query or not?

We will discuss the above topic today.

 

To View or change the list of protected folders

You can use the Windows Security app to view the list of folders that are protected by controlled folder access.

  1. On your Windows 10 device, open the Windows Security app.
  2. Select Virus & threat protection.
  3. Under Ransomware protection, select Manage ransomware protection.TanTran_0-1620219914755.png

     

  4. If controlled folder access is turned off, you'll need to turn it on. Select protected folders.
  5. Do one of the following steps:
    • To add a folder, select + Add a protected folder.
    • To remove a folder, select it, and then select Remove.

 Note

Windows system folders are protected by default, and you cannot remove them from the list.

 

To Enable Controlled Folder Access by powershell command:

> Set-MpPreference -EnableControlledFolderAccess EnabledTanTran_0-1620222298712.png

 

  • If you want to add a file or folder to be protected:

Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Users\abcUser\OneDrive - Microsoft"

TanTran_1-1620222298718.png

  • To remove a protected folder:

         > Remove-MpPreference -ControlledFolderAccessProtectedFolders "C:\Users\abcUser\OneDrive - Microsoft"

TanTran_2-1620222298734.png

  • If you want to add a specific app that you trust to access your files and folders, type this command:

          > Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"

 

  • If you want to remove a specific app, type this command and indicate its location at the end: 

          > Remove-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"

 

Review controlled folder access events in Windows Event Viewer

The following table shows events related to controlled folder access:

Event ID

Description

5007

Event when settings are changed

1124

Audited controlled folder access event

1123

Blocked controlled folder access event

You can review the Windows event log and look for events which were created when controlled folder access of Windows Defender had blocked (or reported in audit mode) an app 's activity of accessing to the related folders, steps to follow:

  1. Download the Evaluation Package and extract the file cfa-events.xml to an easily accessible location on the device.

 Content of cfa-events.xml is shown in the following lines:

TanTran_0-1620215105355.png

 

  1. Type Event viewer in the Start menu to open the Windows Event Viewer.
  2. On the left panel, under Actions, select Import custom view....
  3. Navigate to where you extracted cfa-events.xml and select it. Alternatively, copy the XML directly.
  4. Select OK.

TanTran_1-1620215105376.png

 

Review controlled folder access events in the Microsoft 365 Security.

M365 Security portal, advanced hunting provides detailed information of Windows Defender events as part of its alert investigation scenarios.

You can query Microsoft 365 Security data by using Advanced hunting. For Controlled Folder Access, if you are enable it audit mode, you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.

To query Controlled Folder Access Events by Powershell, :

 

 

 

 

DeviceEvents
| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')

 

 

 

 

Advanced Hunting for Controlled Folder Access Events:

 

Query Table

   

WDAC- Windows Defender Application Control

DeviceEvents

| where Timestamp > ago(7d) and ActionType startswith "AppControl"

| summarize Machines=dcount(DeviceName) by ActionType

| order by Machines desc

Monthly report on Vulnerability

DeviceTvmSoftwareInventoryVulnerabilities 

| project  DeviceName, SoftwareName, CveId, SoftwareVersion, VulnerabilitySeverityLevel

| join (DeviceTvmSoftwareVulnerabilitiesKB

| project AffectedSoftware, VulnerabilityDescription , CveId , CvssScore , IsExploitAvailable

           )

                on CveId

| project CveId , SoftwareName , SoftwareVersion , VulnerabilityDescription , VulnerabilitySeverityLevel, IsExploitAvailable , CvssScore

| distinct SoftwareName , SoftwareVersion, CveId, VulnerabilityDescription , VulnerabilitySeverityLevel, IsExploitAvailable 

| sort by SoftwareName asc , SoftwareVersion

WD-ASR Event

DeviceEvents

| where ActionType == "AsrOfficeChildProcessAudited" and Timestamp > minTime

| project BlockedProcess=FileName, ParentProcess=InitiatingProcessFileName, DeviceName, Timestamp

WD-CFA Controlled Folder Access Event

DeviceEvents

| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')

 

 

  • We could not query by Event ID.

Until today, the built-in Defender for Endpoint sensor does not allow raw ETW access using Advanced Hunting nor forwards them.

  • In Event Viewer, using XML to filter events related to Windows 10 Defender Guard,

the Event IDs are listed in the following Event Table:

 

Feature

Provider/source

Event ID

Description

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

1

ACG audit

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

2

ACG enforce

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

3

Do not allow child processes audit

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

4

Do not allow child processes block

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

5

Block low integrity images audit

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

6

Block low integrity images block

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

7

Block remote images audit

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

8

Block remote images block

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

9

Disable win32k system calls audit

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

10

Disable win32k system calls block

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

11

Code integrity guard audit

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

12

Code integrity guard block

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

13

EAF audit

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

14

EAF enforce

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

15

EAF+ audit

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

16

EAF+ enforce

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

17

IAF audit

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

18

IAF enforce

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

19

ROP StackPivot audit

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

20

ROP StackPivot enforce

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

21

ROP CallerCheck audit

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

22

ROP CallerCheck enforce

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

23

ROP SimExec audit

Exploit protection

Security-Mitigations (Kernel Mode/User Mode)

24

ROP SimExec enforce

Exploit protection

WER-Diagnostics

5

CFG Block

Exploit protection

Win32K (Operational)

260

Untrusted Font

Network protection

Windows Defender (Operational)

5007

Event when settings are changed

Network protection

Windows Defender (Operational)

1125

Event when Network protection fires in Audit-mode

Network protection

Windows Defender (Operational)

1126

Event when Network protection fires in Block-mode

Attack surface reduction

Windows Defender (Operational)

5007

Event when settings are changed

Attack surface reduction

Windows Defender (Operational)

1122

Event when rule fires in Audit-mode

Attack surface reduction

Windows Defender (Operational)

1121

Event when rule fires in Block-mode

  • You could run the queries by using Microsoft 365 Security or Microsoft Defender for Endpoint.

TanTran_1-1620219230681.png

 

 

I hope the information is useful, see you next time.

Reference:

Co-Authors
Version history
Last update:
‎May 05 2021 10:53 AM
Updated by: