
(47) WDAC - Microsoft Recommended Block Rules

  • Writer: Mr B SOE way
  • Mar 31, 2023
  • 1 min read

The following should be done:

1. Open Advanced hunting in the Microsoft 365 Defender portal (https://security.microsoft.com) and start a new query.

2. In the "new query" section, enter the following:


The "FileName" values are taken from Microsoft's "Microsoft recommended block rules" list. When Microsoft updates that list, add the new ".exe" (or ".dll") names to the query. Two things to watch when copying from the list: the superscript footnote markers next to bginfo.exe and msbuild.exe are not part of the file name (so 'bginfo.exe1' and 'msbuild.exe2' would never match), and KQL's plain "in" is case-sensitive, so use "in~" to match MSBuild.exe as well as msbuild.exe. The ".dll" entries never start a process and therefore will not show up in DeviceProcessEvents; to hunt for those, run the same filter against DeviceImageLoadEvents.

DeviceProcessEvents
| where FileName in~ (
    'addinprocess.exe', 'addinprocess32.exe', 'addinutil.exe', 'aspnet_compiler.exe', 'bash.exe', 'bginfo.exe',
    'cdb.exe', 'cscript.exe', 'csi.exe', 'dbghost.exe', 'dbgsvc.exe', 'dnx.exe', 'dotnet.exe', 'fsi.exe',
    'fsiAnyCpu.exe', 'infdefaultinstall.exe', 'kd.exe', 'kill.exe', 'lxssmanager.dll', 'lxrun.exe',
    'Microsoft.Build.dll', 'Microsoft.Build.Framework.dll', 'Microsoft.Workflow.Compiler.exe', 'msbuild.exe',
    'msbuild.dll', 'mshta.exe', 'ntkd.exe', 'ntsd.exe', 'powershellcustomhost.exe', 'rcsi.exe',
    'runscripthelper.exe', 'texttransform.exe', 'visualuiaverifynative.exe', 'system.management.automation.dll',
    'webclnt.dll', 'davsvc.dll', 'wfc.exe', 'windbg.exe', 'wmic.exe', 'wscript.exe', 'wsl.exe',
    'wslconfig.exe', 'wslhost.exe'
)


3. Select "Run query".

4. The matching process events are then listed under "Results".

5. Once the query has run and you have reviewed what it returns, select "Create detection rule".

6. Fill in the details listed. Ensure that your "Device groups" have been set up at https://security.microsoft.com/preferences2/machine_groups

7. Once saved, your rule will look something like this.

8. The rule will then raise alerts in Defender whenever a matching process event is recorded.
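Keeping the file-name list in step with Microsoft's updates by hand is where the footnote-number and casing mistakes creep in. The script below is an added example (not code from the original post) that reads the Deny rules out of a WDAC policy XML, emits the DeviceProcessEvents query from step 2 with "in~", puts the .dll entries into a separate DeviceImageLoadEvents query, and then runs the same case-insensitive match over a few constructed process events. The policy excerpt and the event rows are constructed for the example and are not the full published policy or real telemetry.

```python
"""Build the Advanced hunting queries from a WDAC policy XML and check them offline.

Added example, not from the original post. SAMPLE_POLICY_XML is a constructed
excerpt in the shape of Microsoft's recommended block rules policy (Deny rules
carrying a FileName attribute); it is not the full published file.
"""
import xml.etree.ElementTree as ET

# Constructed excerpt: a handful of Deny rules plus one hash-only rule, which has no FileName.
SAMPLE_POLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <FileRules>
    <Deny ID="ID_DENY_ADDINPROCESS" FriendlyName="addinprocess.exe" FileName="ADDINPROCESS.EXE" MinimumFileVersion="65535.65535.65535.65535"/>
    <Deny ID="ID_DENY_BGINFO" FriendlyName="bginfo.exe" FileName="BGINFO.Exe" MinimumFileVersion="4.22.0.0"/>
    <Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
    <Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion="65535.65535.65535.65535"/>
    <Deny ID="ID_DENY_SMA_DLL" FriendlyName="System.Management.Automation.dll" FileName="System.Management.Automation.dll" MinimumFileVersion="65535.65535.65535.65535"/>
    <Deny ID="ID_DENY_LXSS" FriendlyName="lxssmanager.dll" FileName="LxssManager.dll" MinimumFileVersion="65535.65535.65535.65535"/>
    <Deny ID="ID_DENY_HASH_1" FriendlyName="constructed hash-only rule" Hash="0123456789ABCDEF"/>
  </FileRules>
</SiPolicy>
"""

# Constructed DeviceProcessEvents rows (not real telemetry). Note the casing of MSBuild.exe and BGInfo.exe.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "MSBuild.exe", "InitiatingProcessFileName": "cmd.exe"},
    {"DeviceName": "ws01", "FileName": "notepad.exe", "InitiatingProcessFileName": "explorer.exe"},
    {"DeviceName": "ws02", "FileName": "mshta.exe", "InitiatingProcessFileName": "winword.exe"},
    {"DeviceName": "ws02", "FileName": "BGInfo.exe", "InitiatingProcessFileName": "cmd.exe"},
]

NS = {"sip": "urn:schemas-microsoft-com:sipolicy"}


def deny_file_names(policy_xml):
    """Return the distinct FileName values of every Deny rule, in document order.

    Hash-only Deny rules have no FileName attribute and are skipped; duplicates
    that differ only in case are collapsed to the first spelling seen.
    """
    root = ET.fromstring(policy_xml)
    names = []
    for deny in root.findall(".//sip:FileRules/sip:Deny", NS):
        name = deny.get("FileName")
        if name and name.lower() not in {n.lower() for n in names}:
            names.append(name)
    return names


def kql_list(values):
    """Render a Python list of strings as the quoted, comma-separated list KQL expects."""
    return ", ".join("'%s'" % v for v in values)


def build_hunting_queries(names):
    """Return one KQL query per table.

    Executables start processes, so they go to DeviceProcessEvents; DLLs are only
    ever seen as image loads, so they go to DeviceImageLoadEvents. in~ makes the
    match case-insensitive, which matters because the policy spells names like
    MSBuild.Exe while the list on the page uses lowercase.
    """
    exes = sorted({n.lower() for n in names if n.lower().endswith(".exe")})
    dlls = sorted({n.lower() for n in names if n.lower().endswith(".dll")})
    return {
        "DeviceProcessEvents": "DeviceProcessEvents\n| where FileName in~ (%s)" % kql_list(exes),
        "DeviceImageLoadEvents": "DeviceImageLoadEvents\n| where FileName in~ (%s)" % kql_list(dlls),
    }


def flagged_events(names, events):
    """Offline stand-in for `where FileName in~ (...)`: exact, case-insensitive match."""
    wanted = {n.lower() for n in names}
    return [e for e in events if e["FileName"].lower() in wanted]


if __name__ == "__main__":
    names = deny_file_names(SAMPLE_POLICY_XML)
    for table, query in build_hunting_queries(names).items():
        print(query, end="\n\n")
    for event in flagged_events(names, SAMPLE_EVENTS):
        print("ALERT", event["DeviceName"], event["FileName"], "spawned by", event["InitiatingProcessFileName"])
```

Point the script at the real policy file downloaded from Microsoft instead of SAMPLE_POLICY_XML and paste the printed DeviceProcessEvents query into step 2; the generated list can never contain a stray footnote digit because it is read from the FileName attribute rather than from the rendered web page.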
