WDAC Recommended Block List
MDE WDAC Block List
Query
let wdacblock = (externaldata(lolbin: string)
[@"https://raw.githubusercontent.com/alexverboon/Hunting-Queries-Detection-Rules/main/ExternalData/wdacblockrules.txt"]
with (format="txt", ignoreFirstRecord=true));
DeviceProcessEvents
| where FileName in (wdacblock) or InitiatingProcessFileName in (wdacblock)About this query
WDAC Recommended Block List
Query Information
Description
Use the below query to identify processes that are on Microsoft's recommended WDAC block list
References
Microsoft 365 Defender
Identify processes that are on the WDAC recommended block list
Another approach shared by Kim Oppalfens let wdacblock = (externaldata(lolbin: string) [@"https://raw.githubusercontent.com/MicrosoftDocs/windows-itpro-docs/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md"] with (format="txt", ignoreFirstRecord=true)); wdacblock | where lolbin has '<Deny ID="ID_DENY_' | extend lolbinxml = parse_xml(lolbin)
Explanation
This query is used to identify processes that are on Microsoft's recommended WDAC (Windows Defender Application Control) block list. It retrieves a list of processes from an external data source and then filters the DeviceProcessEvents table to find processes whose FileName or InitiatingProcessFileName match the processes in the block list.
Details

Alex Verboon
Released: June 4, 2023
Tables
Keywords
Operators