MDE WDAC Block List

Query

# WDAC Recommended Block List

## Query Information

### Description

Use the query below to identify processes that are on Microsoft's recommended WDAC block list.

#### References

- [WDAC block list](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)

### Microsoft 365 Defender

Identify processes that are on the WDAC recommended block list.

```kql
// Load the list of block-listed binaries (one file name per line) from the
// repository's ExternalData folder; the first line is a header and is skipped.
let wdacblock = (externaldata(lolbin: string)
    [@"https://raw.githubusercontent.com/alexverboon/Hunting-Queries-Detection-Rules/main/ExternalData/wdacblockrules.txt"]
    with (format="txt", ignoreFirstRecord=true));
// Match either the executed file or its parent process against the list.
DeviceProcessEvents
| where FileName in (wdacblock) or InitiatingProcessFileName in (wdacblock)
```

Another approach shared by [Kim Oppalfens](https://twitter.com/TheWMIGuy) reads the block rules straight from the Microsoft Docs source of the page referenced above:

```kql
// Read the raw markdown of Microsoft's recommended block rules page line by line.
let wdacblock = (externaldata(lolbin: string)
    [@"https://raw.githubusercontent.com/MicrosoftDocs/windows-itpro-docs/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md"]
    with (format="txt", ignoreFirstRecord=true));
wdacblock
// Keep only the <Deny ...> rule elements and parse each one as XML so the
// rule attributes (ID, FriendlyName, FileName, ...) become addressable fields.
| where lolbin has '<Deny ID="ID_DENY_'
| extend lolbinxml = parse_xml(lolbin)
```

Explanation

This query is used to identify processes that are on Microsoft's recommended WDAC (Windows Defender Application Control) block list. It retrieves a list of processes from an external data source and then filters the DeviceProcessEvents table to find processes whose FileName or InitiatingProcessFileName match the processes in the block list.
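As an added example that is not part of the original page or the author's repository, the second approach above can be carried through to a detection: the `FileName` attribute of each parsed `<Deny>` rule is extracted and matched case-insensitively against process events (the published rules spell file names in upper case, so a case-sensitive `in` would miss most hits), and rules that identify a binary by hash rather than by file name are dropped. `Timestamp`, `DeviceName` and `FolderPath` are standard `DeviceProcessEvents` columns; the `@FileName` attribute path assumes the markdown's `<Deny>` elements carry a `FileName` attribute, which is how the referenced page presents them.

```kql
// Added example (not from the original page): parse Microsoft's published block
// rules and surface executions of the listed binaries.
let wdacblock = (externaldata(lolbin: string)
    [@"https://raw.githubusercontent.com/MicrosoftDocs/windows-itpro-docs/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md"]
    with (format="txt", ignoreFirstRecord=true));
let blockedFiles = wdacblock
| where lolbin has '<Deny ID="ID_DENY_'
| extend lolbinxml = parse_xml(lolbin)
// parse_xml exposes XML attributes as "@name" keys under the element name.
| extend BlockedFileName = tostring(lolbinxml.Deny["@FileName"])
// Some Deny rules reference a hash instead of a file name; those yield an empty
// FileName and cannot be matched on process name, so they are excluded here.
| where isnotempty(BlockedFileName)
| distinct BlockedFileName;
DeviceProcessEvents
// in~ is case-insensitive: the rules use upper-case names, telemetry does not.
| where FileName in~ (blockedFiles) or InitiatingProcessFileName in~ (blockedFiles)
| summarize Executions = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, FileName, InitiatingProcessFileName, FolderPath
| order by Executions desc
```

Deny rules that carry a `MinimumFileVersion` block every version of the binary, so a hit here means the block list applies regardless of the installed version; review `FolderPath` to distinguish the expected system copy from a binary dropped elsewhere.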

Details

Alex Verboon

Released: June 4, 2023

Tables

DeviceProcessEvents, wdacblock

Keywords

Devices, Intune, User

Operators

let, externaldata, with, format, ignoreFirstRecord, DeviceProcessEvents, where, in, or, FileName, InitiatingProcessFileName, extend, parse_xml