Event ID 1121 — Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-Defender, others)

Description

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.

Message #

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
 For more information please contact your IT administrator.
 	ID: %4
 	Detection time: %5
 	User: %6
 	Path: %7
 	Process Name: %8
 	Target Commandline: %12
 	Parent Commandline: %13
 	Involved File: %14
 	Inheritance Flags: %15
 	Security intelligence Version: %9
 	Engine Version: %10
 	Product Version: %2

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`ID` UnicodeString	—
`DetectionTime` UnicodeString	—
`User` UnicodeString	—
`Path` UnicodeString	—
`ProcessName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—
`RuleType` UnicodeString	—
`TargetCommandline` UnicodeString	—
`ParentCommandline` UnicodeString	—
`InvolvedFile` UnicodeString	—
`InhertianceFlags` UnicodeString	—

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

LSASS Access Detected via Attack Surface Reduction source high: Detects Access to LSASS Process
PSExec and WMI Process Creations Block source high: Detects blocking of process creations originating from PSExec and WMI commands

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1121 — Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.

Description

Message #

Fields #

Detection Rules #

Sigma # view in reference

Related Events #

References #