Windows Advanced Threat Protection (ATP)
A collection of notes on Windows ATP deployments.
Identifying ATP
One of the first things we want to do is actually detect if Windows ATP is running on the machine we are operating from. Below is a list of things we can check for.
Process
MsSense.exe
Service
Display Name:
Windows Defender Advanced Threat Protection Service
Name:
Sense
Registry
HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
File Paths
C:\Program Files\Windows Defender Advanced Threat Protection\
Identifying Attack Surface Reduction (ASR) Rules
A really cool feature of ATP is the addition of Attack Surface Reduction Rules. These are a collection of 15 rules which can be seen on the Microsoft Website. In short these rules are as follows:
Rule name
GUID
File & folder exclusions
Minimum OS supported
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Supported
D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Supported
3B576869-A4EC-4529-8536-B80A7769E899
Supported
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Supported
D3E037E1-3EB8-44C8-A917-57927947596D
Not supported
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Supported
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Supported
01443614-cd74-433a-b99e-2ecdc07bfc25
Supported
c1db55ab-c21a-4637-bb3f-a12568109d35
Supported
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Supported
d1e49aac-8f56-4280-b9ba-993a6d77406c
Supported
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Supported
26190899-1602-49e8-8b27-eb1d0a1ce869
Supported
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Supported
e6db77e5-3df2-4cf1-b95a-636979351e5b
Not supported
As an operator we can check the existence of these rules to further understand the targets deployment of ASR.
Registry Path
Registry String Value
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\
ASRRules
The contents of that String value may look like so:
It is immediately obvious these GUID values correspond to the GUID values shown above in the ASR Rule table. The values are as follows:
0 = Off
1 = Block
2 = Audit
Last updated
Was this helpful?