
Windows Advanced Threat Protection (ATP)

A collection of notes on Windows ATP deployments.

Identifying ATP

One of the first things we want to do is actually detect if Windows ATP is running on the machine we are operating from. Below is a list of things we can check for.
  • Process
    • MsSense.exe
  • Service
    • Display Name: Windows Defender Advanced Threat Protection Service
    • Name: Sense
  • Registry
    • HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
  • File Paths
    • C:\Program Files\Windows Defender Advanced Threat Protection\
Registry:
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection /s
Service:
PS C:\> Get-Service Sense
C:\> sc query sense
Processes:
C:\> tasklist | findstr /i mssense.exe

Identifying Attack Surface Reduction (ASR) Rules

A really cool feature of ATP is the addition of Attack Surface Reduction Rules. These are a collection of 15 rules which can be seen on the Microsoft Website. In short these rules are as follows:
| Rule name | GUID | File & folder exclusions | Minimum OS supported |
|---|---|---|---|
| | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported | Windows 10, version 1903 (build 18362) or greater |
As an operator we can check the existence of these rules to further understand the target's deployment of ASR.
| Registry Path | Registry String Value |
|---|---|
| HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ | ASRRules |
The contents of that String value may look like so:
01443614-cd74-433a-b99e-2ecdc07bfc25=2|
3b576869-a4ec-4529-8536-b80a7769e899=1|
5beb7efe-fd9a-4556-801d-275e5ffc04cc=2|
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84=1|
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b=2|
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2=2|
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4=2|
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550=2|
c1db55ab-c21a-4637-bb3f-a12568109d35=1|
d3e037e1-3eb8-44c8-a917-57927947596d=1|
d4f940ab-401b-4efc-aadc-ad5f3c50688a=2
It is immediately obvious that these GUID values correspond to the GUID values shown above in the ASR Rule table. The numeric state after each GUID means:
  • 0 = Off
  • 1 = Block
  • 2 = Audit
For example, in the configuration above the GUID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b is set to 2, which means that the policy "Block Win32 API calls from Office macros" is set to "Audit". Alerts will be raised within the ATP console when an Office macro attempts to call a Win32 API.
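To turn that string into something reviewable, here is an added example (my code, not from the original notes) that parses an ASRRules value into Off/Block/Audit groups and also lists which of the 15 table GUIDs are absent from the policy, i.e. not configured at all. The sample string is the page's own value joined onto one line; the only rule name it knows is the one the page gives.

```python
"""Parse the ASRRules policy string into a per-state summary (added example)."""

# State codes as documented on the page: 0 = Off, 1 = Block, 2 = Audit.
ASR_STATES = {0: "Off", 1: "Block", 2: "Audit"}

# The 15 rule GUIDs from the ASR rule table above, lower-cased for comparison.
KNOWN_RULE_GUIDS = {
    "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550", "d4f940ab-401b-4efc-aadc-ad5f3c50688a",
    "3b576869-a4ec-4529-8536-b80a7769e899", "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84",
    "d3e037e1-3eb8-44c8-a917-57927947596d", "5beb7efe-fd9a-4556-801d-275e5ffc04cc",
    "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b", "01443614-cd74-433a-b99e-2ecdc07bfc25",
    "c1db55ab-c21a-4637-bb3f-a12568109d35", "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2",
    "d1e49aac-8f56-4280-b9ba-993a6d77406c", "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4",
    "26190899-1602-49e8-8b27-eb1d0a1ce869", "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c",
    "e6db77e5-3df2-4cf1-b95a-636979351e5b",
}

# Constructed sample: the ASRRules string shown on the page, as one line.
SAMPLE_ASRRULES = (
    "01443614-cd74-433a-b99e-2ecdc07bfc25=2|3b576869-a4ec-4529-8536-b80a7769e899=1|"
    "5beb7efe-fd9a-4556-801d-275e5ffc04cc=2|75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84=1|"
    "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b=2|9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2=2|"
    "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4=2|be9ba2d9-53ea-4cdc-84e5-9b1eeee46550=2|"
    "c1db55ab-c21a-4637-bb3f-a12568109d35=1|d3e037e1-3eb8-44c8-a917-57927947596d=1|"
    "d4f940ab-401b-4efc-aadc-ad5f3c50688a=2"
)

def parse_asr_rules(value):
    """Turn 'guid=state|guid=state|...' into {guid: state}; reject malformed entries."""
    rules = {}
    for entry in value.split("|"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing separator
        guid, sep, state = entry.partition("=")
        if not sep or not state.strip().isdigit():
            raise ValueError(f"malformed ASR entry: {entry!r}")
        rules[guid.strip().lower()] = int(state)  # GUID case varies between writers
    return rules

def summarize(rules):
    """Group configured GUIDs by state label, plus table GUIDs absent from the policy."""
    report = {label: sorted(g for g, s in rules.items() if s == code)
              for code, label in ASR_STATES.items()}
    report["Not configured"] = sorted(KNOWN_RULE_GUIDS - rules.keys())
    return report

if __name__ == "__main__":
    for label, guids in summarize(parse_asr_rules(SAMPLE_ASRRULES)).items():
        print(f"{label}: {len(guids)}", *guids, sep="\n  ")
```

On a live host, feed it the string returned by the reg query of the Policy Manager path above instead of the sample; a GUID in "Not configured" or "Audit" is a rule that will not block anything.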