@_g0dmode Github Linkedin

Windows Advanced Threat Protection (ATP)

A collection of notes on Windows ATP deployments.

Identifying ATP

One of the first things we want to do is actually detect if Windows ATP is running on the machine we are operating from. Below is a list of things we can check for.

  • Process

    • MsSense.exe

  • Service

    • Display Name: Windows Defender Advanced Threat Protection Service

    • Name: Sense

  • Registry

    • HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

  • File Paths

    • C:\Program Files\Windows Defender Advanced Threat Protection\

C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection /s

Identifying Attack Surface Reduction (ASR) Rules

A really cool feature of ATP is the addition of Attack Surface Reduction Rules. These are a collection of 15 rules which can be seen on the Microsoft Website. In short these rules are as follows:

Rule name

GUID

File & folder exclusions

Minimum OS supported

Block executable content from email client and webmail

BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550

Supported

Windows 10, version 1709 (RS3, build 16299) or greater

Block all Office applications from creating child processes

D4F940AB-401B-4EFC-AADC-AD5F3C50688A

Supported

Windows 10, version 1709 (RS3, build 16299) or greater

Block Office applications from creating executable content

3B576869-A4EC-4529-8536-B80A7769E899

Supported

Windows 10, version 1709 (RS3, build 16299) or greater

Block Office applications from injecting code into other processes

75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84

Supported

Windows 10, version 1709 (RS3, build 16299) or greater

Block JavaScript or VBScript from launching downloaded executable content

D3E037E1-3EB8-44C8-A917-57927947596D

Not supported

Windows 10, version 1709 (RS3, build 16299) or greater

Block execution of potentially obfuscated scripts

5BEB7EFE-FD9A-4556-801D-275E5FFC04CC

Supported

Windows 10, version 1709 (RS3, build 16299) or greater

Block Win32 API calls from Office macros

92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

Supported

Windows 10, version 1709 (RS3, build 16299) or greater

Block executable files from running unless they meet a prevalence, age, or trusted list criterion

01443614-cd74-433a-b99e-2ecdc07bfc25

Supported

Windows 10, version 1709 (RS3, build 16299) or greater

Use advanced protection against ransomware

c1db55ab-c21a-4637-bb3f-a12568109d35

Supported

Windows 10, version 1709 (RS3, build 16299) or greater

Block credential stealing from the Windows local security authority subsystem (lsass.exe)

9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

Supported

Windows 10, version 1709 (RS3, build 16299) or greater

Block process creations originating from PSExec and WMI commands

d1e49aac-8f56-4280-b9ba-993a6d77406c

Supported

Windows 10, version 1709 (RS3, build 16299) or greater

Block untrusted and unsigned processes that run from USB

b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

Supported

Windows 10, version 1709 (RS3, build 16299) or greater

Block Office communication application from creating child processes

26190899-1602-49e8-8b27-eb1d0a1ce869

Supported

Windows 10, version 1709 (RS3, build 16299) or greater

Block Adobe Reader from creating child processes

7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

Supported

Windows 10, version 1709 (RS3, build 16299) or greater

Block persistence through WMI event subscription

e6db77e5-3df2-4cf1-b95a-636979351e5b

Not supported

Windows 10, version 1903 (build 18362) or greater

As an operator we can check the existence of these rules to further understand the targets deployment of ASR.

Registry Path

Registry String Value

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\

ASRRules

The contents of that String value may look like so:

01443614-cd74-433a-b99e-2ecdc07bfc25=2|
3b576869-a4ec-4529-8536-b80a7769e899=1|
5beb7efe-fd9a-4556-801d-275e5ffc04cc=2|
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84=1|
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b=2|
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2=2|
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4=2|
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550=2|
c1db55ab-c21a-4637-bb3f-a12568109d35=1|
d3e037e1-3eb8-44c8-a917-57927947596d=1|
d4f940ab-401b-4efc-aadc-ad5f3c50688a=2

It is immediately obvious these GUID values correspond to the GUID values shown above in the ASR Rule table. The values are as follows:

  • 0 = Off

  • 1 = Block

  • 2 = Audit

For example in this configuration above, the GUID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b is set to 2 which means that policy: "Block Win32 API calls from Office macros" is set to "Audit". Alerts will be raised within the ATP console when an Office macro attempts to call a Win32API.

PreviousWindows DefenderNextCreateRemoteThread()

Last updated