Red Team Codex
  • Welcome to Red Team Codex (RTC)
  • Posts
    • Red Teaming
      • Initial Foothold Reconnaissance
  • Active Directory Enumeration
    • Overview
    • Domain Enumeration
      • Domain Name
      • Domain Forest Trusts
      • Password Policy
    • Computer Enumeration
      • Domain Controllers
    • User Enumeration
    • Group Enumeration
    • AppLocker Enumeration
  • Payload Development
    • VBA Macros and the Windows API
      • Windows Defender
  • AV / EDR
    • Windows Advanced Threat Protection (ATP)
  • Remote Process Injection
    • CreateRemoteThread()
    • QueueUserAPC()
    • QueueUserAPC() + NtTestAlert()
    • SetWindowsHookEx()
    • SetThreadContext()
    • Process Hollowing
  • My Config Files
    • Windows Terminal
    • Tmux Configuration
    • .bashrc and PS1 Environment
Powered by GitBook
On this page
  • Identifying ATP
  • Identifying Attack Surface Reduction (ASR) Rules

Was this helpful?

  1. AV / EDR

Windows Advanced Threat Protection (ATP)

A collection of notes on Windows ATP deployments.

Identifying ATP

One of the first things we want to do is actually detect if Windows ATP is running on the machine we are operating from. Below is a list of things we can check for.

  • Process

    • MsSense.exe

  • Service

    • Display Name: Windows Defender Advanced Threat Protection Service

    • Name: Sense

  • Registry

    • HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

  • File Paths

    • C:\Program Files\Windows Defender Advanced Threat Protection\

C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection /s
PS C:\> Get-Service Sense

C:\> sc query sense
C:\> tasklist | findstr /i mssense.exe

Identifying Attack Surface Reduction (ASR) Rules

A really cool feature of ATP is the addition of Attack Surface Reduction Rules. These are a collection of 15 rules which can be seen on the Microsoft Website. In short these rules are as follows:

Rule name

GUID

File & folder exclusions

Minimum OS supported

BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550

Supported

D4F940AB-401B-4EFC-AADC-AD5F3C50688A

Supported

3B576869-A4EC-4529-8536-B80A7769E899

Supported

75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84

Supported

D3E037E1-3EB8-44C8-A917-57927947596D

Not supported

5BEB7EFE-FD9A-4556-801D-275E5FFC04CC

Supported

92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

Supported

01443614-cd74-433a-b99e-2ecdc07bfc25

Supported

c1db55ab-c21a-4637-bb3f-a12568109d35

Supported

9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

Supported

d1e49aac-8f56-4280-b9ba-993a6d77406c

Supported

b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

Supported

26190899-1602-49e8-8b27-eb1d0a1ce869

Supported

7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

Supported

e6db77e5-3df2-4cf1-b95a-636979351e5b

Not supported

As an operator we can check the existence of these rules to further understand the targets deployment of ASR.

Registry Path

Registry String Value

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\

ASRRules

The contents of that String value may look like so:

01443614-cd74-433a-b99e-2ecdc07bfc25=2|
3b576869-a4ec-4529-8536-b80a7769e899=1|
5beb7efe-fd9a-4556-801d-275e5ffc04cc=2|
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84=1|
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b=2|
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2=2|
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4=2|
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550=2|
c1db55ab-c21a-4637-bb3f-a12568109d35=1|
d3e037e1-3eb8-44c8-a917-57927947596d=1|
d4f940ab-401b-4efc-aadc-ad5f3c50688a=2

It is immediately obvious these GUID values correspond to the GUID values shown above in the ASR Rule table. The values are as follows:

  • 0 = Off

  • 1 = Block

  • 2 = Audit

PreviousWindows DefenderNextCreateRemoteThread()

Last updated 4 years ago

Was this helpful?

(RS3, build 16299) or greater

(RS3, build 16299) or greater

(RS3, build 16299) or greater

(RS3, build 16299) or greater

(RS3, build 16299) or greater

(RS3, build 16299) or greater

(RS3, build 16299) or greater

(RS3, build 16299) or greater

(RS3, build 16299) or greater

(RS3, build 16299) or greater

(RS3, build 16299) or greater

(RS3, build 16299) or greater

(RS3, build 16299) or greater

(RS3, build 16299) or greater

(build 18362) or greater

For example in this configuration above, the GUID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b is set to 2 which means that policy: "" is set to "Audit". Alerts will be raised within the ATP console when an Office macro attempts to call a Win32API.

Block Win32 API calls from Office macros
Block executable content from email client and webmail
Windows 10, version 1709
Block all Office applications from creating child processes
Windows 10, version 1709
Block Office applications from creating executable content
Windows 10, version 1709
Block Office applications from injecting code into other processes
Windows 10, version 1709
Block JavaScript or VBScript from launching downloaded executable content
Windows 10, version 1709
Block execution of potentially obfuscated scripts
Windows 10, version 1709
Block Win32 API calls from Office macros
Windows 10, version 1709
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Windows 10, version 1709
Use advanced protection against ransomware
Windows 10, version 1709
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Windows 10, version 1709
Block process creations originating from PSExec and WMI commands
Windows 10, version 1709
Block untrusted and unsigned processes that run from USB
Windows 10, version 1709
Block Office communication application from creating child processes
Windows 10, version 1709
Block Adobe Reader from creating child processes
Windows 10, version 1709
Block persistence through WMI event subscription
Windows 10, version 1903
LogoUse attack surface reduction rules to prevent malware infectiondocsmsft