Comment on page
Windows Advanced Threat Protection (ATP)
A collection of notes on Windows ATP deployments.
One of the first things we want to do is actually detect if Windows ATP is running on the machine we are operating from. Below is a list of things we can check for.
- Display Name:
Windows Defender Advanced Threat Protection Service
HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
- File Paths
C:\Program Files\Windows Defender Advanced Threat Protection\
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection /s
PS C:\> Get-Service Sense
C:\> sc query sense
C:\> tasklist | findstr /i mssense.exe
A really cool feature of ATP is the addition of Attack Surface Reduction Rules. These are a collection of 15 rules which can be seen on the Microsoft Website. In short these rules are as follows:
As an operator we can check the existence of these rules to further understand the targets deployment of ASR.
The contents of that String value may look like so:
It is immediately obvious these GUID values correspond to the GUID values shown above in the ASR Rule table. The values are as follows:
- 0 = Off
- 1 = Block
- 2 = Audit
For example in this configuration above, the GUID
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7bis set to
2which means that policy: "Block Win32 API calls from Office macros" is set to "Audit". Alerts will be raised within the ATP console when an Office macro attempts to call a Win32API.