Windows Advanced Threat Protection (ATP)
A collection of notes on Windows ATP deployments.
Identifying ATP
One of the first things we want to do is actually detect if Windows ATP is running on the machine we are operating from. Below is a list of things we can check for.
Process
MsSense.exe
Service
Display Name:
Windows Defender Advanced Threat Protection Service
Name:
Sense
Registry
HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
File Paths
C:\Program Files\Windows Defender Advanced Threat Protection\
Identifying Attack Surface Reduction (ASR) Rules
A really cool feature of ATP is the addition of Attack Surface Reduction Rules. These are a collection of 15 rules which can be seen on the Microsoft Website. In short these rules are as follows:
Rule name | GUID | File & folder exclusions | Minimum OS supported |
| Supported | Windows 10, version 1709 (RS3, build 16299) or greater | |
| Supported | Windows 10, version 1709 (RS3, build 16299) or greater | |
| Supported | Windows 10, version 1709 (RS3, build 16299) or greater | |
| Supported | Windows 10, version 1709 (RS3, build 16299) or greater | |
| Not supported | Windows 10, version 1709 (RS3, build 16299) or greater | |
| Supported | Windows 10, version 1709 (RS3, build 16299) or greater | |
| Supported | Windows 10, version 1709 (RS3, build 16299) or greater | |
| Supported | Windows 10, version 1709 (RS3, build 16299) or greater | |
| Supported | Windows 10, version 1709 (RS3, build 16299) or greater | |
| Supported | Windows 10, version 1709 (RS3, build 16299) or greater | |
| Supported | Windows 10, version 1709 (RS3, build 16299) or greater | |
| Supported | Windows 10, version 1709 (RS3, build 16299) or greater | |
| Supported | Windows 10, version 1709 (RS3, build 16299) or greater | |
| Supported | Windows 10, version 1709 (RS3, build 16299) or greater | |
| Not supported | Windows 10, version 1903 (build 18362) or greater |
As an operator we can check the existence of these rules to further understand the targets deployment of ASR.
Registry Path | Registry String Value |
|
|
The contents of that String value may look like so:
It is immediately obvious these GUID values correspond to the GUID values shown above in the ASR Rule table. The values are as follows:
0 = Off
1 = Block
2 = Audit
For example in this configuration above, the GUID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
is set to 2
which means that policy: "Block Win32 API calls from Office macros" is set to "Audit". Alerts will be raised within the ATP console when an Office macro attempts to call a Win32API.
Last updated