Identifying ATP

One of the first things we want to do is actually detect if Windows ATP is running on the machine we are operating from. Below is a list of things we can check for.

• Process

  • MsSense.exe

• Service

  • Display Name: Windows Defender Advanced Threat Protection Service

  • Name: Sense

• Registry

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

• File Paths

  • C:\Program Files\Windows Defender Advanced Threat Protection\

C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection /s

PS C:\> Get-Service Sense

C:\> sc query sense

C:\> tasklist | findstr /i mssense.exe

Identifying Attack Surface Reduction (ASR) Rules

A really cool feature of ATP is the addition of Attack Surface Reduction Rules. These are a collection of 15 rules which can be seen on the Microsoft Website. In short these rules are as follows:

As an operator we can check the existence of these rules to further understand the targets deployment of ASR.

The contents of that String value may look like so:

01443614-cd74-433a-b99e-2ecdc07bfc25=2|
3b576869-a4ec-4529-8536-b80a7769e899=1|
5beb7efe-fd9a-4556-801d-275e5ffc04cc=2|
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84=1|
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b=2|
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2=2|
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4=2|
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550=2|
c1db55ab-c21a-4637-bb3f-a12568109d35=1|
d3e037e1-3eb8-44c8-a917-57927947596d=1|
d4f940ab-401b-4efc-aadc-ad5f3c50688a=2

It is immediately obvious these GUID values correspond to the GUID values shown above in the ASR Rule table. The values are as follows:

• 0 = Off

• 1 = Block

• 2 = Audit

For example in this configuration above, the GUID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b is set to 2 which means that policy: "Block Win32 API calls from Office macros" is set to "Audit". Alerts will be raised within the ATP console when an Office macro attempts to call a Win32API.