Windows Advanced Threat Protection (ATP)

A collection of notes on Windows ATP deployments.

Identifying ATP
One of the first things we want to do is actually detect if Windows ATP is running on the machine we are operating from. Below is a list of things we can check for.
Process
MsSense.exe
Service
Display Name: Windows Defender Advanced Threat Protection Service
Name: Sense
Registry
HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
File Paths
C:\Program Files\Windows Defender Advanced Threat Protection\
Registry
Service
Processes
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection /s
PS C:\> Get-Service Sense
​
C:\> sc query sense
C:\> tasklist | findstr /i mssense.exe
Identifying Attack Surface Reduction (ASR) Rules
A really cool feature of ATP is the addition of Attack Surface Reduction Rules. These are a collection of 15 rules which can be seen on the Microsoft Website. In short these rules are as follows:
Rule name
GUID
File & folder exclusions
Minimum OS supported
​Block executable content from email client and webmail​
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Supported
​Windows 10, version 1709 (RS3, build 16299) or greater
​Block all Office applications from creating child processes​
D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Supported
​Windows 10, version 1709 (RS3, build 16299) or greater
​Block Office applications from creating executable content​
3B576869-A4EC-4529-8536-B80A7769E899
Supported
​Windows 10, version 1709 (RS3, build 16299) or greater
​Block Office applications from injecting code into other processes​
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Supported
​Windows 10, version 1709 (RS3, build 16299) or greater
​Block JavaScript or VBScript from launching downloaded executable content​
D3E037E1-3EB8-44C8-A917-57927947596D
Not supported
​Windows 10, version 1709 (RS3, build 16299) or greater
​Block execution of potentially obfuscated scripts​
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Supported
​Windows 10, version 1709 (RS3, build 16299) or greater
​Block Win32 API calls from Office macros​
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Supported
​Windows 10, version 1709 (RS3, build 16299) or greater
​Block executable files from running unless they meet a prevalence, age, or trusted list criterion​
01443614-cd74-433a-b99e-2ecdc07bfc25
Supported
​Windows 10, version 1709 (RS3, build 16299) or greater
​Use advanced protection against ransomware​
c1db55ab-c21a-4637-bb3f-a12568109d35
Supported
​Windows 10, version 1709 (RS3, build 16299) or greater
​Block credential stealing from the Windows local security authority subsystem (lsass.exe)​
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Supported
​Windows 10, version 1709 (RS3, build 16299) or greater
​Block process creations originating from PSExec and WMI commands​
d1e49aac-8f56-4280-b9ba-993a6d77406c
Supported
​Windows 10, version 1709 (RS3, build 16299) or greater
​Block untrusted and unsigned processes that run from USB​
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Supported
​Windows 10, version 1709 (RS3, build 16299) or greater
​Block Office communication application from creating child processes​
26190899-1602-49e8-8b27-eb1d0a1ce869
Supported
​Windows 10, version 1709 (RS3, build 16299) or greater
​Block Adobe Reader from creating child processes​
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Supported
​Windows 10, version 1709 (RS3, build 16299) or greater
​Block persistence through WMI event subscription​
e6db77e5-3df2-4cf1-b95a-636979351e5b
Not supported
​Windows 10, version 1903 (build 18362) or greater
As an operator we can check the existence of these rules to further understand the targets deployment of ASR.   
Registry Path
Registry String Value
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\
ASRRules
The contents of that String value may look like so:
01443614-cd74-433a-b99e-2ecdc07bfc25=2|
3b576869-a4ec-4529-8536-b80a7769e899=1|
5beb7efe-fd9a-4556-801d-275e5ffc04cc=2|
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84=1|
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b=2|
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2=2|
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4=2|
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550=2|
c1db55ab-c21a-4637-bb3f-a12568109d35=1|
d3e037e1-3eb8-44c8-a917-57927947596d=1|
d4f940ab-401b-4efc-aadc-ad5f3c50688a=2
It is immediately obvious these GUID values correspond to the GUID values shown above in the ASR Rule table. The values are as follows:
0 = Off
1 = Block
2 = Audit
For example in this configuration above, the GUID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b is set to 2 which means that policy: "Block Win32 API calls from Office macros" is set to "Audit". Alerts will be raised within the ATP console when an Office macro attempts to call a Win32API.
​
Use attack surface reduction rules to prevent malware infection
docsmsft

Windows Defender

Next - Remote Process Injection

CreateRemoteThread()

Last modified 2yr ago

Rule name	GUID	File & folder exclusions	Minimum OS supported
Block executable content from email client and webmail	`BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`	Supported	Windows 10, version 1709 (RS3, build 16299) or greater
Block all Office applications from creating child processes	`D4F940AB-401B-4EFC-AADC-AD5F3C50688A`	Supported	Windows 10, version 1709 (RS3, build 16299) or greater
Block Office applications from creating executable content	`3B576869-A4EC-4529-8536-B80A7769E899`	Supported	Windows 10, version 1709 (RS3, build 16299) or greater
Block Office applications from injecting code into other processes	`75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`	Supported	Windows 10, version 1709 (RS3, build 16299) or greater
Block JavaScript or VBScript from launching downloaded executable content	`D3E037E1-3EB8-44C8-A917-57927947596D`	Not supported	Windows 10, version 1709 (RS3, build 16299) or greater
Block execution of potentially obfuscated scripts	`5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`	Supported	Windows 10, version 1709 (RS3, build 16299) or greater
Block Win32 API calls from Office macros	`92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`	Supported	Windows 10, version 1709 (RS3, build 16299) or greater
Block executable files from running unless they meet a prevalence, age, or trusted list criterion	`01443614-cd74-433a-b99e-2ecdc07bfc25`	Supported	Windows 10, version 1709 (RS3, build 16299) or greater
Use advanced protection against ransomware	`c1db55ab-c21a-4637-bb3f-a12568109d35`	Supported	Windows 10, version 1709 (RS3, build 16299) or greater
Block credential stealing from the Windows local security authority subsystem (lsass.exe)	`9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`	Supported	Windows 10, version 1709 (RS3, build 16299) or greater
Block process creations originating from PSExec and WMI commands	`d1e49aac-8f56-4280-b9ba-993a6d77406c`	Supported	Windows 10, version 1709 (RS3, build 16299) or greater
Block untrusted and unsigned processes that run from USB	`b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`	Supported	Windows 10, version 1709 (RS3, build 16299) or greater
Block Office communication application from creating child processes	`26190899-1602-49e8-8b27-eb1d0a1ce869`	Supported	Windows 10, version 1709 (RS3, build 16299) or greater
Block Adobe Reader from creating child processes	`7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`	Supported	Windows 10, version 1709 (RS3, build 16299) or greater
Block persistence through WMI event subscription	`e6db77e5-3df2-4cf1-b95a-636979351e5b`	Not supported	Windows 10, version 1903 (build 18362) or greater

Registry Path	Registry String Value
`HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\`	`ASRRules`