Windows Advanced Threat Protection (ATP)
A collection of notes on Windows ATP deployments.
One of the first things we want to do is detect whether Windows ATP (since renamed Microsoft Defender for Endpoint; the on-host components still carry the "Sense" name) is running on the machine we are operating from. Below is a list of things we can check for. Check more than one of them: a single indicator can be missing on a badly onboarded host, and a hit on any of them should be treated as "this box reports to a console".
- Process
  - MsSense.exe (the Sense service process; SenseIR.exe and SenseCncProxy.exe, started from the same directory, are also telltale)
- Service
  - Display Name: Windows Defender Advanced Threat Protection Service
  - Name: Sense
- Registry
  - HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
- File Paths
  - C:\Program Files\Windows Defender Advanced Threat Protection\
Registry (the key path contains spaces, so it has to be quoted)
C:\> reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /s
Service
PS C:\> Get-Service Sense
C:\> sc query sense
Processes
C:\> tasklist | findstr /i mssense.exe
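The one-liners above each answer one question. As an added example (not part of the original notes), the PowerShell function below rolls the same four checks into a single object and adds one more read that the notes do not list: the Status key the agent writes after a successful onboarding (OnboardingState = 1, from Microsoft's onboarding verification guidance). Run it on the Windows host being assessed; no elevation is needed for these reads. `Get-SenseIndicators` is a name chosen here, not a built-in cmdlet.

```powershell
# Added example: collect the Sense (Windows ATP / Defender for Endpoint) indicators
# from the notes above into one object. Get-SenseIndicators is not a built-in.

function Get-SenseIndicators {
    $r = [ordered]@{}

    # Process: MsSense.exe is the agent service process itself.
    $r.MsSenseRunning = [bool](Get-Process -Name MsSense -ErrorAction SilentlyContinue)

    # Service: short name "Sense", display name
    # "Windows Defender Advanced Threat Protection Service".
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $r.SenseService = if ($svc) { $svc.Status.ToString() } else { 'absent' }

    # Registry: policy key populated by the onboarding package (GPO, MDM or local script).
    $r.PolicyKey = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

    # Registry: status key written by the agent once onboarding completed
    # (OnboardingState = 1). Not in the notes above; taken from Microsoft's
    # "verify onboarding" guidance.
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                               -ErrorAction SilentlyContinue
    $r.OnboardingState = if ($null -ne $status) { $status.OnboardingState } else { 'absent' }

    # File path: install directory of the agent binaries.
    $r.InstallDir = Test-Path 'C:\Program Files\Windows Defender Advanced Threat Protection'

    # Verdict: a live process, a running service or a completed onboarding is enough
    # to assume the host is reporting to a console.
    $r.LikelyOnboarded = $r.MsSenseRunning -or
                         ($r.SenseService -eq 'Running') -or
                         ($r.OnboardingState -eq 1)

    [pscustomobject]$r
}

Get-SenseIndicators | Format-List
```

Treat `LikelyOnboarded = $false` with care: an agent whose service has been stopped or whose binaries were removed still leaves the policy key and install directory behind, and those are reported separately so the discrepancy is visible.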
A really useful feature that ships alongside ATP is Attack Surface Reduction (ASR) rules. Strictly they are enforced by Windows Defender Antivirus (as part of Exploit Guard) rather than by the Sense agent, so they can be active on a host that is not onboarded; when the host is onboarded, rule hits are forwarded to the ATP console. At the time of writing there were 15 rules, listed on the Microsoft website (more have been added since). In short these rules are as follows (only the rule referred to later on this page is named here):

Rule name | GUID | File & folder exclusions | Minimum OS supported
--- | --- | --- | ---
 | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported | 
 | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported | 
 | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported | 
 | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported | 
 | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported | 
 | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported | 
Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported | 
 | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported | 
 | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported | 
 | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported | 
 | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported | 
 | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported | 
 | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported | 
 | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported | 
 | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported | 
As an operator we can check for these rules in the registry to further understand the target's deployment of ASR.

Registry Path | Registry String Value
--- | ---
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ | ASRRules

That key is where MDM/Intune-delivered policy lands. Rules pushed by Group Policy are written instead as one value per GUID under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules, and the merged configuration Defender actually enforces lives under HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules (the same data Get-MpPreference reports in AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions). Check all three before concluding ASR is absent. The contents of the ASRRules string value may look like so:
01443614-cd74-433a-b99e-2ecdc07bfc25=2|
3b576869-a4ec-4529-8536-b80a7769e899=1|
5beb7efe-fd9a-4556-801d-275e5ffc04cc=2|
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84=1|
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b=2|
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2=2|
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4=2|
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550=2|
c1db55ab-c21a-4637-bb3f-a12568109d35=1|
d3e037e1-3eb8-44c8-a917-57927947596d=1|
d4f940ab-401b-4efc-aadc-ad5f3c50688a=2
These GUIDs are the ones from the ASR rule table above, and the number after each GUID is the mode the rule runs in:
- 0 = Off
- 1 = Block
- 2 = Audit
- 6 = Warn (added after these notes were written: the user sees a block dialog they are allowed to override)
For example, in the configuration above the GUID
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
is set to 2
which means the rule "Block Win32 API calls from Office macros" is in Audit mode. The macro's Win32 API call is allowed through, but Defender logs it (Event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log; 1121 is the Block-mode equivalent) and an alert is raised in the ATP console. From an operator's point of view Audit is nearly as bad as Block for staying quiet: the technique works, but the attempt is still reported.
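Reading the ASRRules string by eye works for eleven entries but not for a fleet, and it only shows what Intune delivered, not what is in force. As an added example (not part of the original notes), the PowerShell below decodes the string into GUID/mode pairs, falls back to the sample value printed above when the key is absent, then compares the result against the effective rule set reported by Get-MpPreference. `ConvertFrom-AsrRuleString` and `$ModeNames` are names chosen here, not built-ins; the mode values, including 6 for Warn, are those documented for AttackSurfaceReductionRules_Actions.

```powershell
# Added example: decode the ASRRules policy string (GUID=mode|GUID=mode|...) and
# compare it with the effective ASR configuration Defender reports.
# ConvertFrom-AsrRuleString and $ModeNames are not built-ins.

# Documented action values; 6 (Warn) post-dates the three listed in the notes above.
$ModeNames = @{ '0' = 'Off'; '1' = 'Block'; '2' = 'Audit'; '6' = 'Warn' }

function ConvertFrom-AsrRuleString {
    param([Parameter(Mandatory)][string]$RuleString)
    # GUID case varies by delivery channel, so normalise to lower case for comparison.
    # -match is case-insensitive, so the character class covers both cases.
    foreach ($pair in ($RuleString -split '\|')) {
        if ($pair -notmatch '^\s*([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s*=\s*(\d+)\s*$') { continue }
        [pscustomobject]@{
            Guid     = $Matches[1].ToLower()
            Mode     = [int]$Matches[2]
            ModeName = if ($ModeNames.ContainsKey($Matches[2])) { $ModeNames[$Matches[2]] } else { 'Unknown' }
        }
    }
}

# 1. Policy string as delivered by MDM/Intune (the key from the table above).
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
$raw = (Get-ItemProperty -Path $policyPath -Name ASRRules -ErrorAction SilentlyContinue).ASRRules

# Fall back to the sample value printed in the notes so the decoder can be exercised
# on a host without the key (or off-box).
if (-not $raw) {
    'No ASRRules value under Policy Manager; decoding the sample from the notes instead.'
    $raw = '01443614-cd74-433a-b99e-2ecdc07bfc25=2|3b576869-a4ec-4529-8536-b80a7769e899=1|' +
           '5beb7efe-fd9a-4556-801d-275e5ffc04cc=2|75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84=1|' +
           '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b=2|9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2=2|' +
           'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4=2|be9ba2d9-53ea-4cdc-84e5-9b1eeee46550=2|' +
           'c1db55ab-c21a-4637-bb3f-a12568109d35=1|d3e037e1-3eb8-44c8-a917-57927947596d=1|' +
           'd4f940ab-401b-4efc-aadc-ad5f3c50688a=2'
}
$policy = @(ConvertFrom-AsrRuleString $raw)
$policy | Sort-Object Guid | Format-Table -AutoSize

# 2. Effective configuration as Defender reports it. This is what actually fires,
#    whether the rules arrived via Intune, GPO or Set-MpPreference.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $effective = @(for ($i = 0; $i -lt $ids.Count; $i++) {
        $action = "$($actions[$i])"
        [pscustomobject]@{
            Guid     = $ids[$i].ToLower()
            Mode     = [int]$action
            ModeName = if ($ModeNames.ContainsKey($action)) { $ModeNames[$action] } else { 'Unknown' }
        }
    })
    if ($effective.Count -eq 0) {
        'Get-MpPreference reports no ASR rules in effect (every rule is Off).'
    } else {
        $effective | Sort-Object Guid | Format-Table -AutoSize
        # Entries present on one side only, or with differing modes, point at a
        # delivery problem or a second policy source overriding the first.
        Compare-Object -ReferenceObject $policy -DifferenceObject $effective -Property Guid, Mode
    }
} else {
    'Get-MpPreference is unavailable (not a Windows host with Defender installed).'
}
```

A rule GUID that appears in neither list is simply not configured, which is the same as mode 0 (Off) from an operator's point of view. Where the two lists disagree, trust the Get-MpPreference side: it is what the engine is enforcing right now.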