# Identification

## ATP

To detect whether the Microsoft Defender ATP sensor (Windows Defender ATP, since renamed Microsoft Defender for Endpoint) is installed and running on the machine, check the following indicators. Any one of them is enough to assume the sensor is deployed; the service and process together tell you whether it is currently active.

**Process**

`MsSense.exe`

**Service**

```
PS C:\> Get-Service Sense
C:\> sc query sense
```

Display Name: `Windows Defender Advanced Threat Protection Service`

Name: `Sense`

**Registry**

`HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`

**File Paths**

`C:\Program Files\Windows Defender Advanced Threat Protection\`
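The checks above collected into one function, as an added example that is not part of the original page. It reports every indicator together so that a single missing one (for instance a stopped service) does not lead to a wrong conclusion. The `OnboardingState` value under `HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status` is taken from Microsoft's onboarding verification guidance and is not listed on the page above; everything else comes from the indicators listed.

```powershell
# Added example (not from the original page): check the ATP sensor indicators
# listed above and report them as one object. Run as a local administrator for
# full visibility of process and service details.
function Test-DefenderAtpSensor {
    [CmdletBinding()]
    param()

    # Process: the sensor binary is MsSense.exe
    $proc = Get-Process -Name 'MsSense' -ErrorAction SilentlyContinue

    # Service: short name "Sense". It can exist but be stopped, so report the state.
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    # Registry: policy key written during onboarding (GPO, MDM or onboarding script)
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $policyKeyPresent = Test-Path -Path $policyKey

    # Registry: onboarding status. OnboardingState = 1 once the sensor is onboarded
    # (from Microsoft's onboarding verification guidance, not from the page above).
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboardingState = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' `
                            -ErrorAction SilentlyContinue).OnboardingState

    # File path: sensor install directory
    $installDir = 'C:\Program Files\Windows Defender Advanced Threat Protection'
    $installDirPresent = Test-Path -Path $installDir

    [pscustomobject]@{
        ProcessRunning    = [bool]$proc
        ServiceState      = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        PolicyKeyPresent  = $policyKeyPresent
        OnboardingState   = $onboardingState
        InstallDirPresent = $installDirPresent
        # Sensor registered or present on disk, whether or not it is running now
        SensorInstalled   = [bool]$svc -or $policyKeyPresent -or $installDirPresent
        # Sensor actually active: process up, service running, device onboarded
        SensorActive      = [bool]$proc -and ($svc -and $svc.Status -eq 'Running') -and ($onboardingState -eq 1)
    }
}

Test-DefenderAtpSensor | Format-List
```

`SensorInstalled` true with `SensorActive` false is the interesting case on an engagement: the sensor was deployed but is not reporting, which is itself something a SOC may alert on.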

Attack Surface Reduction (ASR) rule configuration is stored in the registry. Rules applied through MDM/Intune land under:

```
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\
```

Rules applied through Group Policy land under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules`, with one value per rule GUID whose data is the rule's mode. The rules and their GUIDs are:

| Rule name | GUID | File & folder exclusions | Minimum OS supported |
| --- | --- | --- | --- |
| [Block executable content from email client and webmail](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block all Office applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block Office applications from creating executable content](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block Office applications from injecting code into other processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block JavaScript or VBScript from launching downloaded executable content](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Not supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block execution of potentially obfuscated scripts](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block Win32 API calls from Office macros](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Use advanced protection against ransomware](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block untrusted and unsigned processes that run from USB](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block Office communication application from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block Adobe Reader from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block persistence through WMI event subscription](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |

To check whether a given rule is enabled, look up its GUID in the registry location above (the GUID is the value name) and read the value data, which is the rule's mode:

* 0 = Off
* 1 = Block
* 2 = Audit

A rule whose GUID is not present at all is not configured and behaves as Off.

## ATA

Check for the ATA administrators role group and its members (replace `dev` with the NetBIOS name of the target domain):

```
Get-CimInstance -ClassName Win32_Group -Filter "Domain = 'dev' AND Name='Microsoft Advanced Threat Analytics Administrator'" | Get-CimAssociatedInstance -Association Win32_GroupUser
```
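The same query generalised to every ATA role group in the domain, as an added example that is not part of the original page. Instead of hard-coding the page's `dev` placeholder it takes the domain from the current session (overridable with `-Domain`), and it uses a WQL `LIKE` pattern so the exact group-name suffix (Administrator vs. Administrators, plus the Users and Viewers groups) does not matter. The function name is this example's own.

```powershell
# Added example (not from the original page): enumerate all ATA role groups in
# the domain and list their members with the member type.
function Get-AtaRoleGroupMembers {
    [CmdletBinding()]
    param(
        # Defaults to the domain of the current logon session
        [string]$Domain = $env:USERDOMAIN
    )

    # WQL LIKE with % matches every "Microsoft Advanced Threat Analytics ..." group
    $filter = "Domain = '$Domain' AND Name LIKE 'Microsoft Advanced Threat Analytics%'"
    $groups = Get-CimInstance -ClassName Win32_Group -Filter $filter

    if (-not $groups) {
        Write-Verbose "No ATA role groups found in domain $Domain"
        return
    }

    foreach ($g in $groups) {
        # Win32_GroupUser associates a group with its direct members
        $members = Get-CimAssociatedInstance -InputObject $g -Association Win32_GroupUser
        foreach ($m in $members) {
            [pscustomobject]@{
                Group  = $g.Name
                Member = "$($m.Domain)\$($m.Name)"
                # Win32_UserAccount for users, Win32_Group for nested groups
                Type   = $m.CimClass.CimClassName
            }
        }
    }
}

Get-AtaRoleGroupMembers -Verbose | Format-Table -AutoSize
```

Enumerating `Win32_Group` with a domain filter goes through the local WMI provider to the domain, which can be slow in large forests; nested groups show up as `Win32_Group` entries and are not expanded recursively here.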
