# Identification

## ATP

To detect if Windows ATP is running on the machine:

**Process**

`MsSense.exe`

**Service**

```
PS C:\> Get-Service Sense
C:\> sc query sense
```

Display Name: `Windows Defender Advanced Threat Protection Service`

Name: `Sense`

**Registry**

`HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`

**File Paths**

`C:\Program Files\Windows Defender Advanced Threat Protection\`

ASR rules are stored here:

```
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\
```

| Rule name | GUID | File & folder exclusions | Minimum OS supported |
| --- | --- | --- | --- |
| [Block executable content from email client and webmail](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block all Office applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block Office applications from creating executable content](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block Office applications from injecting code into other processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block JavaScript or VBScript from launching downloaded executable content](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Not supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block execution of potentially obfuscated scripts](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block Win32 API calls from Office macros](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Use advanced protection against ransomware](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block untrusted and unsigned processes that run from USB](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block Office communication application from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block Adobe Reader from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
| [Block persistence through WMI event subscription](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |

To check whether a given rule is enabled, read the value stored for its GUID; the numeric mode means:

* 0 = Off
* 1 = Block
* 2 = Audit
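The following PowerShell script is an added example (not part of the handbook) that checks all four ATP indicators above in one pass and decodes the ASR rule modes using the 0/1/2 mapping; it assumes an elevated prompt and the built-in Defender module (`Get-MpPreference`), and the `ASRRules` value under the Policy Manager key is only present when rules were pushed by policy.

```powershell
# Added example: inventory Windows ATP / Defender for Endpoint artifacts on this host
# and report the configured ASR rule modes. Run from an elevated PowerShell prompt.

$sensePath = 'C:\Program Files\Windows Defender Advanced Threat Protection'
$atpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$asrPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'

# Process, service, registry key and install folder from the section above
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
[pscustomobject]@{
    ProcessRunning = [bool](Get-Process -Name MsSense -ErrorAction SilentlyContinue)
    ServiceStatus  = if ($sense) { $sense.Status } else { 'NotInstalled' }
    DisplayName    = if ($sense) { $sense.DisplayName } else { $null }
    PolicyKeyExists = Test-Path $atpPolicy
    InstallDirExists = Test-Path $sensePath
} | Format-List

# Mode codes as stored per rule GUID: 0 = Off, 1 = Block, 2 = Audit.
# Newer Defender builds may report other codes (e.g. Warn), so fall back to "Unknown".
$modeName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit' }

# Effective rule state as Defender itself reports it
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    $code = [int]$actions[$i]   # cast: values come back as bytes, hashtable keys are ints
    $mode = if ($modeName.ContainsKey($code)) { $modeName[$code] } else { "Unknown($code)" }
    [pscustomobject]@{ RuleGuid = $ids[$i]; Mode = $mode }
}

# Policy-delivered rule string (GPO/Intune), if present, in the form "GUID=1|GUID=2"
$raw = (Get-ItemProperty -Path $asrPolicy -Name ASRRules -ErrorAction SilentlyContinue).ASRRules
if ($raw) {
    $raw -split '\|' | ForEach-Object {
        $guid, $code = $_ -split '='
        $mode = if ($modeName.ContainsKey([int]$code)) { $modeName[[int]$code] } else { "Unknown($code)" }
        [pscustomobject]@{ Source = 'PolicyManager'; RuleGuid = $guid; Mode = $mode }
    }
}
```

If `Get-MpPreference` returns no rule IDs but the Policy Manager string is populated, the policy has been written but not yet applied by the Defender service; compare both outputs rather than trusting one.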

## ATA

Check for ATA admins (the query below filters on the `dev` domain; substitute the domain in scope):

```
Get-CimInstance -ClassName Win32_Group -Filter "Domain = 'dev' AND Name='Microsoft Advanced Threat Analytics Administrator'" | Get-CimAssociatedInstance -Association Win32_GroupUser
```
