Identification

ATP

To detect if Windows ATP is running on the machine:

Process

MsSense.exe

Service

PS C:\> Get-Service Sense
​C:\> sc query sense

Display Name: Windows Defender Advanced Threat Protection Service

Name: Sense

Registry

HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

File Paths

C:\Program Files\Windows Defender Advanced Threat Protection\

ASR Rules are stored here:

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\

Rule name	GUID	File & folder exclusions	Minimum OS supported
​Block executable content from email client and webmail​	BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550	Supported	​Windows 10, version 1709 (RS3, build 16299) or greater
​Block all Office applications from creating child processes​	D4F940AB-401B-4EFC-AADC-AD5F3C50688A	Supported	​Windows 10, version 1709 (RS3, build 16299) or greater
​Block Office applications from creating executable content​	3B576869-A4EC-4529-8536-B80A7769E899	Supported	​Windows 10, version 1709 (RS3, build 16299) or greater
​Block Office applications from injecting code into other processes​	75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84	Supported	​Windows 10, version 1709 (RS3, build 16299) or greater
​Block JavaScript or VBScript from launching downloaded executable content​	D3E037E1-3EB8-44C8-A917-57927947596D	Not supported	​Windows 10, version 1709 (RS3, build 16299) or greater
​Block execution of potentially obfuscated scripts​	5BEB7EFE-FD9A-4556-801D-275E5FFC04CC	Supported	​Windows 10, version 1709 (RS3, build 16299) or greater
​Block Win32 API calls from Office macros​	92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B	Supported	​Windows 10, version 1709 (RS3, build 16299) or greater
​Block executable files from running unless they meet a prevalence, age, or trusted list criterion​	01443614-cd74-433a-b99e-2ecdc07bfc25	Supported	​Windows 10, version 1709 (RS3, build 16299) or greater
​Use advanced protection against ransomware​	c1db55ab-c21a-4637-bb3f-a12568109d35	Supported	​Windows 10, version 1709 (RS3, build 16299) or greater
​Block credential stealing from the Windows local security authority subsystem (lsass.exe)​	9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2	Supported	​Windows 10, version 1709 (RS3, build 16299) or greater
​Block process creations originating from PSExec and WMI commands​	d1e49aac-8f56-4280-b9ba-993a6d77406c	Supported	​Windows 10, version 1709 (RS3, build 16299) or greater
​Block untrusted and unsigned processes that run from USB​	b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4	Supported	​Windows 10, version 1709 (RS3, build 16299) or greater
​Block Office communication application from creating child processes​	26190899-1602-49e8-8b27-eb1d0a1ce869	Supported	​Windows 10, version 1709 (RS3, build 16299) or greater
​Block Adobe Reader from creating child processes​	7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c	Supported	​Windows 10, version 1709 (RS3, build 16299) or greater
​Block persistence through WMI event subscription​	e6db77e5-3df2-4cf1-b95a-636979351e5b	Not supported	​Windows 10, version 1903 (build 18362) or greater

To check if certain rules are enabled or not:

• 0 = Off

• 1 = Block

• 2 = Audit

ATA

Check for ATA admins:

Get-CimInstance -ClassName Win32_Group -Filter "Domain = 'dev' AND Name='Microsoft Advanced Threat Analytics Administrator'" | Get-CimAssociatedInstance -Association Win32_GroupUser