
Microsoft Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE comments are included in italics.

Product Versions

Workstations: Windows Defender ATP for Windows 10 (1803)

Servers: Windows Defender ATP for Server 2016 and Azure ATP version 2.44


Windows Defender Advanced Threat Protection (WDATP) is a unified pre- and post-breach endpoint security service for protection, detection, automated investigation and response. The service includes Attack Surface Reduction controls (integrating and expanding EMET capabilities into Windows), next-generation cloud anti-virus (usually referenced as EDR component), kernel-level event monitoring and behavioral detection for endpoint detection and response (usually referenced as EDR component), automated investigation and response capabilities, advanced hunting based on rich raw data, threat intelligence reports and security posture reporting.

WDATP sensors and controls are agentless and integrated into Windows 10 and Windows Server 2019, with agents available for Windows 7, 8.1, Server 2016 and 2012 R2. Non-Windows platforms are supported via back-end integration with partners, providing visibility into Android, iOS, macOS and Linux endpoints.

WDATP EDR capabilities include rich visibility into process, file and registry operations as well as network activity. In-memory malware and kernel-level activity are visible on Windows 10 and Server 2019 endpoints via unique OS telemetry generated by the memory manager and the kernel itself. Additional telemetry is gathered from a wide-ranging pool of OS internal events and signals, providing visibility into the activity of common binaries, services and interfaces (such as WMI, PowerShell, LSASS, SmartScreen). Rich visibility into scripting engines and macro-based attacks (such as PowerShell, VBScript, JScript and Office macros) is provided by integration of the Antimalware Scan Interface (AMSI) with various scripting engines, allowing WDATP to see through obfuscation and dynamic code generation and block/detect attacks based on scripts.

EDR detections in the cloud consume near real-time telemetry from endpoints and analyze it using multiple methods in parallel. These methods include:
  • Heuristic rules developed by security experts and behavioral models
  • Kill-chain analysis and entity tainting detections
  • Machine-learning models and anomaly-detection based detectors
  • Threat intelligence library based on indicators of adversaries and campaigns

Windows Defender ATP can be combined and expanded with other Microsoft cloud-based products such as Office 365 ATP (protection against malicious attachments and URLs), Azure ATP (detection of compromised accounts and insider threats) and Azure Security Center (protection for hybrid cloud workloads). Signals and detections across the entire Microsoft ATP stack are shared to allow greater detection and visibility in the kill-chain and ensure broader coverage. A SOC analyst operating with the combined ATP stack can navigate in the context of an investigation across all the products and correlate aspects of an attack, jumping from endpoint events to entry-vector email to compromised user accounts.

In the current test, the Microsoft team leveraged the combined signals of WDATP (EDR-only) and AATP to maximize detections. Azure ATP enables security teams to monitor users with learning-based analytics, protect identities and credentials stored in Active Directory, and identify and investigate suspicious user activities.


Windows Defender ATP component           | Status for the test   | Reason
-----------------------------------------|-----------------------|-------------------------------------------------------------------------------------------
Next-gen antivirus                       | Disabled              | Disabled on demand due to detection-oriented test (allow Red Team tools/binaries to run)
Attack Surface Reduction (ASR) controls  | Audit-only (no block) | Configured a set of ASR rules [1] in audit mode.
Exploit protection                       | Audit-only (no block) | Configured a set of Exploit protection mitigations [2] in audit mode for certain processes.
Windows Defender Credential Guard        | Disabled              | Disabled on demand due to detection-oriented test (allow credential dump to succeed)
Application control                      | Disabled              | Disabled on demand due to detection-oriented test (allow credential dump to succeed)
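The table above documents the evaluated endpoint posture, but it does not show how that posture is set or verified on a host. The following PowerShell script is an added example, not part of the MITRE page or of Microsoft's submission: it places two ASR rules in audit mode (the same "log, don't block" setting the table describes) and then reads back each component's live state so a tester can confirm the machine matches the documented configuration before a run. Assumptions: Windows 10 1803 or later with the Defender PowerShell module, an elevated session, and the two ASR rule GUIDs, which are Microsoft's public rule identifiers chosen here for illustration (the specific rule set referenced by [1] on the page is not reproduced). The Win32_DeviceGuard field meanings (SecurityServicesRunning value 1 = Credential Guard; CodeIntegrityPolicyEnforcementStatus 0/1/2 = off/audit/enforced) are taken from Microsoft's documentation of that class.

```powershell
# Added example (not from the MITRE page or Microsoft's submission).
# Sets ASR rules to audit mode and verifies the component states from the table.
# Assumes Windows 10 1803+, Defender module available, elevated session.

# Public Microsoft ASR rule IDs used for illustration; the page's rule list [1] is not reproduced.
$AsrRules = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
}

# Audit mode records a would-be block in the Defender operational log without enforcing it.
function Set-AsrAuditMode {
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}

# Returns GUID -> numeric action (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
function Get-AsrRuleState {
    $pref  = Get-MpPreference
    $state = @{}
    if ($pref.AttackSurfaceReductionRules_Ids) {
        for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
            $guid = $pref.AttackSurfaceReductionRules_Ids[$i].ToLower()
            $state[$guid] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    return $state
}

function ConvertTo-AsrLabel([int]$Code) {
    switch ($Code) { 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Disabled/not set' } }
}

# One row per table entry: what the test configuration expects versus what the host reports.
function Test-EvalConfiguration {
    $rows = New-Object System.Collections.Generic.List[object]

    # Next-gen antivirus: the table says real-time protection was disabled for the test.
    $status = Get-MpComputerStatus
    $avActual = if ($status.RealTimeProtectionEnabled) { 'Enabled' } else { 'Disabled' }
    $rows.Add([pscustomobject]@{ Component = 'Next-gen antivirus'; Expected = 'Disabled'; Actual = $avActual })

    # ASR: every configured rule should report Audit.
    $asr = Get-AsrRuleState
    foreach ($id in $AsrRules.Keys) {
        $label = ConvertTo-AsrLabel ([int]($asr[$id] | ForEach-Object { $_ }))
        $rows.Add([pscustomobject]@{ Component = "ASR: $($AsrRules[$id])"; Expected = 'Audit'; Actual = $label })
    }

    # Credential Guard and application control (WDAC) state live in the DeviceGuard WMI class.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $cgActual = if ($dg.SecurityServicesRunning -contains 1) { 'Running' } else { 'Disabled' }
    $rows.Add([pscustomobject]@{ Component = 'Windows Defender Credential Guard'; Expected = 'Disabled'; Actual = $cgActual })

    $wdacActual = switch ([int]$dg.CodeIntegrityPolicyEnforcementStatus) {
        2 { 'Enforced' } 1 { 'Audit' } default { 'Disabled' }
    }
    $rows.Add([pscustomobject]@{ Component = 'Application control (WDAC)'; Expected = 'Disabled'; Actual = $wdacActual })

    foreach ($r in $rows) {
        $r | Add-Member -NotePropertyName Matches -NotePropertyValue ($r.Actual -eq $r.Expected)
    }
    return $rows
}

Set-AsrAuditMode
Test-EvalConfiguration | Format-Table -AutoSize
```

The "Matches" column is the useful output: any row showing False means the host drifted from the documented test configuration (for example, Credential Guard still running would cause the credential-dump steps the table anticipates to fail for reasons unrelated to detection). Exploit protection is not checked here because its audit setting is per mitigation and per process; Get-ProcessMitigation -Name <process> shows those values for the specific processes referenced by [2].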