ricardojba · August 12, 2024 16:19
diff --git a/atp-fw-block.ps1 b/atp-fw-block.ps1
 # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-proxy-internet?view=o365-worldwide#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server
 # https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx
 # https://download.microsoft.com/download/6/a/0/6a041da5-c43b-4f17-8167-79dfdc10507f/mde-urls-gov.xlsx
 $MSATPURLs = "automatedirstrffusgt.blob.core.usgovcloudapi.net", "automatedirstrffusgv.blob.core.usgovcloudapi.net", "automatedirstrfmusmt.blob.core.usgovcloudapi.net", "automatedirstrfmusmv.blob.core.usgovcloudapi.net", "automatedirstrprdcus", "automatedirstrprdcus.blob.core.windows.net", "automatedirstrprdcus3.blob.core.windows.net", "automatedirstrprdeus.blob.core.windows.net", "automatedirstrprdeus3.blob.core.windows.net", "automatedirstrprdneu.blob.core.windows.net", "automatedirstrprdneu3.blob.core.windows.net", "automatedirstrprduks.blob.core.windows.net", "automatedirstrprdukw.blob.core.windows.net", "automatedirstrprdweu.blob.core.windows.net", "automatedirstrprdweu3.blob.core.windows.net", "blob.core.usgovcloudapi.net", "blob.core.windows.net ", "blob.core.windows.net", "cdn.x.cp.wd.microsoft.com", "checkappexec.microsoft.com", "cloudsink.net", "crl.microsoft.com", "ctldl.windowsupdate.com", "definitionupdates.microsoft.com", "delivery.mp.microsoft.com", "dm.microsoft.com", "download.microsoft.com", "download.windowsupdate.com", "endpoint.security.microsoft.com", "enterpriseregistration.windows.net", "eu-v20.events.data.microsoft.com", "eu.vortex-win.data.microsoft.com", "europe.x.cp.wd.microsoft.com", "events.data.microsoft.com", "fe3cr.delivery.mp.microsoft.com", "go.microsoft.com", "login.live.com", "login.microsoftonline.com", "login.windows.net", "microsoftonline-p.com", "msdl.microsoft.com", "ods.opinsights.azure.com", "ods.opinsights.azure.us", "officecdn-microsoft-com.akamaized.net", "oms.opinsights.azure.com", "oms.opinsights.azure.us", "onboardingpackagescusprd.blob.core.windows.net", "packages.microsoft.com", "psapp.microsoft.com", "psappeu.microsoft.com", "secure.aadcdn.microsoftonline-p.com", "security.microsoft.com", "securitycenter.windows.com", "settings-win.data.microsoft.com", "smartscreen-prod.microsoft.com", "smartscreen.microsoft.com", "static2.sharepointonline.com", "uk-v20.events.data.microsoft.com", "uk.vortex-win.data.microsoft.com", "unitedkingdom.x.cp.wd.microsoft.com", "unitedstates.x.cp.wd.microsoft.com", "unitedstates1.cp.wd.microsoft.us", "unitedstates1.ss.wd.microsoft.us", "unitedstates1.x.cp.wd.microsoft.us", "unitedstates2.cp.wd.microsoft.us", "unitedstates2.ss.wd.microsoft.us", "unitedstates2.x.cp.wd.microsoft.us", "unitedstates4.cp.wd.microsoft.us", "unitedstates4.ss.wd.microsoft.us", "unitedstates4.x.cp.wd.microsoft.us", "update.microsoft.com", "urs.microsoft.com", "us-v20.events.data.microsoft.com", "us.vortex-win.data.microsoft.com", "us4-v20.events.data.microsoft.com", "usseu1northprod.blob.core.windows.net", "usseu1westprod.blob.core.windows.net", "ussuk1southprod.blob.core.windows.net", "ussuk1westprod.blob.core.windows.net", "ussus1eastprod.blob.core.windows.net", "ussus1westprod.blob.core.windows.net", "ussus2eastprod.blob.core.windows.net", "ussus2westprod.blob.core.windows.net", "ussus3eastprod.blob.core.windows.net", "ussus3westprod.blob.core.windows.net", "ussus4eastprod.blob.core.windows.net", "ussus4westprod.blob.core.windows.net", "ussusd1centralff5.blob.core.usgovcloudapi.net", "ussusd1eastff5.blob.core.usgovcloudapi.net", "ussusd2centralff5.blob.core.usgovcloudapi.net", "ussusd2eastff5.blob.core.usgovcloudapi.net", "ussusg1texasff0.blob.core.usgovcloudapi.net", "ussusg1texasff4.blob.core.usgovcloudapi.net", "ussusg1virginiaff0.blob.core.usgovcloudapi.net", "ussusg1virginiaff4.blob.core.usgovcloudapi.net", "ussusg2texasff0.blob.core.usgovcloudapi.net", "ussusg2texasff4.blob.core.usgovcloudapi.net", "ussusg2virginiaff0.blob.core.usgovcloudapi.net", "ussusg2virginiaff4.blob.core.usgovcloudapi.net", "vortex-win.data.microsoft.com", "wd.microsoft.com", "wdcp.microsoft.com", "wdcpalt.microsoft.com", "winatp-gw-cus", "winatp-gw-cus.microsoft.com", "winatp-gw-cus3.microsoft.com", "winatp-gw-eus.microsoft.com", "winatp-gw-eus3.microsoft.com", "winatp-gw-neu.microsoft.com", "winatp-gw-neu3.microsoft.com", "winatp-gw-uks.microsoft.com", "winatp-gw-ukw.microsoft.com", "winatp-gw-usgt.microsoft.com", "winatp-gw-usgv.microsoft.com", "winatp-gw-usmt.microsoft.com", "winatp-gw-usmv.microsoft.com", "winatp-gw-weu.microsoft.com", "winatp-gw-weu3.microsoft.com", "windowsupdate.com", "wns.windows.com", "wseu1northprod.blob.core.windows.net", "wseu1westprod.blob.core.windows.net", "wsuk1southprod.blob.core.windows.net", "wsuk1westprod.blob.core.windows.net", "wsus1eastprod.blob.core.windows.net", "wsus1westprod.blob.core.windows.net", "wsus2eastprod.blob.core.windows.net", "wsus2westprod.blob.core.windows.net", "wsusd1centralff5.blob.core.usgovcloudapi.net", "wsusd1eastff5.blob.core.usgovcloudapi.net", "wsusg1texasff0.blob.core.usgovcloudapi.net", "wsusg1texasff4.blob.core.usgovcloudapi.net", "wsusg1virginiaff0.blob.core.usgovcloudapi.net", "wsusg1virginiaff4.blob.core.usgovcloudapi.net", "www.microsoft.com", "x.cp.wd.microsoft.com"
 [CmdletBinding()]
 $processnames = Get-process | Select-Object ProcessName
 Foreach ($ps in $processnames) {
 if ($ps.ProcessName -like "*MsSense*") {
  Write-Output ("[*] Defender ATP process " + $ps.ProcessName + " is running. Resolving ATP FQDN IP's and blocking them.")
  $MSATPCloudIPs = ($MSATPURLs | Foreach {[System.Net.Dns]::GetHostAddresses($_) | Select-Object -ExpandProperty IPAddressToString | Foreach-Object {
   New-NetFirewallRule -DisplayName "Block Microsoft Defender ATP" -Enabled True -Action Block -LocalPort Any -Protocol TCP -Direction Outbound -RemoteAddress "$_"
   Write-Host "$_ - Outbound Firewall Block Was Added: $?"
   }})
  }
 }
 New-NetFirewallRule -DisplayName "Block 443 MsMpEng" -Name "Block 443 MsMpEng" -Direction Outbound -Service WinDefend -Enabled True -RemotePort 443 -Protocol TCP -Action Block
 New-NetFirewallRule -DisplayName "Block 443 SenseCncProxy" -Name "Block 443 SenseCncProxy" -Direction Outbound -Program "%ProgramFiles%\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" -RemotePort 443 -Protocol TCP -Action Block
 New-NetFirewallRule -DisplayName "Block 443 MsSense" -Name "Block 443 MsSense" -Direction Outbound -Program "%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe" -RemotePort 443 -Protocol TCP -Action Block
	# https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-proxy-internet?view=o365-worldwide#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server
	# https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx
	# https://download.microsoft.com/download/6/a/0/6a041da5-c43b-4f17-8167-79dfdc10507f/mde-urls-gov.xlsx
	$MSATPURLs = "automatedirstrffusgt.blob.core.usgovcloudapi.net", "automatedirstrffusgv.blob.core.usgovcloudapi.net", "automatedirstrfmusmt.blob.core.usgovcloudapi.net", "automatedirstrfmusmv.blob.core.usgovcloudapi.net", "automatedirstrprdcus", "automatedirstrprdcus.blob.core.windows.net", "automatedirstrprdcus3.blob.core.windows.net", "automatedirstrprdeus.blob.core.windows.net", "automatedirstrprdeus3.blob.core.windows.net", "automatedirstrprdneu.blob.core.windows.net", "automatedirstrprdneu3.blob.core.windows.net", "automatedirstrprduks.blob.core.windows.net", "automatedirstrprdukw.blob.core.windows.net", "automatedirstrprdweu.blob.core.windows.net", "automatedirstrprdweu3.blob.core.windows.net", "blob.core.usgovcloudapi.net", "blob.core.windows.net ", "blob.core.windows.net", "cdn.x.cp.wd.microsoft.com", "checkappexec.microsoft.com", "cloudsink.net", "crl.microsoft.com", "ctldl.windowsupdate.com", "definitionupdates.microsoft.com", "delivery.mp.microsoft.com", "dm.microsoft.com", "download.microsoft.com", "download.windowsupdate.com", "endpoint.security.microsoft.com", "enterpriseregistration.windows.net", "eu-v20.events.data.microsoft.com", "eu.vortex-win.data.microsoft.com", "europe.x.cp.wd.microsoft.com", "events.data.microsoft.com", "fe3cr.delivery.mp.microsoft.com", "go.microsoft.com", "login.live.com", "login.microsoftonline.com", "login.windows.net", "microsoftonline-p.com", "msdl.microsoft.com", "ods.opinsights.azure.com", "ods.opinsights.azure.us", "officecdn-microsoft-com.akamaized.net", "oms.opinsights.azure.com", "oms.opinsights.azure.us", "onboardingpackagescusprd.blob.core.windows.net", "packages.microsoft.com", "psapp.microsoft.com", "psappeu.microsoft.com", "secure.aadcdn.microsoftonline-p.com", "security.microsoft.com", "securitycenter.windows.com", "settings-win.data.microsoft.com", "smartscreen-prod.microsoft.com", "smartscreen.microsoft.com", "static2.sharepointonline.com", "uk-v20.events.data.microsoft.com", "uk.vortex-win.data.microsoft.com", "unitedkingdom.x.cp.wd.microsoft.com", "unitedstates.x.cp.wd.microsoft.com", "unitedstates1.cp.wd.microsoft.us", "unitedstates1.ss.wd.microsoft.us", "unitedstates1.x.cp.wd.microsoft.us", "unitedstates2.cp.wd.microsoft.us", "unitedstates2.ss.wd.microsoft.us", "unitedstates2.x.cp.wd.microsoft.us", "unitedstates4.cp.wd.microsoft.us", "unitedstates4.ss.wd.microsoft.us", "unitedstates4.x.cp.wd.microsoft.us", "update.microsoft.com", "urs.microsoft.com", "us-v20.events.data.microsoft.com", "us.vortex-win.data.microsoft.com", "us4-v20.events.data.microsoft.com", "usseu1northprod.blob.core.windows.net", "usseu1westprod.blob.core.windows.net", "ussuk1southprod.blob.core.windows.net", "ussuk1westprod.blob.core.windows.net", "ussus1eastprod.blob.core.windows.net", "ussus1westprod.blob.core.windows.net", "ussus2eastprod.blob.core.windows.net", "ussus2westprod.blob.core.windows.net", "ussus3eastprod.blob.core.windows.net", "ussus3westprod.blob.core.windows.net", "ussus4eastprod.blob.core.windows.net", "ussus4westprod.blob.core.windows.net", "ussusd1centralff5.blob.core.usgovcloudapi.net", "ussusd1eastff5.blob.core.usgovcloudapi.net", "ussusd2centralff5.blob.core.usgovcloudapi.net", "ussusd2eastff5.blob.core.usgovcloudapi.net", "ussusg1texasff0.blob.core.usgovcloudapi.net", "ussusg1texasff4.blob.core.usgovcloudapi.net", "ussusg1virginiaff0.blob.core.usgovcloudapi.net", "ussusg1virginiaff4.blob.core.usgovcloudapi.net", "ussusg2texasff0.blob.core.usgovcloudapi.net", "ussusg2texasff4.blob.core.usgovcloudapi.net", "ussusg2virginiaff0.blob.core.usgovcloudapi.net", "ussusg2virginiaff4.blob.core.usgovcloudapi.net", "vortex-win.data.microsoft.com", "wd.microsoft.com", "wdcp.microsoft.com", "wdcpalt.microsoft.com", "winatp-gw-cus", "winatp-gw-cus.microsoft.com", "winatp-gw-cus3.microsoft.com", "winatp-gw-eus.microsoft.com", "winatp-gw-eus3.microsoft.com", "winatp-gw-neu.microsoft.com", "winatp-gw-neu3.microsoft.com", "winatp-gw-uks.microsoft.com", "winatp-gw-ukw.microsoft.com", "winatp-gw-usgt.microsoft.com", "winatp-gw-usgv.microsoft.com", "winatp-gw-usmt.microsoft.com", "winatp-gw-usmv.microsoft.com", "winatp-gw-weu.microsoft.com", "winatp-gw-weu3.microsoft.com", "windowsupdate.com", "wns.windows.com", "wseu1northprod.blob.core.windows.net", "wseu1westprod.blob.core.windows.net", "wsuk1southprod.blob.core.windows.net", "wsuk1westprod.blob.core.windows.net", "wsus1eastprod.blob.core.windows.net", "wsus1westprod.blob.core.windows.net", "wsus2eastprod.blob.core.windows.net", "wsus2westprod.blob.core.windows.net", "wsusd1centralff5.blob.core.usgovcloudapi.net", "wsusd1eastff5.blob.core.usgovcloudapi.net", "wsusg1texasff0.blob.core.usgovcloudapi.net", "wsusg1texasff4.blob.core.usgovcloudapi.net", "wsusg1virginiaff0.blob.core.usgovcloudapi.net", "wsusg1virginiaff4.blob.core.usgovcloudapi.net", "www.microsoft.com", "x.cp.wd.microsoft.com"
	[CmdletBinding()]
	$processnames = Get-process \| Select-Object ProcessName
	Foreach ($ps in $processnames) {
	if ($ps.ProcessName -like "MsSense") {
	Write-Output ("[*] Defender ATP process " + $ps.ProcessName + " is running. Resolving ATP FQDN IP's and blocking them.")
	$MSATPCloudIPs = ($MSATPURLs \| Foreach {[System.Net.Dns]::GetHostAddresses($_) \| Select-Object -ExpandProperty IPAddressToString \| Foreach-Object {
	New-NetFirewallRule -DisplayName "Block Microsoft Defender ATP" -Enabled True -Action Block -LocalPort Any -Protocol TCP -Direction Outbound -RemoteAddress "$_"
	Write-Host "$_ - Outbound Firewall Block Was Added: $?"
	}})
	}
	}
	New-NetFirewallRule -DisplayName "Block 443 MsMpEng" -Name "Block 443 MsMpEng" -Direction Outbound -Service WinDefend -Enabled True -RemotePort 443 -Protocol TCP -Action Block
	New-NetFirewallRule -DisplayName "Block 443 SenseCncProxy" -Name "Block 443 SenseCncProxy" -Direction Outbound -Program "%ProgramFiles%\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" -RemotePort 443 -Protocol TCP -Action Block
	New-NetFirewallRule -DisplayName "Block 443 MsSense" -Name "Block 443 MsSense" -Direction Outbound -Program "%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe" -RemotePort 443 -Protocol TCP -Action Block