ricardojba/atp-fw-block.ps1

## atp-fw-block.ps1
# https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-proxy-internet?view=o365-worldwide#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server
# https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx
# https://download.microsoft.com/download/6/a/0/6a041da5-c43b-4f17-8167-79dfdc10507f/mde-urls-gov.xlsx
$MSATPURLs = "automatedirstrffusgt.blob.core.usgovcloudapi.net","automatedirstrffusgv.blob.core.usgovcloudapi.net","automatedirstrfmusmt.blob.core.usgovcloudapi.net","automatedirstrfmusmv.blob.core.usgovcloudapi.net","automatedirstrprdcus.blob.core.windows.net","automatedirstrprdcus3.blob.core.windows.net","automatedirstrprdeus.blob.core.windows.net","automatedirstrprdeus3.blob.core.windows.net","automatedirstrprdneu.blob.core.windows.net","automatedirstrprdneu3.blob.core.windows.net","automatedirstrprduks.blob.core.windows.net","automatedirstrprdukw.blob.core.windows.net","automatedirstrprdweu.blob.core.windows.net","automatedirstrprdweu3.blob.core.windows.net","blob.core.usgovcloudapi.net","blob.core.windows.net","blob.core.windows.net ","cdn.x.cp.wd.microsoft.com","checkappexec.microsoft.com","crl.microsoft.com","ctldl.windowsupdate.com","definitionupdates.microsoft.com","delivery.mp.microsoft.com","dm.microsoft.com","download.microsoft.com","download.windowsupdate.com","enterpriseregistration.windows.net","eu-v20.events.data.microsoft.com","eu.vortex-win.data.microsoft.com","europe.x.cp.wd.microsoft.com","events.data.microsoft.com","fe3cr.delivery.mp.microsoft.com","go.microsoft.com","login.live.com","login.microsoftonline.com","login.windows.net","microsoftonline-p.com","msdl.microsoft.com","ods.opinsights.azure.com","ods.opinsights.azure.us","officecdn-microsoft-com.akamaized.net","oms.opinsights.azure.com","oms.opinsights.azure.us","onboardingpackagescusprd.blob.core.windows.net","packages.microsoft.com","psapp.microsoft.com","psappeu.microsoft.com","secure.aadcdn.microsoftonline-p.com","security.microsoft.com","securitycenter.windows.com","settings-win.data.microsoft.com","smartscreen-prod.microsoft.com","smartscreen.microsoft.com","static2.sharepointonline.com","uk-v20.events.data.microsoft.com","uk.vortex-win.data.microsoft.com","unitedkingdom.x.cp.wd.microsoft.com","unitedstates.x.cp.wd.microsoft.com","unitedstates1.cp.wd.microsoft.us","unitedstates1.ss.wd.microsoft.us","unitedstates1.x.cp.wd.microsoft.us","unitedstates2.cp.wd.microsoft.us","unitedstates2.ss.wd.microsoft.us","unitedstates2.x.cp.wd.microsoft.us","unitedstates4.cp.wd.microsoft.us","unitedstates4.ss.wd.microsoft.us","unitedstates4.x.cp.wd.microsoft.us","update.microsoft.com","urs.microsoft.com","us-v20.events.data.microsoft.com","us.vortex-win.data.microsoft.com","us4-v20.events.data.microsoft.com","usseu1northprod.blob.core.windows.net","usseu1westprod.blob.core.windows.net","ussuk1southprod.blob.core.windows.net","ussuk1westprod.blob.core.windows.net","ussus1eastprod.blob.core.windows.net","ussus1westprod.blob.core.windows.net","ussus2eastprod.blob.core.windows.net","ussus2westprod.blob.core.windows.net","ussus3eastprod.blob.core.windows.net","ussus3westprod.blob.core.windows.net","ussus4eastprod.blob.core.windows.net","ussus4westprod.blob.core.windows.net","ussusd1centralff5.blob.core.usgovcloudapi.net","ussusd1eastff5.blob.core.usgovcloudapi.net","ussusd2centralff5.blob.core.usgovcloudapi.net","ussusd2eastff5.blob.core.usgovcloudapi.net","ussusg1texasff0.blob.core.usgovcloudapi.net","ussusg1texasff4.blob.core.usgovcloudapi.net","ussusg1virginiaff0.blob.core.usgovcloudapi.net","ussusg1virginiaff4.blob.core.usgovcloudapi.net","ussusg2texasff0.blob.core.usgovcloudapi.net","ussusg2texasff4.blob.core.usgovcloudapi.net","ussusg2virginiaff0.blob.core.usgovcloudapi.net","ussusg2virginiaff4.blob.core.usgovcloudapi.net","vortex-win.data.microsoft.com","wd.microsoft.com","wdcp.microsoft.com","winatp-gw-cus.microsoft.com","winatp-gw-cus3.microsoft.com","winatp-gw-eus.microsoft.com","winatp-gw-eus3.microsoft.com","winatp-gw-neu.microsoft.com","winatp-gw-neu3.microsoft.com","winatp-gw-uks.microsoft.com","winatp-gw-ukw.microsoft.com","winatp-gw-usgt.microsoft.com","winatp-gw-usgv.microsoft.com","winatp-gw-usmt.microsoft.com","winatp-gw-usmv.microsoft.com","winatp-gw-weu.microsoft.com","winatp-gw-weu3.microsoft.com","windowsupdate.com","wns.windows.com","wseu1northprod.blob.core.windows.net","wseu1westprod.blob.core.windows.net","wsuk1southprod.blob.core.windows.net","wsuk1westprod.blob.core.windows.net","wsus1eastprod.blob.core.windows.net","wsus1westprod.blob.core.windows.net","wsus2eastprod.blob.core.windows.net","wsus2westprod.blob.core.windows.net","wsusd1centralff5.blob.core.usgovcloudapi.net","wsusd1eastff5.blob.core.usgovcloudapi.net","wsusg1texasff0.blob.core.usgovcloudapi.net","wsusg1texasff4.blob.core.usgovcloudapi.net","wsusg1virginiaff0.blob.core.usgovcloudapi.net","wsusg1virginiaff4.blob.core.usgovcloudapi.net","www.microsoft.com","x.cp.wd.microsoft.com"
[CmdletBinding()]
$processnames = Get-process | Select-Object ProcessName
Foreach ($ps in $processnames) {
 if ($ps.ProcessName -like "*MsSense*") {
  Write-Output ("[*] Defender ATP process " + $ps.ProcessName + " is running. Resolving ATP FQDN IP's and blocking them.")
  $MSATPCloudIPs = ($MSATPURLs | Foreach {[System.Net.Dns]::GetHostAddresses($_) | Select-Object -ExpandProperty IPAddressToString | Foreach-Object {
   New-NetFirewallRule -DisplayName "Block Microsoft Defender ATP" -Enabled True -Action Block -LocalPort Any -Protocol TCP -Direction Outbound -RemoteAddress "$_"
   Write-Host "$_ - Outbound Firewall Block Was Added: $?"
   }})
  }
}
	# https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-proxy-internet?view=o365-worldwide#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server
	# https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx
	# https://download.microsoft.com/download/6/a/0/6a041da5-c43b-4f17-8167-79dfdc10507f/mde-urls-gov.xlsx
	$MSATPURLs = "automatedirstrffusgt.blob.core.usgovcloudapi.net","automatedirstrffusgv.blob.core.usgovcloudapi.net","automatedirstrfmusmt.blob.core.usgovcloudapi.net","automatedirstrfmusmv.blob.core.usgovcloudapi.net","automatedirstrprdcus.blob.core.windows.net","automatedirstrprdcus3.blob.core.windows.net","automatedirstrprdeus.blob.core.windows.net","automatedirstrprdeus3.blob.core.windows.net","automatedirstrprdneu.blob.core.windows.net","automatedirstrprdneu3.blob.core.windows.net","automatedirstrprduks.blob.core.windows.net","automatedirstrprdukw.blob.core.windows.net","automatedirstrprdweu.blob.core.windows.net","automatedirstrprdweu3.blob.core.windows.net","blob.core.usgovcloudapi.net","blob.core.windows.net","blob.core.windows.net ","cdn.x.cp.wd.microsoft.com","checkappexec.microsoft.com","crl.microsoft.com","ctldl.windowsupdate.com","definitionupdates.microsoft.com","delivery.mp.microsoft.com","dm.microsoft.com","download.microsoft.com","download.windowsupdate.com","enterpriseregistration.windows.net","eu-v20.events.data.microsoft.com","eu.vortex-win.data.microsoft.com","europe.x.cp.wd.microsoft.com","events.data.microsoft.com","fe3cr.delivery.mp.microsoft.com","go.microsoft.com","login.live.com","login.microsoftonline.com","login.windows.net","microsoftonline-p.com","msdl.microsoft.com","ods.opinsights.azure.com","ods.opinsights.azure.us","officecdn-microsoft-com.akamaized.net","oms.opinsights.azure.com","oms.opinsights.azure.us","onboardingpackagescusprd.blob.core.windows.net","packages.microsoft.com","psapp.microsoft.com","psappeu.microsoft.com","secure.aadcdn.microsoftonline-p.com","security.microsoft.com","securitycenter.windows.com","settings-win.data.microsoft.com","smartscreen-prod.microsoft.com","smartscreen.microsoft.com","static2.sharepointonline.com","uk-v20.events.data.microsoft.com","uk.vortex-win.data.microsoft.com","unitedkingdom.x.cp.wd.microsoft.com","unitedstates.x.cp.wd.microsoft.com","unitedstates1.cp.wd.microsoft.us","unitedstates1.ss.wd.microsoft.us","unitedstates1.x.cp.wd.microsoft.us","unitedstates2.cp.wd.microsoft.us","unitedstates2.ss.wd.microsoft.us","unitedstates2.x.cp.wd.microsoft.us","unitedstates4.cp.wd.microsoft.us","unitedstates4.ss.wd.microsoft.us","unitedstates4.x.cp.wd.microsoft.us","update.microsoft.com","urs.microsoft.com","us-v20.events.data.microsoft.com","us.vortex-win.data.microsoft.com","us4-v20.events.data.microsoft.com","usseu1northprod.blob.core.windows.net","usseu1westprod.blob.core.windows.net","ussuk1southprod.blob.core.windows.net","ussuk1westprod.blob.core.windows.net","ussus1eastprod.blob.core.windows.net","ussus1westprod.blob.core.windows.net","ussus2eastprod.blob.core.windows.net","ussus2westprod.blob.core.windows.net","ussus3eastprod.blob.core.windows.net","ussus3westprod.blob.core.windows.net","ussus4eastprod.blob.core.windows.net","ussus4westprod.blob.core.windows.net","ussusd1centralff5.blob.core.usgovcloudapi.net","ussusd1eastff5.blob.core.usgovcloudapi.net","ussusd2centralff5.blob.core.usgovcloudapi.net","ussusd2eastff5.blob.core.usgovcloudapi.net","ussusg1texasff0.blob.core.usgovcloudapi.net","ussusg1texasff4.blob.core.usgovcloudapi.net","ussusg1virginiaff0.blob.core.usgovcloudapi.net","ussusg1virginiaff4.blob.core.usgovcloudapi.net","ussusg2texasff0.blob.core.usgovcloudapi.net","ussusg2texasff4.blob.core.usgovcloudapi.net","ussusg2virginiaff0.blob.core.usgovcloudapi.net","ussusg2virginiaff4.blob.core.usgovcloudapi.net","vortex-win.data.microsoft.com","wd.microsoft.com","wdcp.microsoft.com","winatp-gw-cus.microsoft.com","winatp-gw-cus3.microsoft.com","winatp-gw-eus.microsoft.com","winatp-gw-eus3.microsoft.com","winatp-gw-neu.microsoft.com","winatp-gw-neu3.microsoft.com","winatp-gw-uks.microsoft.com","winatp-gw-ukw.microsoft.com","winatp-gw-usgt.microsoft.com","winatp-gw-usgv.microsoft.com","winatp-gw-usmt.microsoft.com","winatp-gw-usmv.microsoft.com","winatp-gw-weu.microsoft.com","winatp-gw-weu3.microsoft.com","windowsupdate.com","wns.windows.com","wseu1northprod.blob.core.windows.net","wseu1westprod.blob.core.windows.net","wsuk1southprod.blob.core.windows.net","wsuk1westprod.blob.core.windows.net","wsus1eastprod.blob.core.windows.net","wsus1westprod.blob.core.windows.net","wsus2eastprod.blob.core.windows.net","wsus2westprod.blob.core.windows.net","wsusd1centralff5.blob.core.usgovcloudapi.net","wsusd1eastff5.blob.core.usgovcloudapi.net","wsusg1texasff0.blob.core.usgovcloudapi.net","wsusg1texasff4.blob.core.usgovcloudapi.net","wsusg1virginiaff0.blob.core.usgovcloudapi.net","wsusg1virginiaff4.blob.core.usgovcloudapi.net","www.microsoft.com","x.cp.wd.microsoft.com"
	[CmdletBinding()]
	$processnames = Get-process \| Select-Object ProcessName
	Foreach ($ps in $processnames) {
	if ($ps.ProcessName -like "MsSense") {
	Write-Output ("[*] Defender ATP process " + $ps.ProcessName + " is running. Resolving ATP FQDN IP's and blocking them.")
	$MSATPCloudIPs = ($MSATPURLs \| Foreach {[System.Net.Dns]::GetHostAddresses($_) \| Select-Object -ExpandProperty IPAddressToString \| Foreach-Object {
	New-NetFirewallRule -DisplayName "Block Microsoft Defender ATP" -Enabled True -Action Block -LocalPort Any -Protocol TCP -Direction Outbound -RemoteAddress "$_"
	Write-Host "$_ - Outbound Firewall Block Was Added: $?"
	}})
	}
	}