Block All Windows Defender/ATP Comms via FW (Privileged)
# https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-proxy-internet?view=o365-worldwide#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server | |
# https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx | |
# https://download.microsoft.com/download/6/a/0/6a041da5-c43b-4f17-8167-79dfdc10507f/mde-urls-gov.xlsx | |
# List of Microsoft Defender for Endpoint / Windows Update / telemetry FQDNs (commercial and US Gov clouds)
# taken from the Microsoft documentation linked above. Each entry is resolved with DNS below and every
# resulting address gets an outbound block rule.
# NOTE(review): the list includes broad shared endpoints (e.g. blob.core.windows.net, login.microsoftonline.com,
# windowsupdate.com); blocking those at the host firewall affects far more than Defender traffic and is a
# loud, easily audited change on any managed endpoint.
$MSATPURLs = "automatedirstrffusgt.blob.core.usgovcloudapi.net","automatedirstrffusgv.blob.core.usgovcloudapi.net","automatedirstrfmusmt.blob.core.usgovcloudapi.net","automatedirstrfmusmv.blob.core.usgovcloudapi.net","automatedirstrprdcus.blob.core.windows.net","automatedirstrprdcus3.blob.core.windows.net","automatedirstrprdeus.blob.core.windows.net","automatedirstrprdeus3.blob.core.windows.net","automatedirstrprdneu.blob.core.windows.net","automatedirstrprdneu3.blob.core.windows.net","automatedirstrprduks.blob.core.windows.net","automatedirstrprdukw.blob.core.windows.net","automatedirstrprdweu.blob.core.windows.net","automatedirstrprdweu3.blob.core.windows.net","blob.core.usgovcloudapi.net","blob.core.windows.net","blob.core.windows.net ","cdn.x.cp.wd.microsoft.com","checkappexec.microsoft.com","crl.microsoft.com","ctldl.windowsupdate.com","definitionupdates.microsoft.com","delivery.mp.microsoft.com","dm.microsoft.com","download.microsoft.com","download.windowsupdate.com","enterpriseregistration.windows.net","eu-v20.events.data.microsoft.com","eu.vortex-win.data.microsoft.com","europe.x.cp.wd.microsoft.com","events.data.microsoft.com","fe3cr.delivery.mp.microsoft.com","go.microsoft.com","login.live.com","login.microsoftonline.com","login.windows.net","microsoftonline-p.com","msdl.microsoft.com","ods.opinsights.azure.com","ods.opinsights.azure.us","officecdn-microsoft-com.akamaized.net","oms.opinsights.azure.com","oms.opinsights.azure.us","onboardingpackagescusprd.blob.core.windows.net","packages.microsoft.com","psapp.microsoft.com","psappeu.microsoft.com","secure.aadcdn.microsoftonline-p.com","security.microsoft.com","securitycenter.windows.com","settings-win.data.microsoft.com","smartscreen-prod.microsoft.com","smartscreen.microsoft.com","static2.sharepointonline.com","uk-v20.events.data.microsoft.com","uk.vortex-win.data.microsoft.com","unitedkingdom.x.cp.wd.microsoft.com","unitedstates.x.cp.wd.microsoft.com","unitedstates1.cp.wd.microsoft.us","unitedstates1.ss.w
d.microsoft.us","unitedstates1.x.cp.wd.microsoft.us","unitedstates2.cp.wd.microsoft.us","unitedstates2.ss.wd.microsoft.us","unitedstates2.x.cp.wd.microsoft.us","unitedstates4.cp.wd.microsoft.us","unitedstates4.ss.wd.microsoft.us","unitedstates4.x.cp.wd.microsoft.us","update.microsoft.com","urs.microsoft.com","us-v20.events.data.microsoft.com","us.vortex-win.data.microsoft.com","us4-v20.events.data.microsoft.com","usseu1northprod.blob.core.windows.net","usseu1westprod.blob.core.windows.net","ussuk1southprod.blob.core.windows.net","ussuk1westprod.blob.core.windows.net","ussus1eastprod.blob.core.windows.net","ussus1westprod.blob.core.windows.net","ussus2eastprod.blob.core.windows.net","ussus2westprod.blob.core.windows.net","ussus3eastprod.blob.core.windows.net","ussus3westprod.blob.core.windows.net","ussus4eastprod.blob.core.windows.net","ussus4westprod.blob.core.windows.net","ussusd1centralff5.blob.core.usgovcloudapi.net","ussusd1eastff5.blob.core.usgovcloudapi.net","ussusd2centralff5.blob.core.usgovcloudapi.net","ussusd2eastff5.blob.core.usgovcloudapi.net","ussusg1texasff0.blob.core.usgovcloudapi.net","ussusg1texasff4.blob.core.usgovcloudapi.net","ussusg1virginiaff0.blob.core.usgovcloudapi.net","ussusg1virginiaff4.blob.core.usgovcloudapi.net","ussusg2texasff0.blob.core.usgovcloudapi.net","ussusg2texasff4.blob.core.usgovcloudapi.net","ussusg2virginiaff0.blob.core.usgovcloudapi.net","ussusg2virginiaff4.blob.core.usgovcloudapi.net","vortex-win.data.microsoft.com","wd.microsoft.com","wdcp.microsoft.com","winatp-gw-cus.microsoft.com","winatp-gw-cus3.microsoft.com","winatp-gw-eus.microsoft.com","winatp-gw-eus3.microsoft.com","winatp-gw-neu.microsoft.com","winatp-gw-neu3.microsoft.com","winatp-gw-uks.microsoft.com","winatp-gw-ukw.microsoft.com","winatp-gw-usgt.microsoft.com","winatp-gw-usgv.microsoft.com","winatp-gw-usmt.microsoft.com","winatp-gw-usmv.microsoft.com","winatp-gw-weu.microsoft.com","winatp-gw-weu3.microsoft.com","windowsupdate.com","wns.windows.com","wseu1nort
hprod.blob.core.windows.net","wseu1westprod.blob.core.windows.net","wsuk1southprod.blob.core.windows.net","wsuk1westprod.blob.core.windows.net","wsus1eastprod.blob.core.windows.net","wsus1westprod.blob.core.windows.net","wsus2eastprod.blob.core.windows.net","wsus2westprod.blob.core.windows.net","wsusd1centralff5.blob.core.usgovcloudapi.net","wsusd1eastff5.blob.core.usgovcloudapi.net","wsusg1texasff0.blob.core.usgovcloudapi.net","wsusg1texasff4.blob.core.usgovcloudapi.net","wsusg1virginiaff0.blob.core.usgovcloudapi.net","wsusg1virginiaff4.blob.core.usgovcloudapi.net","www.microsoft.com","x.cp.wd.microsoft.com" | |
# Main flow: if a process whose name matches *MsSense* (the Defender for Endpoint sensor) is running,
# resolve every FQDN in $MSATPURLs and add an outbound TCP block rule per resolved address.
# Requires local administrator rights: New-NetFirewallRule writes to the Windows Firewall policy store.
# Defender's view: this leaves durable, attributable artifacts — a firewall rule with the fixed
# DisplayName "Block Microsoft Defender ATP" (visible in Get-NetFirewallRule and firewall rule-change
# auditing), plus a burst of DNS lookups for the whole MDE endpoint list from the host. Loss of sensor
# heartbeat / telemetry after such rule creation is the signal to alert on in the portal.
# NOTE(review): [CmdletBinding()] is followed directly by statements rather than a param() block — confirm intent.
[CmdletBinding()] | |
# Snapshot of running processes, reduced to the ProcessName property only.
$processnames = Get-process | Select-Object ProcessName | |
Foreach ($ps in $processnames) { | |
# Wildcard match on the sensor process name; the block below runs once per matching process.
if ($ps.ProcessName -like "*MsSense*") { | |
Write-Output ("[*] Defender ATP process " + $ps.ProcessName + " is running. Resolving ATP FQDN IP's and blocking them.") | |
# Outer loop: one DNS resolution per FQDN (all records returned by GetHostAddresses).
# Inner loop: $_ is each resolved address string; one rule is created per address.
$MSATPCloudIPs = ($MSATPURLs | Foreach {[System.Net.Dns]::GetHostAddresses($_) | Select-Object -ExpandProperty IPAddressToString | Foreach-Object { | |
# Rule scope as written: outbound, TCP only, any local port, single remote address, action Block.
New-NetFirewallRule -DisplayName "Block Microsoft Defender ATP" -Enabled True -Action Block -LocalPort Any -Protocol TCP -Direction Outbound -RemoteAddress "$_" | |
# $? here is the success status of the preceding New-NetFirewallRule call.
Write-Host "$_ - Outbound Firewall Block Was Added: $?" | |
}}) | |
} | |
} |