Check if EDR/XDR is running

CrowdStrike Falcon

ps -e | grep falcon-sensor

Microsoft Defender for Endpoint (MDE)

Check whether /opt/microsoft contains an mdatp directory (the Linux agent still installs under the old "Defender ATP" name):

ls /opt/microsoft

Check whether the mdatp service account exists:

id "mdatp"
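The three checks above folded into one function, as an added example that is not part of the original notes. It also looks for the CrowdStrike install directory (/opt/CrowdStrike), the Falcon process variant falcon-sensor-bpf and the MDE daemon wdavdaemon, which are the products' documented locations and process names; the function name edr_indicators and its ROOT prefix argument (so the path checks can be exercised against a staged directory tree) are this example's own.

```shell
#!/bin/sh
# edr_indicators [ROOT]: print one line per EDR indicator found, return 0 if
# any was found. ROOT is a prefix for the path checks; leave it empty on the
# live host, or point it at a staged tree to test the function offline.
edr_indicators() {
  root=${1:-}
  found=0

  # CrowdStrike Falcon: the sensor runs as falcon-sensor (falcon-sensor-bpf on
  # newer builds) and installs under /opt/CrowdStrike.
  if ps -e -o comm= 2>/dev/null | grep -q '^falcon-sensor'; then
    echo "crowdstrike: falcon-sensor process is running"; found=1
  fi
  if [ -d "$root/opt/CrowdStrike" ]; then
    echo "crowdstrike: $root/opt/CrowdStrike is present"; found=1
  fi

  # Microsoft Defender for Endpoint: the daemon is wdavdaemon, the install
  # tree is /opt/microsoft/mdatp and it runs under the mdatp service account.
  if ps -e -o comm= 2>/dev/null | grep -q '^wdavdaemon'; then
    echo "defender: wdavdaemon process is running"; found=1
  fi
  if [ -d "$root/opt/microsoft/mdatp" ]; then
    echo "defender: $root/opt/microsoft/mdatp is present"; found=1
  fi
  if id mdatp >/dev/null 2>&1; then
    echo "defender: mdatp service account exists"; found=1
  fi

  [ "$found" -eq 1 ]
}

# On the live host:
#   edr_indicators || echo "no EDR indicators found"
```

The process checks always run against the live host; only the directory checks honour ROOT. A silent result means none of these specific indicators matched, not that no agent is installed.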

Find interesting files by keyword

grep -rniI --exclude-dir={proc,sys,dev,run} "password" /target/directory 2>/dev/null
(replace /target/directory with the tree to search, / for the whole filesystem; -I skips binary files, --exclude-dir skips the pseudo-filesystems and relies on bash brace expansion, and 2>/dev/null hides permission-denied noise)
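A broader version of the keyword search, added here as an example rather than taken from the original notes: one pass greps for several credential keywords at once, a second pass finds files that are interesting by name regardless of content. The keyword and file-name lists, and the names find_secrets and find_cred_files, are this example's own choices.

```shell
#!/bin/sh
# find_secrets DIR [EXTENDED_REGEX]: case-insensitive recursive search that
# skips binary files (-I) and the proc/sys/dev/run pseudo-filesystems.
# Constructed default pattern covers the usual credential keywords.
find_secrets() {
  dir=$1
  pattern=${2:-'password|passwd|secret|api[_-]?key|token|BEGIN [A-Z ]*PRIVATE KEY'}
  grep -rniIE \
    --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev --exclude-dir=run \
    -e "$pattern" "$dir" 2>/dev/null
}

# find_cred_files DIR: files worth reading because of their name alone
# (SSH keys, certificates, dotenv files, password databases, shell history).
# Pseudo-filesystems are pruned by path so DIR=/ does not wander into /proc.
find_cred_files() {
  root=${1%/}
  find "${1:-/}" \
    \( -path "$root/proc" -o -path "$root/sys" -o -path "$root/dev" -o -path "$root/run" \) -prune -o \
    -type f \( -name 'id_rsa' -o -name 'id_ed25519' -o -name 'id_ecdsa' \
               -o -name '*.pem' -o -name '*.key' -o -name '*.p12' -o -name '*.pfx' \
               -o -name '.env' -o -name '.netrc' -o -name '.git-credentials' \
               -o -name '*.kdbx' -o -name '*history' \) -print 2>/dev/null
}

# Typical use on a target:
#   find_secrets /etc; find_secrets /home; find_secrets /var/www
#   find_cred_files /home
```

Start with /etc, /home, /var/www and /opt rather than / on a large host; the full-filesystem run is slow and mostly returns package documentation that happens to mention "password".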

Find running processes and their listening ports

sudo lsof -nP -iTCP -sTCP:LISTEN

More advanced: reports full binary path, arguments, listening port, PID and running user. -iUDP adds bound UDP sockets, which have no LISTEN state. Only lsof runs as root in the pipeline; the while loop runs as you, and /proc/<pid>/exe of another user's process is not readable, so readlink needs sudo as well. The awk columns assume the COMMAND field contains no spaces.

sudo lsof -nP -iTCP -sTCP:LISTEN -iUDP | awk 'NR>1 {print $2, $3, $9}' | sort -u | while read -r pid user port; do exe=$(sudo readlink -f /proc/$pid/exe 2>/dev/null); cmdline=$(tr '\0' ' ' < /proc/$pid/cmdline 2>/dev/null); echo "User $user | PID $pid | Port $port => $exe $cmdline"; done
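The same report built on lsof's machine-readable field output (-F, one field per line) instead of fixed awk columns, added here as an example and not part of the original notes. The parser no longer breaks when a COMMAND contains a space, and the /proc lookup retries through sudo -n so it never hangs on a password prompt. The function names parse_lsof_fields, proc_info and listeners are this example's own.

```shell
#!/bin/sh
# parse_lsof_fields: read "lsof -F pLPn" output on stdin and emit
# "PID USER PROTO NAME" lines. p (PID) and L (login) are per-process fields,
# P (protocol) and n (address:port) per-socket; any other field line lsof
# adds on its own (such as f, the descriptor) is ignored.
parse_lsof_fields() {
  awk '
    /^p/ { pid   = substr($0, 2) }
    /^L/ { user  = substr($0, 2) }
    /^P/ { proto = substr($0, 2) }
    /^n/ { print pid, user, proto, substr($0, 2) }
  ' | sort -u
}

# proc_info PID: binary path and argument vector from /proc.
# /proc/PID/exe is readable only by the owner or root, so retry via
# non-interactive sudo when the direct readlink fails; fall back to ps if
# /proc yields nothing at all (hidepid mounts). Returns 1 if nothing is found.
proc_info() {
  pid=$1
  exe=$(readlink /proc/"$pid"/exe 2>/dev/null || sudo -n readlink /proc/"$pid"/exe 2>/dev/null)
  args=$(tr '\0' ' ' < /proc/"$pid"/cmdline 2>/dev/null)
  [ -n "$exe$args" ] || args=$(ps -o args= -p "$pid" 2>/dev/null)
  [ -n "$exe$args" ] || return 1
  printf '%s %s' "$exe" "$args"
}

# listeners: TCP sockets in LISTEN state plus all UDP sockets, one
# tab-separated line per socket: USER PID PROTO ADDRESS:PORT EXE ARGS
listeners() {
  sudo lsof -nP -iTCP -sTCP:LISTEN -iUDP -F pLPn 2>/dev/null | parse_lsof_fields |
    while read -r pid user proto name; do
      printf '%s\t%s\t%s\t%s\t%s\n' "$user" "$pid" "$proto" "$name" "$(proc_info "$pid")"
    done
}

# Usage:  listeners | column -t -s "$(printf '\t')"
```

A socket that shows an exe ending in "(deleted)" belongs to a process whose binary was removed or replaced after it started, which is worth a closer look on a host you are assessing.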