Live Response is a new feature in Microsoft Defender Advanced Threat Protection (ATP). Live Response gives you instantaneous access to a machine using a remote shell connection. The direct shell connection allows you to investigate and take immediate response actions in real time.
Per Microsoft – Live response allows running four types of commands:
- Run basic and advanced commands to do investigative work.
- Download files such as malware samples and outcomes of PowerShell scripts.
- Run remediation / undo remediation commands.
- Upload a PowerShell script or executable file to a library and run it on the machine from a
Lets now walk through enabling the new feature, connecting to a device to run basic commands for investigative work, and finish with discussing a forensic capture of the system memory.
Windows 10 version 18323 (also known as Windows 10 19H1) or later.
Must have Role Based Access Control enabled.
Enable Role Based Access Control (RBAC) in Defender ATP:
Login to Microsoft Defender ATP.
Select Settings > Roles > Turn on roles.
Once enabled add any users to the Microsoft Defender ATP administrator (default) group that will be using Live Response.
Enable Live Response:
While in Settings select Advanced features and turn On Live Response.
Note: you can also enable Live Response Unsigned Script Execution if you plan to run unsigned scripts. This feature can potentially expose you to threats.
Initiate a Live Response Session:
Select Machines List or search for Machine at the top of the Microsoft Defender Security Center.
Select your Machine and click Initiate Live Response Session.
This will open a console session.
Help will give the list of commands:
analyze – Analyzes the entity for threats and returns a verdict (malicious, clean, suspicious)
cd – Changes the current folder
cls – Clears the console screen
connect – Establishes connection with the machine for the live response session
connections – Shows all active connections
dir – Shows the list of files and sub-folders in a folder
drivers – Shows all drivers installed on the machine
fileinfo – Shows information about a file
findfile – Locates files with a given name on the machine
getfile – Downloads a file from the machine
help – Shows information about live response commands
library Lists or takes action on files in the live response library
persistence – Shows all known persistence methods on the machine
processes – Shows all processes running on the machine
putfile – Uploads a file from the library to a temporary working folder on the machine
registry – Shows information about specific keys or values in the registry
remediate – Remediates an entity on the machine. The remediation action taken will vary depending on the type of entity
run – Runs a PowerShell script from the library on the machine
scheduledtasks – Shows all scheduled tasks on the machine
services – Shows all the services on the machine
trace – Sets logging on this console to debug mode
undo – Restores an entity that was remediated
Run a Forensics Memory Dump Capture:
The new Live Response session also allows for running a forensics capture tool such as sysinternals or dumpit.
Example using Dumpit, download the Dumpit Application.
Extract the executable and then once in a Live Response session, click Upload file to library.
Run the command:
Next run the command:
Note: this will create a Raw Memory file and need a tool such as Volitility to analyze. You can utilize the Getfile command above.