Back in May the Microsoft Defender Advanced Threat Protection team announced the availability of the Live response feature in MDATP. Today I took a closer look at this and thought I’d share my experiences and findings.
What’s that live response thing again? “Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.”
In order to make use of the MDATP Live Response feature, the target machine must be running the latest version of Windows 10, which at the time of writing this blogpost is version 1903. Furthermore, if you haven’t done so yet, the feature must be enabled within the MDATP Portal.
When you have setup RBAC in MDATP (more on that here) Live response also has two permissions sets. Basic and Advanced which relates to the set of commands you’re allowed to use within the live response session, more on that later.
Now let’s head over to a machine that’s capable of running a Live Response session.
Select Initiate Live Response session and wait for the magic to happen. On a side note, depending on the circumstances you can also Isolate the machine first from the network by selecting Isolate machine, you will still be able to establish a live response session.
And provided all works as expected after a few seconds we have our live response session running.
Looks like a command prompt, but it’s not, The MDATP has its own shell where you can do the following:
- Run basic and advanced commands to do investigative work
- Download files such as malware samples and outcomes of PowerShell scripts
- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level
- Take or undo remediation actions
At present, the following command are available.
| Command | Description | Basic/Advanced |
| analyze | Analyzes the entity for threats and returns a verdict (malicious, clean, suspicious) | Advanced |
| cd | Changes the current folder | Basic |
| cls | Clears the console screen | Basic |
| connect | Establishes connection with the machine for the live response session | Basic |
| connections | Shows all active connections | Basic |
| dir | Shows the list of files and sub-folders in a folder | Basic |
| drivers | Shows all drivers installed on the machine | Basic |
| fileinfo | Shows information about a file | Basic |
| findfile | Locates files with a given name on the machine | Basic |
| getfile | Downloads a file from the machine | Advanced |
| help | Shows information about live response commands | Basic |
| library | Lists or takes action on files in the live response library | library |
| persistence | Shows all known persistence methods on the machine | Basic |
| processes | Shows all processes running on the machine | Basic |
| putfile | Uploads a file from the library to a temporary working folder on the machine | Advanced |
| registry | Shows information about specific keys or values in the registry | Basic |
| remediate | Remediates an entity on the machine. The remediation action taken will vary depending on the type of entity | Advanced |
| run | Runs a PowerShell script from the library on the machine | Advanced |
| scheduledtasks | Shows all scheduled tasks on the machine | Basic |
| services | Shows all the services on the machine | Basic |
| trace | Sets logging on this console to debug mode | Basic |
| undo | Restores an entity that was remediated | Advanced |
Just type help within the live response shell to get a list of all commands
And more detailed help for a specific command by typing HELP command-name
Some commands allow you to specify the output format for the results, i.e. json or table.
Tip: If you want to transfer the results to your Windows client, simply pipe the output and it will be directly downloaded in your browser.
As we can see the live response shell provides a number of useful built-in commands, but what if we want to do more? Here’s where the run command comes in, the run command allows you to run a PowerShell script from the library. We can either run plain PowerShell code or simply use the script to run a built-in or 3rd party command application. Note that when running a 3rd party executable it must also be uploaded to the library.
Now before we can run any PowerShell scripts, we first have to upload it to the Library then download it to the remote session and execute it. Open your favorite script editor (PowerShell ISE, Visual Code) and save the following to run-lrwhoami.ps1
| Function Run-LRWhoami
{ <# .Synopsis Executes whoami witin an MDATP Live response session .Description Executes whoami witin an MDATP Live response session Within an MDATP Live Response session run the following commands to download the content to the machine putfile Run-LRWhoami.ps1 run the following command witin the live response session to execute the sript run Run-LRWhoami #> whoami /ALL /FO TABLE } ## Run it Run-LRWhoami |
Then select Upload file to library, choose file, provide a description and then Confirm adding the file to the library.
Wait for the notification as shown below.
Within the live response shell we can get a list of all available scripts that are currently stored in the library
Before we can execute the script we must first download it into the session.
Now that the file is downloaded, we can execute it.
As mentioned before, if the script depends on other content that’s not already on the device, it must be included in the library. Below an example.
| Function Dump-LRNTFSInfo
{ <# .Synopsis Executes ntfsinfo64.exe witin an MDATP Live response session .Description Executes ntfsinfo64.exe witin an MDATP Live response session ntfsinfo64.exe binaries can be downloaded from: https://docs.microsoft.com/en-us/sysinternals/downloads/ntfsinfo ntfsinfo64.exe and dump-LRNTFSInfo must be stored in the MDATP Script Library and downloaded to the remote machine Within an MDATP Live Response session run the following commands to download the content to the machine putfile ntfsinfo64.exe putfile Dump-LRNTFSInfo.ps1 Then run the following command within the live response session to execute the sript run Dump-LRNTFSInfo.ps1 #> If (Test-Path $PSScriptRoot\ntfsinfo64.exe -PathType Leaf) { .\ntfsinfo64.exe /accepteula c:\ } Else { Write-Warning “ntfsinfo64.exe not found in $PSScriptRoot. Run ‘putfile ntfsinfo64.exe'” } } ## Run it Dump-LRNTFSInfo |
When conducting an investigation, it’s critical that all actions are properly documented, MDATP helps you here, the command log provides a detailed overview of all the commands executed during the session.
Let’s assume we found something bad on a machine and want to stop it, here we can make use of the live response remediate command
First run fileinfo and the file we want to remediate
Then remediate and the file to remediate
When we take a look at the Defender Quarantine , we can see the entry as well.
Windows Events: Whenever I explore new things, I check what’s happening in the event logs, and yes live response activities can be found there as well.
If you have a need to monitor MDATP live response activities on your clients, take a look at the following Widows event log providers:
- Microsoft-Windows-SenseIR
- Microsoft-Windows-SENSE
Tip: Run the following PowerShell commands to get a list of all possible events:
(Get-WinEvent
-ListProvider
Microsoft-Windows-SENSE).Events |
Select-Object
ID, Description
(Get-WinEvent
-ListProvider
Microsoft-Windows-SenseIR).Events |
Select-Object
ID, Description
And last but not least, if you ever get an error as the one below, it means that the client is most likely running a automated investigation / remediation. In that case you’ll have to wait until that one is completed.
Error: There is already a running automated investigation: ’97’, cannot run a session with automated investigation in the same time
Well that’s it for today, as always, I hope you found this blog post useful, any feedback is always welcome
Cheers
Alex
One Reply to “Microsoft Defender ATP – Live Response”