Microsoft Defender ATP – Live Response

Back in May the Microsoft Defender Advanced Threat Protection team announced the availability of the Live response feature in MDATP. Today I took a closer look at this and thought I’d share my experiences and findings.

What’s that live response thing again? “Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.”

In order to make use of the MDATP Live Response feature, the target machine must be running the latest version of Windows 10, which at the time of writing this blogpost is version 1903. Furthermore, if you haven’t done so yet, the feature must be enabled within the MDATP Portal.

When you have setup RBAC in MDATP (more on that here) Live response also has two permissions sets. Basic and Advanced which relates to the set of commands you’re allowed to use within the live response session, more on that later.

Now let’s head over to a machine that’s capable of running a Live Response session.

Select Initiate Live Response session and wait for the magic to happen. On a side note, depending on the circumstances you can also Isolate the machine first from the network by selecting Isolate machine, you will still be able to establish a live response session.

And provided all works as expected after a few seconds we have our live response session running.

Looks like a command prompt, but it’s not, The MDATP has its own shell where you can do the following:

  • Run basic and advanced commands to do investigative work
  • Download files such as malware samples and outcomes of PowerShell scripts
  • Upload a PowerShell script or executable to the library and run it on the machine from a tenant level
  • Take or undo remediation actions

At present, the following command are available.

Command Description Basic/Advanced
analyze Analyzes the entity for threats and returns a verdict (malicious, clean, suspicious) Advanced
cd Changes the current folder Basic
cls Clears the console screen Basic
connect Establishes connection with the machine for the live response session Basic
connections Shows all active connections Basic
dir Shows the list of files and sub-folders in a folder Basic
drivers Shows all drivers installed on the machine Basic
fileinfo Shows information about a file Basic
findfile Locates files with a given name on the machine Basic
getfile Downloads a file from the machine Advanced
help Shows information about live response commands Basic
library Lists or takes action on files in the live response library library
persistence Shows all known persistence methods on the machine Basic
processes Shows all processes running on the machine Basic
putfile Uploads a file from the library to a temporary working folder on the machine Advanced
registry Shows information about specific keys or values in the registry Basic
remediate Remediates an entity on the machine. The remediation action taken will vary depending on the type of entity Advanced
run Runs a PowerShell script from the library on the machine Advanced
scheduledtasks Shows all scheduled tasks on the machine Basic
services Shows all the services on the machine Basic
trace Sets logging on this console to debug mode Basic
undo Restores an entity that was remediated Advanced

Just type help within the live response shell to get a list of all commands

And more detailed help for a specific command by typing HELP command-name

Some commands allow you to specify the output format for the results, i.e. json or table.

Tip: If you want to transfer the results to your Windows client, simply pipe the output and it will be directly downloaded in your browser.

As we can see the live response shell provides a number of useful built-in commands, but what if we want to do more? Here’s where the run command comes in, the run command allows you to run a PowerShell script from the library. We can either run plain PowerShell code or simply use the script to run a built-in or 3rd party command application. Note that when running a 3rd party executable it must also be uploaded to the library.

Now before we can run any PowerShell scripts, we first have to upload it to the Library then download it to the remote session and execute it. Open your favorite script editor (PowerShell ISE, Visual Code) and save the following to run-lrwhoami.ps1

Function Run-LRWhoami

{

<#

.Synopsis

Executes whoami witin an MDATP Live response session

.Description

Executes whoami witin an MDATP Live response session

Within an MDATP Live Response session run the following commands to download the content to the machine

putfile Run-LRWhoami.ps1

run the following command witin the live response session to execute the sript

run Run-LRWhoami

#>

whoami /ALL /FO TABLE

}

## Run it

Run-LRWhoami

Then select Upload file to library, choose file, provide a description and then Confirm adding the file to the library.

Wait for the notification as shown below.

Within the live response shell we can get a list of all available scripts that are currently stored in the library

Before we can execute the script we must first download it into the session.

Now that the file is downloaded, we can execute it.

As mentioned before, if the script depends on other content that’s not already on the device, it must be included in the library. Below an example.

Function Dump-LRNTFSInfo

{

<#

.Synopsis

Executes ntfsinfo64.exe witin an MDATP Live response session

.Description

Executes ntfsinfo64.exe witin an MDATP Live response session

ntfsinfo64.exe binaries can be downloaded from: https://docs.microsoft.com/en-us/sysinternals/downloads/ntfsinfo

ntfsinfo64.exe and dump-LRNTFSInfo must be stored in the MDATP Script Library and downloaded

to the remote machine

Within an MDATP Live Response session run the following commands to download the content to the machine

putfile ntfsinfo64.exe

putfile Dump-LRNTFSInfo.ps1

Then run the following command within the live response session to execute the sript

run Dump-LRNTFSInfo.ps1

#>

If (Test-Path $PSScriptRoot\ntfsinfo64.exe -PathType Leaf)

{

.\ntfsinfo64.exe /accepteula c:\

}

Else

{

Write-Warning “ntfsinfo64.exe not found in $PSScriptRoot. Run ‘putfile ntfsinfo64.exe'”

}

}

## Run it

Dump-LRNTFSInfo

When conducting an investigation, it’s critical that all actions are properly documented, MDATP helps you here, the command log provides a detailed overview of all the commands executed during the session.

Let’s assume we found something bad on a machine and want to stop it, here we can make use of the live response remediate command

First run fileinfo and the file we want to remediate

Then remediate and the file to remediate

When we take a look at the Defender Quarantine , we can see the entry as well.

Windows Events: Whenever I explore new things, I check what’s happening in the event logs, and yes live response activities can be found there as well.

If you have a need to monitor MDATP live response activities on your clients, take a look at the following Widows event log providers:

  • Microsoft-Windows-SenseIR
  • Microsoft-Windows-SENSE

Tip: Run the following PowerShell commands to get a list of all possible events:

(Get-WinEvent
-ListProvider
Microsoft-Windows-SENSE).Events |
Select-Object
ID, Description

(Get-WinEvent
-ListProvider
Microsoft-Windows-SenseIR).Events |
Select-Object
ID, Description

And last but not least, if you ever get an error as the one below, it means that the client is most likely running a automated investigation / remediation. In that case you’ll have to wait until that one is completed.

Error: There is already a running automated investigation: ’97’, cannot run a session with automated investigation in the same time

Well that’s it for today, as always, I hope you found this blog post useful, any feedback is always welcome

Cheers

Alex

Leave a Reply