Forum Discussion

Sankaperera
Copper Contributor
Apr 04, 2024
Solved

How to generate a memory dump using Live response

Hi All,

I want to get a memory dump using Defender Live Response. I am using the DumpIT.exe file.

When I execute run DumpIT.exe I am getting the errors below. Any idea would be greatly appreciated.

C:\> run DumpIt.exe
Transcript started, output file is C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{D27360F8-2165-4480-A8C2-A4F8C1DEA990}.txt

Errors:
At C:\ProgramData\Microsoft\Windows Defender Advanced Threat 
Protection\Downloads\PSScript_{D27360F8-2165-4480-A8C2-A4F8C1DEA990}.ps1:22 char:85
                                                                        ~
Missing closing ')' in expression.
At C:\ProgramData\Microsoft\Windows Defender Advanced Threat 
Protection\Downloads\PSScript_{D27360F8-2165-4480-A8C2-A4F8C1DEA990}.ps1:30 char:234

+                                                                 ~
Unexpected token ')' in expression or statement.
At C:\ProgramData\Microsoft\Windows Defender Advanced Threat 
Protection\Downloads\PSScript_{D27360F8-2165-4480-A8C2-A4F8C1DEA990}.ps1:30 char:236

                                                               ~
Unexpected token '}' in expression or statement.
At C:\ProgramData\Microsoft\Windows Defender Advanced Threat 
Protection\Downloads\PSScript_{D27360F8-2165-4480-A8C2-A4F8C1DEA990}.ps1:30 char:243

                                                                 ~
Unexpected token '}' in expression or statement.
At C:\ProgramData\Microsoft\Windows Defender Advanced Threat 
Protection\Downloads\PSScript_{D27360F8-2165-4480-A8C2-A4F8C1DEA990}.ps1:30 char:249

                                                                ~
Unexpected token '}' in expression or statement.
At C:\ProgramData\Microsoft\Windows Defender Advanced Threat 
Protection\Downloads\PSScript_{D27360F8-2165-4480-A8C2-A4F8C1DEA990}.ps1:30 char:256
                                                                ~
Unexpected token '}' in expression or statement.
At C:\ProgramData\Microsoft\Windows Defender Advanced Threat 
Protection\Downloads\PSScript_{D27360F8-2165-4480-A8C2-A4F8C1DEA990}.ps1:31 char:258
                                                                 ~
Missing expression after unary operator ','.
At C:\ProgramData\Microsoft\Windows Defender Advanced Threat 
Protection\Downloads\PSScript_{D27360F8-2165-4480-A8C2-A4F8C1DEA990}.ps1:31 char:258
                                                              ~
Unexpected token '' in expression or statement.
At C:\ProgramData\Microsoft\Windows Defender Advanced Threat 
Protection\Downloads\PSScript_{D27360F8-2165-4480-A8C2-A4F8C1DEA990}.ps1:31 char:258
                                                                ~
Missing closing ')' in expression.
At C:\ProgramData\Microsoft\Windows Defender Advanced Threat 
Protection\Downloads\PSScript_{D27360F8-2165-4480-A8C2-A4F8C1DEA990}.ps1:35 char:54
                                                      ~
Missing closing ')' in expression.
Not all parse errors were reported.  Correct the reported errors and try again.
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : MissingEndParenthesisInExpression

  • Hi Sankaperera, I highly recommend reading through the two articles linked on this GitHub page: Remote collection of Windows Forensic Artifacts using KAPE and MDE

    Kape in MDE - GitHub 

    Be sure to read them thoroughly so as to understand how it all works. IIRC I had to modify a few bits (I'll check tomorrow). It works like a charm though. Build the collector, push the kape zip, send the collection command and profit!

    Keep in mind Live Response does have limitations you may hit if you're expecting to pull full memory images. See here: Live Response limitations 

    • Live response sessions are limited to 25 live response sessions at a time.

    • Live response session inactive timeout value is 30 minutes.

    • Individual live response commands have a time limit of 10 minutes, with the exception of getfile, findfile, and run, which have a limit of 30 minutes.

    • A user can initiate up to 10 concurrent sessions.

    • A device can only be in one session at a time.

    • The following file size limits apply:

      • getfile limit: 3 GB

      • fileinfo limit: 30 GB

      • library limit: 250 MB

    There's another project I've read about but have never personally used and therefore can't vouch for. Nevertheless, it looks promising. The project description reads: "A collection of powershell scripts that are designed to be ran from a Microsoft Defender for Endpoint Live Response terminal, utilizing open-source tools, such as Kape (Kroll Artifact Parser and Extractor), to forensically acquire and process necessary artifact used in compromise assessments. Additional scripts provide pre-processing automation …"

    SAP: MDE Forensic-Artifact-Automation 

    Happy hunting!

    - Dylan

7 Replies

  • jbmartin6
    Iron Contributor
    The "run" command in Live Response only executes PowerShell scripts. The errors here come up because it is trying to interpret the bytes of the file dumpit.exe as PowerShell.
    • Sankaperera
      Copper Contributor
      Thanks for the response. Do you know any PS script to get a memory dump using live response?
      • jbmartin6
        Iron Contributor
        I don't know of any; it is possible that taking a full disk image is not possible within .NET libraries. I know there are ways to get memory dumps of specific processes. I would try running dumpit.exe from inside a PowerShell script.
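The two points made in this thread, that run only executes PowerShell so the executable has to be started from inside a script, and that the getfile limit quoted in the accepted answer is 3 GB, can be combined into one wrapper script. The script below is an added example and is not code from the thread, from DumpIt, from KAPE or from Microsoft. Assumptions are labelled in the comments: the script name Invoke-MemoryDump.ps1, the Downloads folder taken from the transcript in the question (where Live Response places library files), and the DumpIt switches /OUTPUT and /QUIET, which belong to the Comae/Magnet build and should be confirmed with DumpIt.exe /? on a test machine before use. Since run itself is capped at 30 minutes, the whole acquisition has to fit inside that window.

```powershell
# Invoke-MemoryDump.ps1 (hypothetical name; added example, not code from the thread)
#
# Upload this script and DumpIt.exe to the Live Response library, then start it with
#   run Invoke-MemoryDump.ps1
# Because "run" only executes PowerShell, the executable is launched from inside the
# script. Library files land in the Downloads folder seen in the question's transcript.

param(
    [string]$DumpItPath = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\DumpIt.exe',
    [string]$OutputDir  = "$env:SystemDrive\Temp\memdump",
    [string]$OutputName = "$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss).dmp"
)

$ErrorActionPreference = 'Stop'

# getfile limit quoted in the accepted answer; larger images need another retrieval path.
$GetFileLimit = 3GB

if (-not (Test-Path -LiteralPath $DumpItPath)) {
    throw "DumpIt.exe not found at '$DumpItPath'. Upload it to the library first."
}
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$outFile = Join-Path $OutputDir $OutputName

# A raw image is roughly the size of physical RAM; refuse to start on a volume that
# cannot hold it with some headroom, rather than filling the disk halfway through.
$ram  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($OutputDir.Substring(0,2))'"
if ($disk.FreeSpace -lt ($ram * 1.2)) {
    throw ("Only {0:N1} GB free on {1} but RAM is {2:N1} GB." -f ($disk.FreeSpace / 1GB), $disk.DeviceID, ($ram / 1GB))
}

# Assumed DumpIt switches (verify with "DumpIt.exe /?"): /OUTPUT selects the destination,
# /QUIET suppresses the interactive confirmation that would hang a non-interactive session.
$dumpItArgs = @('/OUTPUT', "`"$outFile`"", '/QUIET')

$started = Get-Date
$proc = Start-Process -FilePath $DumpItPath -ArgumentList $dumpItArgs `
                      -WorkingDirectory $OutputDir -NoNewWindow -Wait -PassThru
$elapsed = (Get-Date) - $started

if ($proc.ExitCode -ne 0) {
    throw "DumpIt exited with code $($proc.ExitCode) after $elapsed."
}
if (-not (Test-Path -LiteralPath $outFile)) {
    throw "DumpIt reported success but '$outFile' does not exist."
}

$dump = Get-Item -LiteralPath $outFile
# Hash at acquisition time so the copy retrieved later can be checked against it.
$hash = (Get-FileHash -LiteralPath $outFile -Algorithm SHA256).Hash

$warnings = @()
if ($dump.Length -gt $GetFileLimit) {
    $warnings += ("Image is {0:N1} GB, above the 3 GB getfile limit; retrieve it another way." -f ($dump.Length / 1GB))
}

# This summary is what the Live Response console shows when the script finishes.
[PSCustomObject]@{
    Host     = $env:COMPUTERNAME
    Image    = $outFile
    SizeGB   = [math]::Round($dump.Length / 1GB, 2)
    SHA256   = $hash
    Elapsed  = $elapsed.ToString()
    Warnings = ($warnings -join ' ')
} | Format-List
```

The free-space check and the size warning are there because a full RAM image of a typical workstation is well above the 3 GB getfile limit listed in the accepted answer, so the script reports the problem instead of leaving a large file on the endpoint that cannot be pulled back through the same session.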
