
Conducting a thorough forensic investigation of compromised machines is integral to incident response. However, it can be a challenging task, because it requires the device to be on the corporate network and additional software to be deployed, or it requires SecOps to have physical access to the device.

 

In the modern workplace, employees often work beyond the corporate network boundary, at home or while traveling, where the risk of compromise is potentially higher. If, for example, an executive connects her laptop to a hotel Wi-Fi network and is compromised, SecOps may be forced to wait until the executive is back in the office, leaving her high-value laptop exposed in the meantime.

 

That changes today, with the public preview of live response capabilities in Microsoft Defender ATP. Live response gives SecOps instantaneous access to a compromised machine, regardless of its location, through a remote shell, so they can gather any required forensic information.

This powerful feature allows you to: 

  1. Gather a snapshot of connections, drivers, scheduled tasks, and services, as well as search for specific files or request file analysis to reach a verdict (clean, malicious, or suspicious)
  2. Download malware files for reverse engineering
  3. Create a tenant-level library of forensic tools, such as PowerShell scripts and third-party binaries, that allow SecOps to gather forensic information such as the MFT, firewall logs, event logs, process memory dumps, and others
  4. Run remediation activities such as quarantining a file, stopping a process, removing a registry entry, removing a scheduled task, and others

A few examples:

[Animated examples: Run basic commands; Run PowerShell scripts; Run remediation commands]

We know you’ll ask: this feature is very powerful; can I grant access only to senior SOC members?

Of course. Two roles can be granted access to live response using RBAC: one allows users to run basic commands, and the other also allows advanced commands, such as running PowerShell scripts or binary tools and downloading files.

 

Furthermore, all live response commands are audited and recorded in the Action center, where remediation actions can be undone where applicable (for example, releasing a file from quarantine).

 

To learn more, try the live response DIY or read the documentation.

 

 

Microsoft Defender ATP team