Conducting a thorough forensic investigation of compromised machines is integral to incident response. However, it can be a challenging task because it requires the device to be on the corporate network with additional software deployed, or for SecOps to have physical access to the device.
In the modern workplace, employees often work beyond the corporate network boundary, at their homes or while traveling, where the risk for compromise is potentially higher. If, for example, an executive connects her laptop to a hotel wi-fi and is compromised, SecOps may be forced to wait until the executive is back in the office, leaving her high-value laptop exposed.
That changes today, with the public preview of live response capabilities in Microsoft Defender ATP. Live response gives SecOps instantaneous access to a compromised machine, regardless of its location, through a remote shell, so they can gather any required forensic information.
This powerful feature allows you to:
Gather a snapshot of connections, drivers, scheduled tasks, and services, as well as search for specific files or request file analysis to reach a verdict (clean, malicious, or suspicious)
Download malware files for reverse-engineering
Create a tenant-level library of forensic tools, such as PowerShell scripts and third-party binaries, that allow SecOps to gather forensic information like the MFT, firewall logs, event logs, process memory dumps, and more
Run remediation activities such as quarantining a file, stopping a process, removing registry entries, removing a scheduled task, and others
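As an added example (not code from the original post or from Microsoft), the script below is the kind of PowerShell triage script a SecOps team might place in the tenant-level library and run through live response to take a snapshot of connections, drivers, scheduled tasks, services, firewall profile state and recent event logs. The output path, the lookback window and the event IDs it selects are assumptions; it writes one JSON file and prints its SHA-256 so the copy retrieved later can be checked against what was collected on the machine.

```powershell
# Added example, not Microsoft's code: triage snapshot for a live response library.
# Assumes Windows PowerShell 5.1 or later running with administrative rights.
param(
    # Placeholder output location (assumption); adjust to your collection convention.
    [string]$OutputPath = "$env:TEMP\triage-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMddHHmmss).json",
    [int]$EventLookbackHours = 24
)

function Get-TriageSnapshot {
    param([int]$LookbackHours)

    # Established TCP connections mapped to the owning process and its image path
    $connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                Pid           = $_.OwningProcess
                ProcessName   = $proc.ProcessName
                ProcessPath   = $proc.Path
            }
        }

    # Kernel drivers: name, on-disk path, running state and start mode
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Select-Object Name, PathName, State, StartMode

    # Scheduled tasks with the command each one executes (a common persistence location)
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            TaskName = $_.TaskName
            TaskPath = $_.TaskPath
            State    = [string]$_.State
            Actions  = @($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() })
        }
    }

    # Services with binary path and start type
    $services = Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, State, StartMode, PathName

    # Firewall profile state, so a disabled profile is visible in the snapshot
    $firewall = Get-NetFirewallProfile -ErrorAction SilentlyContinue |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

    # Recent events (assumed selection): logons and process creation from the Security log,
    # service installation from the System log. Messages are truncated to keep the file small.
    $since = (Get-Date).AddHours(-$LookbackHours)
    $events = @(
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @(4624, 4688); StartTime = $since } `
            -MaxEvents 500 -ErrorAction SilentlyContinue
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
            -MaxEvents 100 -ErrorAction SilentlyContinue
    ) | ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            LogName     = $_.LogName
            Id          = $_.Id
            Message     = if ($_.Message.Length -gt 400) { $_.Message.Substring(0, 400) } else { $_.Message }
        }
    }

    [pscustomobject]@{
        Hostname       = $env:COMPUTERNAME
        CollectedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
        Connections    = @($connections)
        Drivers        = @($drivers)
        ScheduledTasks = @($tasks)
        Services       = @($services)
        Firewall       = @($firewall)
        Events         = @($events)
    }
}

$snapshot = Get-TriageSnapshot -LookbackHours $EventLookbackHours
$snapshot | ConvertTo-Json -Depth 5 | Set-Content -Path $OutputPath -Encoding UTF8

# Record the hash on the machine so the retrieved copy can be verified later.
$hash = (Get-FileHash -Path $OutputPath -Algorithm SHA256).Hash
Write-Output "Snapshot written to $OutputPath"
Write-Output "SHA256: $hash"
```

Every collector uses -ErrorAction SilentlyContinue so that one missing module or empty log does not abort the whole snapshot; the printed hash, together with the audit trail live response keeps of each command, gives the analyst a record of exactly what was collected and when.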
A few examples:
[Examples shown: Run basic commands; Run PowerShell scripts; Run remediation commands]
We know you’ll ask: This feature is very powerful; can I grant access only to senior SOC members?
Of course. There are two roles that can be granted access to live response using RBAC: one allows users to run basic commands, and the other allows advanced commands such as PowerShell scripts or binary tools, downloading files, etc.
Furthermore, all live response commands are audited and recorded in the Action center, where remediation actions can be undone, if applicable (for example, removing a file from quarantine).