Targets to Live-Response actions in Defender ATP


Hi! Today Windows Defender is one of the best solutions for protecting endpoints. But I think we don't have enough live-response targets in the Action Center. From this link we can find all targets.
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-machines

I didn't have enough additional targets yesterday.
For example: https://github.com/EricZimmerman/KapeFiles/tree/master/Targets
It would also be very helpful to collect the MFT.

Thanks!

1 Reply

@ir-qiwi 

Hi there,

Are you aware of the newly released "Live Response" feature in MDATP? https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/live-response

With this feature you can perform a wide variety of forensic activities remotely on a machine, including running any PS script, which lets you extend it to a lot of additional actions, e.g. collecting the MFT. Hope this helps!
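The reply points out that an arbitrary PowerShell script can be run in a Live Response session, so a missing "target" such as the MFT can be collected that way. The script below is an added example, not part of this thread and not Microsoft code: it reads the NTFS boot sector of a volume, locates MFT record 0, walks the data runs of its `$DATA` attribute and copies the raw `$MFT` to a file, then hashes the result. The volume letter, output path and the helper names `Read-UIntLE` / `Get-DataRuns` are assumptions; it must run elevated because it opens the raw volume handle.

```powershell
# Added example (not from the original thread): copy the raw $MFT of an NTFS
# volume to a file so it can be pulled out of a Live Response session.
# Assumptions: elevated execution, default volume C:, output under %TEMP%.
param(
    [string]$Volume  = 'C',
    [string]$OutFile = "$env:TEMP\$($env:COMPUTERNAME)_MFT.bin"
)
$ErrorActionPreference = 'Stop'

# Read a little-endian unsigned integer of $size bytes from $buf at $pos.
function Read-UIntLE([byte[]]$buf, [int]$pos, [int]$size) {
    $v = [int64]0
    for ($i = $size - 1; $i -ge 0; $i--) { $v = ($v -shl 8) -bor $buf[$pos + $i] }
    return $v
}

# Walk an NTFS data-run list and return (LCN, cluster count) pairs.
# Each run stores its LCN as a signed delta from the previous run's LCN.
function Get-DataRuns([byte[]]$rec, [int]$pos) {
    $runs = @(); $lcn = [int64]0
    while ($rec[$pos] -ne 0) {
        $lenSize = $rec[$pos] -band 0x0F
        $offSize = ($rec[$pos] -shr 4) -band 0x0F
        $pos++
        $len = Read-UIntLE $rec $pos $lenSize; $pos += $lenSize
        $delta = Read-UIntLE $rec $pos $offSize
        if ($offSize -gt 0 -and $offSize -lt 8 -and ($rec[$pos + $offSize - 1] -band 0x80)) {
            $delta -= [int64]1 -shl (8 * $offSize)   # sign-extend a negative delta
        }
        $pos += $offSize
        $lcn += $delta
        $runs += [pscustomobject]@{ Lcn = $lcn; Clusters = $len }
    }
    return ,$runs
}

# Open the raw volume (needs admin); share ReadWrite because the OS holds it open.
$vol = [System.IO.FileStream]::new("\\.\${Volume}:", [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)

# Boot sector: bytes/sector @0x0B, sectors/cluster @0x0D, MFT LCN @0x30, record size @0x40.
$boot = New-Object byte[] 512
[void]$vol.Read($boot, 0, 512)
if ([Text.Encoding]::ASCII.GetString($boot, 3, 4) -ne 'NTFS') { throw "${Volume}: is not NTFS" }
$clusterSize = [BitConverter]::ToUInt16($boot, 0x0B) * $boot[0x0D]
$mftLcn      = [BitConverter]::ToInt64($boot, 0x30)
$rs          = $boot[0x40]    # >= 0x80 means record size is 2^(256-n) bytes
$recordSize  = if ($rs -ge 0x80) { 1 -shl (256 - $rs) } else { $rs * $clusterSize }

# Read MFT record 0 (the $MFT file itself) and undo the update-sequence fixups.
[void]$vol.Seek($mftLcn * $clusterSize, [System.IO.SeekOrigin]::Begin)
$rec = New-Object byte[] $recordSize
[void]$vol.Read($rec, 0, $recordSize)
if ([Text.Encoding]::ASCII.GetString($rec, 0, 4) -ne 'FILE') { throw 'MFT record 0 lacks FILE signature' }
$usaOff = [BitConverter]::ToUInt16($rec, 4); $usaCnt = [BitConverter]::ToUInt16($rec, 6)
for ($i = 1; $i -lt $usaCnt; $i++) {   # restore the last word of every 512-byte stride
    $rec[$i * 512 - 2] = $rec[$usaOff + 2 * $i]
    $rec[$i * 512 - 1] = $rec[$usaOff + 2 * $i + 1]
}

# Find the non-resident $DATA attribute (type 0x80): run list @+0x20, real size @+0x30.
$a = [BitConverter]::ToUInt16($rec, 0x14); $data = -1
while ($a -lt $recordSize - 8) {
    $type = [BitConverter]::ToUInt32($rec, $a)
    if ($type -eq 0xFFFFFFFF) { break }
    if ($type -eq 0x80) { $data = $a; break }
    $a += [BitConverter]::ToUInt32($rec, $a + 4)
}
if ($data -lt 0 -or $rec[$data + 8] -ne 1) { throw 'No non-resident $DATA attribute in record 0' }
$runs    = Get-DataRuns $rec ($data + [BitConverter]::ToUInt16($rec, $data + 0x20))
$mftSize = [BitConverter]::ToInt64($rec, $data + 0x30)

# Copy every run up to the real size, then hash the output for chain of custody.
$out  = [System.IO.File]::Create($OutFile)
$buf  = New-Object byte[] 1MB
$left = $mftSize
foreach ($r in $runs) {
    [void]$vol.Seek($r.Lcn * $clusterSize, [System.IO.SeekOrigin]::Begin)
    $want = [math]::Min([int64]($r.Clusters * $clusterSize), $left)
    while ($want -gt 0) {
        $n = $vol.Read($buf, 0, [int][math]::Min([int64]$buf.Length, $want))
        if ($n -le 0) { break }
        $out.Write($buf, 0, $n)
        $want -= $n; $left -= $n
    }
}
$out.Dispose(); $vol.Dispose()
$hash = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
"Wrote $OutFile ($([math]::Round($mftSize / 1MB, 1)) MB, $($runs.Count) runs) SHA256=$hash"
```

Upload the script to the Live Response library, execute it in the session with `run`, and retrieve the output file with `getfile`; record the printed SHA256 in the case notes so the copy can be verified after transfer. The file can then be parsed offline (for example with MFTECmd from the same author as the KAPE targets linked above) to build a filesystem timeline without further activity on the endpoint. One caveat: on a heavily fragmented volume, record 0 may carry an `$ATTRIBUTE_LIST` that splits `$DATA` across several records; this walker only follows the runs in record 0, so compare the written size against the reported real size before relying on the copy.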