In an effort to help security teams more easily investigate incidents on remote machines, Microsoft has added live response capabilities to its Microsoft Defender ATP offering.
Now available in public preview, the live response capabilities provide instantaneous access to a compromised machine regardless of where it is located, enabling security teams to quickly gather forensic information.
“Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time,” Microsoft explains.
The feature supports gathering a snapshot of connections, drivers, scheduled tasks, and services; searching for specific files; requesting file analysis to reach a verdict (clean, malicious, or suspicious); and downloading malware files for reverse-engineering.
Furthermore, it enables security teams to create a tenant-level library of forensic tools, such as PowerShell scripts and third-party binaries, to gather forensic information like MFT tables, firewall logs, event logs, process memory dumps, and more.
Additionally, security operations teams can run remediation activities, including file quarantine, process termination, registry and scheduled task removal, and more.
“There are two roles that can be granted access to live response using RBAC, allowing users to run basic commands, or advanced commands like PowerShell scripts or binary tools, download files, etc.,” the Microsoft Defender ATP team notes in a blog post.
All response commands are audited and recorded into the Action center, which also provides administrators with the possibility to reverse remediation actions, if applicable (for example, remove a file from quarantine).
The new feature is available only for machines running Windows 10, version 18323 (also known as Windows 10 19H1) or later. To enable the live response capability, one should access the Advanced features settings page (editable only by users who hold a security-management or global admin role).
A list of supported commands, along with additional information on how to use the live response capability, can be found in this Microsoft article.
Related: Microsoft Introduces Security Configuration Framework
Related: Microsoft Launches Defender ATP Endpoint Security for macOS

More from Ionut Arghire