In an effort to help security teams more easily investigate incidents on remote machines, Microsoft has added live response capabilities to its Microsoft Defender ATP offering.
Now available in public preview, the live response capabilities provide instantaneous access to a compromised machine regardless of where it is located, enabling security teams to quickly gather forensic information.
“Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time,” Microsoft explains.
The feature supports gathering a snapshot of connections, drivers, scheduled tasks, and services; searching for specific files; requesting file analysis to reach a verdict (clean, malicious, or suspicious); and downloading malware files for reverse-engineering.
Furthermore, it enables security teams to create a tenant-level library of forensic tools, such as PowerShell scripts and third-party binaries, to gather forensic information like MFT tables, firewall logs, event logs, process memory dumps, and more.
Additionally, security operations teams can run remediation activities, including file quarantine, process termination, registry and scheduled task removal, and more.
“There are two roles that can be granted access to live response using RBAC, allowing users to run basic commands, or advanced commands like PowerShell scripts or binary tools, download files, etc.,” the Microsoft Defender ATP team notes in a blog post.
All response commands are audited and recorded in the Action center, which also lets administrators reverse remediation actions where applicable (for example, remove a file from quarantine).
The new feature is available only for machines running Windows 10, version 18323 (also known as Windows 10 19H1) or later. To enable the live response capability, open the Advanced features settings page (editable only by users with security management or global admin roles).
A list of supported commands, along with additional information on how to use the live response capability, can be found in this Microsoft article.