Microsoft Adds Live Response Capabilities to Defender ATP

In an effort to help security teams investigate incidents on remote machines more easily, Microsoft has added live response capabilities to its Microsoft Defender ATP offering.

Now available in public preview, the live response capabilities provide instantaneous access to a compromised machine regardless of where it is located, enabling security teams to quickly gather forensic information.

“Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time,” Microsoft explains.

The feature includes support for gathering a snapshot of connections, drivers, scheduled tasks, and services; for searching for specific files or requesting file analysis to reach a verdict (clean, malicious, or suspicious); and for downloading malware files for reverse-engineering.

Furthermore, it enables security teams to create a tenant-level library of forensic tools, such as PowerShell scripts and third-party binaries, to gather forensic information like MFT tables, firewall logs, event logs, process memory dumps, and more. 
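The kind of script a team might place in that tenant-level library, as an added example that is not Microsoft's code or part of the original article: it takes the snapshot the feature describes (connections, drivers, scheduled tasks, services) plus recent Security log events and writes them to a JSON file for retrieval from the session. The script name, output path and event count are assumptions.

```powershell
# Collect-ForensicSnapshot.ps1 (hypothetical name): point-in-time snapshot of
# connections, drivers, scheduled tasks, services and recent Security events,
# written to a JSON file that can be retrieved from the live response session.
[CmdletBinding()]
param(
    # Output location is an assumption; any path the session can read works.
    [string]$OutputPath = "$env:TEMP\forensic-snapshot.json",
    [int]$EventCount = 200   # newest Security log events to include
)

$ErrorActionPreference = 'Continue'

# Established TCP connections joined with the owning process name, so an
# analyst can spot unexpected outbound sessions at a glance.
$connections = Get-NetTCPConnection -State Established | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        Pid     = $_.OwningProcess
        Process = $proc.ProcessName
    }
}

# Running kernel drivers and services with their image paths; odd locations
# or unexpected service accounts are common persistence indicators.
$drivers  = Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running' |
    Select-Object Name, PathName, StartMode
$services = Get-CimInstance Win32_Service | Where-Object State -eq 'Running' |
    Select-Object Name, PathName, StartName

# Scheduled tasks outside the Microsoft tree, with each action flattened to "exe args".
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Select-Object TaskName, TaskPath, State,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

# Newest Security events, keeping only the first line of each message.
$events = Get-WinEvent -LogName Security -MaxEvents $EventCount |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

[ordered]@{
    CollectedAt    = (Get-Date).ToUniversalTime().ToString('o')
    Hostname       = $env:COMPUTERNAME
    Connections    = @($connections)
    Drivers        = @($drivers)
    Services       = @($services)
    ScheduledTasks = @($tasks)
    RecentEvents   = @($events)
} | ConvertTo-Json -Depth 4 | Set-Content -Path $OutputPath -Encoding UTF8
Write-Output "Snapshot written to $OutputPath"
```

Reading the Security log and CIM driver data requires an elevated context, which the remote session normally provides.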

Additionally, security operations teams can run remediation activities, including file quarantine, process termination, registry and scheduled task removal, and more.

“There are two roles that can be granted access to live response using RBAC, allowing users to run basic commands, or advanced commands like PowerShell scripts or binary tools, download files, etc.,” the Microsoft Defender ATP team notes in a blog post.

All response commands are audited and recorded in the Action center, which also gives administrators the option to reverse remediation actions where applicable (for example, removing a file from quarantine).

The new feature is available only for machines running Windows 10, version 18323 (also known as Windows 10 19H1) or later. To enable the live response capability, one should access the Advanced features settings page (only editable by users who manage security or global admin roles).

A list of supported commands, along with additional information on how to use the live response capability, can be found in this Microsoft article.

Related: Microsoft Introduces Security Configuration Framework

Related: Microsoft Launches Defender ATP Endpoint Security for macOS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
