This article is contributed. See the original author and article here.

 

ezgif.com-gif-maker.gif

 

Dear IT Pros,  

would like to continue on Part 2 of the Windows Defender ATP Operation with tasks handled by ATP operators, ATP administrator. 

_________________________________________________

 

Creating Alert Notification 

Alert Notification settings are configured for the purpose of sending alert email message to Security Team and other teams. 

To setup Alert Notification: 

  • In ATP Portal, go to SettingsGeneralAlert notification 
  • Add Item     

1.png

 

  • Enter Rule name, eg: Sent High Severity Alert to Secops Team 
  • Choose options: include organization name, include tenant-specific portal link, include device information 
  • Choose alert severity: High, Medium, Low 
  • Next, 2.png
  • Enter Group’s email address
  • Send test email and Save

5.png

 

 

 Live Response to remote device

Live response gives you the remote access to target device by remote shell connectionIt enables security admin to run command, script and collect forensic data,  send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats on the remote device. 

To Enable Live Response for ATP devices: 

  • In ATP Portal, go to SettingsGeneralAdvanced features 
  • Turn on Live Response 
  • Turn on (optional) Live Response unsigned script execution 
  • Save Preferences 

3.png 

To Run Live Response Remote Access to Device: 

  1. Client Prerequisite:
    • Windows 10 version 1909 or later.  
    • For other Windows 10 versions:   Make sure to install appropriate updates (live response feature included in these updates). 

      Windows 10-1903:          KB4515384 

      Windows 10-1809 (RS5): KB4537818 

      Windows 10-1803 (RS4): KB4537795 

      Windows 10-1709 (RS3): KB4537816 

    •  The Target Machine is member of a Device Group with Semi or Full Remediation of Automation Level as shown  :

4.png

 

 For Dynamic Device Group, please refer to “ATP Daily Operation – Part 1″ for more detail.

 

 To Run the command or script in live response session. 

 In live response session, you could run one of the commands in the following table of commands:

 

Command 

Description 

cd 

Changes the current directory. 

cls 

Clears the console screen. 

connect 

Initiates a live response session to the device. 

connections 

Shows all the active connections. 

dir 

Shows a list of files and subdirectories in a directory. 

download <file_path> & 

Downloads a file in the background. 

drivers 

Shows all drivers installed on the device. 

fg <command ID> 

Returns a file download to the foreground. 

fileinfo 

Get information about a file. (10GB max size limit) 

findfile 

Locates files by a given name on the device. 

help 

Provides help information for live response commands. 

persistence 

Shows all known persistence methods on the device. 

processes 

Shows all processes running on the device. 

registry 

Shows registry values. 

scheduledtasks 

Shows all scheduled tasks on the device. 

services 

Shows all services on the device. 

trace 

Sets the terminal’s logging mode to debug. 

 

Advanced commands 

The following advanced commands are for the user roles that are granted the ability to run advanced live response commands such as ATP Administrator Role: 

 

ADVANCED COMMANDS 

Command 

Description 

analyze 

Analyses the entity with various incrimination engines to reach a verdict. 

getfile 

Gets a file from the device. (3GB max size limit) 
NOTE: This command has a prerequisite command. You can use the -auto command in conjunction with getfile to automatically run the prerequisite command. 

run 

Runs a PowerShell script from the library on the device. 

library 

Lists files that were uploaded to the live response library. (250MB max size limit) 

putfile 

Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. 

remediate 

Remediates an entity on the device. The remediation action will vary depending on the entity type: 
– File: delete 
– Process: stop, delete image file 
– Service: stop, delete image file 
– Registry entry: delete 
– Scheduled task: remove 
– Startup folder item: delete file 
NOTE: This command has a prerequisite command. You can use the -auto command in conjunction with remediate to automatically run the prerequisite command. 

undo 

Restores an entity that was remediated. 

 

To run Powershell Script in live response: 

The library stores files (such as scripts) that can be run in a live response session at the tenant level. PowerShell scripts must first be placed in the library before you can run them. 

 

   Upload the script file in the library and run script 

Click Upload file to library. TanTran_10-1601515615686.png

 

 

  • Click Browse and select the file. 
  • Provide a brief description. 
  • Specify if you’d like to overwrite a file with the same name. 
  • If you’d like to be known what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description. 
  • Click Confirm. 
  • (Optional) To verify that the file was uploaded to the library, run the library command. 
  • Run the script with command: Run scriptname.ps1 

 6.png

 

 

 

Cancel a command 

Anytime during a session, you can cancel a command by pressing CTRL + C. 

Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal.  

Automatically run prerequisite commands 

Some commands have prerequisite commands to run parallelly. If you don’t run the prerequisite command, you would get an error. For example, running the download command without fileinfo will return an error. 

You can use the auto flag to automatically run prerequisite commands,: 

getfile c:UsersuserDesktopwork.txt -auto  

Apply command parameters 

When using commands that have prerequisite commands, you can use flags: 

<command name> -type file -id <file path> – auto 

Supported output types 

Live response supports table and JSON format output types. For each command, there’s a default output behavior. You can modify the output in your preferred output format using the following commands: 

  • -output json 
  • -output table 

 Note 

Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown. 

View the command log 

Select the Command log tab to see the commands used on the device during a session. Each command is tracked with full detailsIDCommand lineDurationStatus and input or output side bar 

Examples: 

  • Analyze a file 

     analyze -type file -id C:UsersCMAdmin.FourthCoffeeDownloadsKnownMalicious.exe –auto

 

TanTran_14-1601515615665.png

 

  • Analyze File in remote machine and Auto Download to local Workstation in the “Downloads” Folder: 

analyze -type file -id C:UsersCMAdmin.FourthCoffeeDownloadsKnownMalicious.exe -auto > AnalyzedKnownMalicious.txt 

  • Remediating a file (delete file) 

C:>remediate -type file -id C:UsersCMAdmin.FourthCoffeeDownloadsFreeVideo.exe –auto 

or  

C:>remediate file C:UsersCMAdmin.FourthCoffeeDownloadsFreeVideo.exe –auto 

 

  • To download file from the remote target device to your local workstation 

C:getfile “C:UsersCMAdmin.FourthCoffeeDownloadsFreeVideo.exe” -auto 

or  

C:> download “C:UsersCMAdmin.FourthCoffeeDownloadsFreeVideo.exe” -auto 

7.png

 

  • To list on connection of the remote target device 

C:> connections 

TanTran_17-1601515615690.png

 

  • To list the registry key and value of the remote target device 

C:> registry “HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Defender” 

TanTran_18-1601515615694.png

 

  • Creating a test script, upload to Library and run script: 

Example: creating ATPTest.ps1 with the following content: 

Dir c:usersCMAdmin.Contoso.comdownloads > C:tempdowload_files.txt 

Upload script named “ATPTest.ps1” to Library and run the script 

TanTran_19-1601515615672.png

 

Download result of run content to your local workstation under “downloads” folder 

Download “C:Tempdownload_files.txt” -auto 

8.png

 

I hope the information is useful to your daily ATP operation monitoring. 

Cheer! 

 

 

References: 

Live Response Investigation: 

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/live-response#:~:text=Microsoft%20Defender%20Advanced%20Threat%20Protection%20%28Microsoft%20Defender%20ATP%29,as%20a%20machine%29%20using%20a%20remote%20shell%20connection. 

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples 

Video about Live Response

https://www.bing.com/videos/search?q=microsoft+live+response+advanced+threat+protection+video&docid=608005478874219990&mid=593DC3A568771CBCEF01593DC3A568771CBCEF01&view=detail&FORM=VIRE

 

 

__________________________

Disclaimer 

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages. 

 

 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.