mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-23 14:23:38 +00:00
add live response
@ -0,0 +1,212 @@
|
||||
---
|
||||
title: Live response command examples
|
||||
description: Learn about common commands and see examples on how it's used
|
||||
keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Live response command examples
|
||||
|
||||
**Applies to:**
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
||||
|
||||
|
||||
Learn about common commands used in live response and see examples on how they are typically used.
|
||||
|
||||
Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on machines using live response](live-response.md).
|
||||
|
||||
|
||||
## analyze
|
||||
|
||||
```
|
||||
# Analyze the file malware.txt
|
||||
analyze file c:\Users\user\Desktop\malware.txt
|
||||
```
|
||||
|
||||
```
|
||||
# Analyze the process by PID
|
||||
analyze process 1234
|
||||
```
|
||||
|
||||
## connections
|
||||
|
||||
```
|
||||
# List active connections in json format using parameter name
|
||||
connections -output json
|
||||
```
|
||||
|
||||
```
|
||||
# List active connections in json format without parameter name
|
||||
connections json
|
||||
```
|
||||
|
||||
## dir
|
||||
|
||||
```
|
||||
# List files and sub-folders in the current folder
|
||||
dir
|
||||
```
|
||||
|
||||
```
|
||||
# List files and sub-folders in a specific folder
|
||||
dir C:\Users\user\Desktop\
|
||||
```
|
||||
|
||||
```
|
||||
# List files and subfolders in the current folder in json format
|
||||
dir -output json
|
||||
```
|
||||
|
||||
## fileinfo
|
||||
|
||||
```
|
||||
# Display information about a file
|
||||
fileinfo C:\Windows\notepad.exe
|
||||
```
|
||||
|
||||
## findfile
|
||||
|
||||
```
|
||||
# Find file by name
|
||||
findfile test.txt
|
||||
```
|
||||
|
||||
## getfile
|
||||
|
||||
```
|
||||
# Download a file from a machine
|
||||
getfile c:\Users\user\Desktop\work.txt
|
||||
```
|
||||
|
||||
```
|
||||
# Download a file from a machine, automatically run prerequisite commands
|
||||
getfile c:\Users\user\Desktop\work.txt -auto
|
||||
```
|
||||
|
||||
## processes
|
||||
```
|
||||
# Show all processes
|
||||
processes
|
||||
```
|
||||
|
||||
```
|
||||
# Get process by pid
|
||||
processes 123
|
||||
```
|
||||
|
||||
```
|
||||
# Get process by pid with argument name
|
||||
processes -pid 123
|
||||
```
|
||||
|
||||
```
|
||||
# Get process by name
|
||||
processes -name notepad.exe
|
||||
```
|
||||
|
||||
## putfile
|
||||
|
||||
```
|
||||
# Upload file from library
|
||||
putfile get-process-by-name.ps1
|
||||
```
|
||||
|
||||
```
|
||||
# Upload file from library, overwrite file if it exists
|
||||
putfile get-process-by-name.ps1 -overwrite
|
||||
```
|
||||
|
||||
```
|
||||
# Upload file from library, keep it on the machine after a restart
|
||||
putfile get-process-by-name.ps1 -keep
|
||||
```
|
||||
|
||||
## registry
|
||||
|
||||
```
|
||||
# Show information about the values in a registry key
|
||||
registry HKEY_CURRENT_USER\Console
|
||||
```
|
||||
|
||||
```
|
||||
# Show information about a specific registry value
|
||||
registry HKEY_CURRENT_USER\Console\\ScreenBufferSize
|
||||
```
|
||||
|
||||
|
||||
## remediate
|
||||
|
||||
```
|
||||
# Remediate file in specific path
|
||||
remediate file c:\Users\user\Desktop\malware.exe
|
||||
```
|
||||
|
||||
```
|
||||
# Remediate process with specific PID
|
||||
remediate process 7960
|
||||
```
|
||||
|
||||
```
|
||||
# See list of all remediated entities
|
||||
remediate list
|
||||
```
|
||||
|
||||
## run
|
||||
|
||||
```
|
||||
# Run PowerShell script from the library without arguments
|
||||
run script.ps1
|
||||
```
|
||||
|
||||
```
|
||||
# Run PowerShell script from the library with arguments
|
||||
run get-process-by-name.ps1 -parameters "-processName Registry"
|
||||
```
|
||||
|
||||
## scheduledtask
|
||||
|
||||
```
|
||||
# Get all scheduled tasks
|
||||
scheduledtasks
|
||||
```
|
||||
|
||||
```
|
||||
# Get specific scheduled task by location and name
|
||||
scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition
|
||||
```
|
||||
|
||||
```
|
||||
# Get specific scheduled task by location and name with spacing
|
||||
scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation"
|
||||
```
|
||||
|
||||
|
||||
## undo
|
||||
|
||||
```
|
||||
# Restore remediated registry
|
||||
undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize
|
||||
```
|
||||
|
||||
```
|
||||
# Restore remediated scheduledtask
|
||||
undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition
|
||||
```
|
||||
|
||||
```
|
||||
# Restore remediated file
|
||||
undo file c:\Users\user\Desktop\malware.exe
|
||||
```
|
||||
|