deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/microsoftdocs/windows-docs-pr

Browse Source
This commit is contained in:
Liza Poggemeyer 2019-05-17 10:39:17 -07:00
commit 51bd9875ff
8 changed files with 497 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/deployment/windows-autopilot/windows-autopilot-reset.md
View File

@ -28,7 +28,7 @@ The Windows Autopilot Reset process automatically retains information from the e
- Provisioning packages previously applied to the device, as well as a provisioning package present on a USB drive when the reset process is initiated.
- Azure Active Directory device membership and MDM enrollment information.
Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed. This requires configuring the device to use the [enrollment status page](enrollment-status.md).
Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed.
>[!IMPORTANT]
>To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection.

2
windows/security/threat-protection/TOC.md
View File

@ -67,6 +67,8 @@
####### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
####### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
###### [Investigate entities using Live response](microsoft-defender-atp/live-response.md)
#######[Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
#### [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
##### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md)

5
windows/security/threat-protection/microsoft-defender-atp/TOC.md
View File

@ -70,7 +70,10 @@
###### [Submit files for analysis](respond-file-alerts.md#submit-files-for-analysis)
###### [View deep analysis reports](respond-file-alerts.md#view-deep-analysis-reports)
###### [Troubleshoot deep analysis](respond-file-alerts.md#troubleshoot-deep-analysis)
##### [Investigate entities using Live response](live-response.md)
###### [Live response command examples](live-response-command-examples.md)
### [Automated investigation and remediation](automated-investigations.md)
#### [Learn about the automated investigation and remediation dashboard](manage-auto-investigation.md)

9
windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
View File

@ -31,6 +31,15 @@ Use the following advanced features to get better protected from potentially mal
## Automated investigation
When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations.md).
## Live response
When you enable this feature, users with the appropriate permissions can initiate a live response session on machines.
For more information on role assignments see, [Create and manage roles](user-roles.md).
## Live response unsigned script execution
Enabling this feature allows you to run unsigned scripts in a live response session.
## Auto-resolve remediated alerts
For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you dont want to have alerts auto-resolved, youll need to manually turn off the feature.

212
windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md Normal file
View File

@ -0,0 +1,212 @@
---
title: Live response command examples
description: Learn about common commands and see examples on how it's used
keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Live response command examples
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Learn about common commands used in live response and see examples on how they are typically used.
Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on machines using live response](live-response.md).
## analyze
```
# Analyze the file malware.txt
analyze file c:\Users\user\Desktop\malware.txt
```
```
# Analyze the process by PID
analyze process 1234
```
## connections
```
# List active connections in json format using parameter name
connections -output json
```
```
# List active connections in json format without parameter name
connections json
```
## dir
```
# List files and sub-folders in the current folder
dir
```
```
# List files and sub-folders in a specific folder
dir C:\Users\user\Desktop\
```
```
# List files and subfolders in the current folder in json format
dir -output json
```
## fileinfo
```
# Display information about a file
fileinfo C:\Windows\notepad.exe
```
## findfile
```
# Find file by name
findfile test.txt
```
## getfile
```
# Download a file from a machine
getfile c:\Users\user\Desktop\work.txt
```
```
# Download a file from a machine, automatically run prerequisite commands
getfile c:\Users\user\Desktop\work.txt -auto
```
## processes
```
# Show all processes
processes
```
```
# Get process by pid
processes 123
```
```
# Get process by pid with argument name
processes -pid 123
```
```
# Get process by name
processes -name notepad.exe
```
## putfile
```
# Upload file from library
putfile get-process-by-name.ps1
```
```
# Upload file from library, overwrite file if it exists
putfile get-process-by-name.ps1 -overwrite
```
```
# Upload file from library, keep it on the machine after a restart
putfile get-process-by-name.ps1 -keep
```
## registry
```
# Show information about the values in a registry key
registry HKEY_CURRENT_USER\Console
```
```
# Show information about a specific registry value
registry HKEY_CURRENT_USER\Console\\ScreenBufferSize
```
## remediate
```
# Remediate file in specific path
remediate file c:\Users\user\Desktop\malware.exe
```
```
# Remediate process with specific PID
remediate process 7960
```
```
# See list of all remediated entities
remediate list
```
## run
```
# Run PowerShell script from the library without arguments
run script.ps1
```
```
# Run PowerShell script from the library with arguments
run get-process-by-name.ps1 -parameters "-processName Registry"
```
## scheduledtask
```
# Get all scheduled tasks
scheduledtasks
```
```
# Get specific scheduled task by location and name
scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition
```
```
# Get specific scheduled task by location and name with spacing
scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation"
```
## undo
```
# Restore remediated registry
undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize
```
```
# Restore remediated scheduledtask
undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition
```
```
# Restore remediated file
undo file c:\Users\user\Desktop\malware.exe
```

255
windows/security/threat-protection/microsoft-defender-atp/live-response.md Normal file
View File

@ -0,0 +1,255 @@
---
title: Investigate entities on machines using live response in Microsoft Defender ATP
description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time.
keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Investigate entities on machines using live response
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Prerelease information](prerelease.md)]
Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats real-time.
Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
With live response, analysts will have the ability to:
- Run basic and advanced commands to do investigative work
- Download files such as malware samples and outcomes of PowerShell scripts
- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level
- Take or undo remediation actions
## Before you begin
Before you can initiate a session on a machine, make sure you fulfill the following requirements:
- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later.
- **Enable live response from the settings page**<br>
You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
>[!NOTE]
>Only users with manage security or global admin roles can edit these settings.
- **Enable live response unsigned script execution** (optional) <br>
>[!WARNING]
>Allowing the use of unsigned scripts may increase your exposure to threats.
Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
- **Ensure that you have the appropriate permissions**<br>
Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md).
Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role.
## Live response dashboard overview
When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as:
- Who created the session
- When the session started
- The duration of the session
The dashboard also gives you access to:
- Disconnect session
- Upload files to the library
- Command console
- Command log
## Initiate a live response session on a machine
1. Log in to Microsoft Defender Security Center.
2. Navigate to the machines list page and select a machine to investigate. The machine page opens.
>[!NOTE]
>Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later.
2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine.
3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands).
4. After completing your investigation, select **Disconnect session**, then select **Confirm**.
## Live response commands
Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md).
### Basic commands
The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
Command | Description
:---|:---|:---
cd | Changes the current directory.
cls | Clears the console screen.
connect | Initiates a live response session to the machine.
connections | Shows all the active connections.
dir | Shows a list of files and subdirectories in a directory
drivers | Shows all drivers installed on the machine.
fileinfo | Get information about a file.
findfile | Locates files by a given name on the machine.
help | Provides help information for live response commands.
persistence | Shows all known persistence methods on the machine.
processes | Shows all processes running on the machine.
registry | Shows registry values.
sheduledtasks| Shows all scheduled tasks on the machine.
services | Shows all services on the machine.
trace | Sets the terminal's logging mode to debug.
### Advanced commands
The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
Command | Description
:---|:---
analyze | Analyses the entity with various incrimination engines to reach a verdict.
getfile | Gets a file from the machine. <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `getfile` to automatically run the prerequisite command.
run | Runs a PowerShell script from the library on the machine.
library | Lists files that were uploaded to the live response library.
putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default.
remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:<br>- File: delete<br>- Process: stop, delete image file<br>- Service: stop, delete image file<br>- Registry entry: delete<br>- Scheduled task: remove<br>- Startup folder item: delete file <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `remediate` to automatically run the prerequisite command.
undo | Restores an entity that was remediated.
## Use live response commands
The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands#BKMK_c).
The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity.
### Get a file from the machine
For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation.
>[!NOTE]
>There is a file size limit of 750mb.
### Put a file in the library
Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level.
Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them.
You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with.
**To upload a file in the library:**
1. Click **Upload file to library**.
2. Click **Browse** and select the file.
3. Provide a brief description.
4. Specify if you'd like to overwrite a file with the same name.
5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
6. Click **Confirm**.
7. (Optional) To verify that the file was uploaded to the library, run the `library` command.
### Cancel a command
Anytime during a session, you can cancel a command by pressing CTRL + C.
>[!WARNING]
>Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled.
### Automatically run prerequisite commands
Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error.
You can use the auto flag to automatically run prerequisite commands, for example:
```
getfile c:\Users\user\Desktop\work.txt -auto
```
## Run a PowerShell script
Before you can run a PowerShell script, you must first upload it to the library.
After uploading the script to the library, use the `run` command to run the script.
If you plan to use an unsigned script in the session, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
>[!WARNING]
>Allowing the use of unsigned scripts may increase your exposure to threats.
## Apply command parameters
- View the console help to learn about command parameters. To learn about an individual command, run:
`help <command name>`
- When applying parameters to commands, note that parameters are handled based on a fixed order:
`<command name> param1 param2`
- When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen before providing the value:
`<command name> -param2_name param2`
- When using commands that have prerequisite commands, you can use flags:
`<command name> -type file -id <file path> - auto` or `remediate file <file path> - auto`.
## Supported output types
Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands:
- `-output json`
- `-output table`
>[!NOTE]
>Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown.
## Supported output pipes
Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.
Example:
```
processes > output.txt
```
## View the command log
Select the **Command log** tab to see the commands used on the machine during a session.
Each command is tracked with full details such as:
- ID
- Command line
- Duration
- Status and input or output side bar
## Limitations
- Live response sessions are limited to 10 live response sessions at a time
- Large scale command execution is not supported
- A user can only initiate one session at a time
- A machine can only be in one session at a time
- There is a file size limit of 750mb when downloading files from a machine
## Related topic
- [Live response command examples](live-response-command-examples.md)

2
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -42,6 +42,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
- [Live response](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/live-response)<BR> Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats real-time.
- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) <BR> A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization.

12
windows/security/threat-protection/microsoft-defender-atp/user-roles.md
View File

@ -46,6 +46,18 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
>This setting is only available in the Microsoft Defender ATP administrator (default) role.
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
- **Live response capabilities** - Users can take basic or advanced live response commands. <br>
- Basic commands allow users to:
- Start a live response session
- Run read only live response commands on a remote machine
- Advanced commands allow users to:
- Run basic actions
- Download a file from the remote machine
- View a script from the files library
- Run a script on the remote machine from the files library take read and write commands.
For more information on the available commands, see [Investigate machines using Live response](live-response.md).
4. Click **Next** to assign the role to an Azure AD group.