Mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git, synced 2025-06-11 12:07:23 +00:00

---
title: Live response command examples
description: Learn about common commands and see examples of how they're used
keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---

# Live response command examples

**Applies to:**

- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)

Learn about common commands used in live response and see examples of how they're typically used.

Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on machines using live response](live-response.md).

## analyze

```
# Analyze the file malware.txt
analyze file c:\Users\user\Desktop\malware.txt
```

```
# Analyze the process by PID
analyze process 1234
```

## connections

```
# List active connections in json format using parameter name
connections -output json
```

```
# List active connections in json format without parameter name
connections json
```

## dir

```
# List files and sub-folders in the current folder
dir
```

```
# List files and sub-folders in a specific folder
dir C:\Users\user\Desktop\
```

```
# List files and sub-folders in the current folder in json format
dir -output json
```

## fileinfo

```
# Display information about a file
fileinfo C:\Windows\notepad.exe
```

## findfile

```
# Find file by name
findfile test.txt
```

## getfile

```
# Download a file from a machine
getfile c:\Users\user\Desktop\work.txt
```

```
# Download a file from a machine, automatically run prerequisite commands
getfile c:\Users\user\Desktop\work.txt -auto
```

>[!NOTE]
> The following file types **cannot** be downloaded using this command from within Live Response:
>
> * [Reparse point files](/windows/desktop/fileio/reparse-points/)
> * [Sparse files](/windows/desktop/fileio/sparse-files/)
> * Empty files
> * Virtual files, or files that are not fully present locally
>
> These file types **are** supported by [PowerShell](/powershell/scripting/overview?view=powershell-6/).
>
> Use PowerShell as an alternative, if you have problems using this command from within Live Response.
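The note above lists the file types `getfile` refuses but gives no way to tell in advance whether a given file is one of them. The following library script is an added example (not part of the original page and not Microsoft's code) that checks the file's attributes for each of those conditions and, when asked, writes a plain copy that `getfile` can then fetch. The script name `check-getfile.ps1`, its `-Path` and `-CopyTo` parameters, and the sample paths are all assumptions; the `RecallOnOpen` and `RecallOnDataAccess` attribute values are the documented `FILE_ATTRIBUTE_RECALL_ON_OPEN` and `FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS` placeholder flags.

```powershell
<#
  check-getfile.ps1 (hypothetical library script; added example, not from the page)

  Reports whether a file is a reparse point, sparse, empty, or a placeholder that
  is not fully present locally, i.e. the cases getfile cannot download. With
  -CopyTo it materializes an ordinary copy that getfile can retrieve instead.

  Usage from a live response session (paths are constructed examples):
    putfile check-getfile.ps1
    run check-getfile.ps1 -parameters "-Path C:\Users\user\Desktop\work.txt"
    run check-getfile.ps1 -parameters "-Path C:\Users\user\Desktop\work.txt -CopyTo C:\Temp\lr"
    getfile C:\Temp\lr\work.txt
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,
    [string]$CopyTo
)

$item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
if ($item.PSIsContainer) { throw "'$Path' is a directory, not a file." }
$attrs = $item.Attributes

# Each attribute maps to one of the unsupported cases in the note. The two
# placeholder flags are compared by their raw values so the script also runs on
# Windows PowerShell hosts whose FileAttributes enum predates those members.
$blockers = @()
if (($attrs -band [IO.FileAttributes]::ReparsePoint) -ne 0) { $blockers += 'ReparsePoint' }
if (($attrs -band [IO.FileAttributes]::SparseFile)   -ne 0) { $blockers += 'SparseFile' }
if (($attrs -band [IO.FileAttributes]::Offline)      -ne 0) { $blockers += 'Offline' }
if (($attrs -band 0x00040000) -ne 0) { $blockers += 'RecallOnOpen' }        # FILE_ATTRIBUTE_RECALL_ON_OPEN
if (($attrs -band 0x00400000) -ne 0) { $blockers += 'RecallOnDataAccess' }  # FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS
if ($item.Length -eq 0)              { $blockers += 'EmptyFile' }

$report = [ordered]@{
    Path       = $item.FullName
    Length     = $item.Length
    Attributes = $attrs.ToString()
    Blockers   = ($blockers -join ',')
    GetFileOk  = ($blockers.Count -eq 0)
}

if ($CopyTo -and $blockers.Count -gt 0 -and $item.Length -gt 0) {
    # Reading through the file system follows the reparse point, fills sparse
    # holes with zeros and hydrates a placeholder, so the written copy is a
    # plain, fully present file. Hydration can be slow and may pull data from
    # the cloud provider; an empty file has nothing to copy and is skipped.
    New-Item -ItemType Directory -Path $CopyTo -Force | Out-Null
    $dest = Join-Path $CopyTo $item.Name
    [IO.File]::WriteAllBytes($dest, [IO.File]::ReadAllBytes($item.FullName))
    $report['Copy']       = $dest
    $report['CopySHA256'] = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
}

[pscustomobject]$report | Format-List
```

Record the reported SHA256 in the case notes: the copy is a new file with its own timestamps, so the hash is what ties the downloaded artifact back to the original on the machine.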

## processes

```
# Show all processes
processes
```

```
# Get process by pid
processes 123
```

```
# Get process by pid with argument name
processes -pid 123
```

```
# Get process by name
processes -name notepad.exe
```

## putfile

```
# Upload file from library
putfile get-process-by-name.ps1
```

```
# Upload file from library, overwrite file if it exists
putfile get-process-by-name.ps1 -overwrite
```

```
# Upload file from library, keep it on the machine after a restart
putfile get-process-by-name.ps1 -keep
```

## registry

```
# Show information about the values in a registry key
registry HKEY_CURRENT_USER\Console
```

```
# Show information about a specific registry value
registry HKEY_CURRENT_USER\Console\\ScreenBufferSize
```

## remediate

```
# Remediate file in specific path
remediate file c:\Users\user\Desktop\malware.exe
```

```
# Remediate process with specific PID
remediate process 7960
```

```
# See list of all remediated entities
remediate list
```

## run

```
# Run PowerShell script from the library without arguments
run script.ps1
```

```
# Run PowerShell script from the library with arguments
run get-process-by-name.ps1 -parameters "-processName Registry"
```
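The `putfile` and `run` examples both refer to a library script named `get-process-by-name.ps1`, and the `run` example passes it `-processName Registry`, but the page does not show what such a script contains. The following is an added example of one (not the page's or Microsoft's code) whose parameter name matches the `-parameters` string above: it resolves the name, then emits the fields an analyst typically pivots on (PID, parent PID, start time, image path, SHA256). The output columns and the best-effort handling of protected processes are design choices of this example, not behaviour the page describes.

```powershell
<#
  get-process-by-name.ps1 (example library script; added here, not from the page)

  Upload once, then run with the same arguments the page shows:
    putfile get-process-by-name.ps1
    run get-process-by-name.ps1 -parameters "-processName Registry"
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$processName
)

# Accept both "notepad" and "notepad.exe"; Get-Process matches on the base name.
$name  = [IO.Path]::GetFileNameWithoutExtension($processName)
$procs = Get-Process -Name $name -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Output "No running process named '$processName'."
    exit 1
}

$procs | ForEach-Object {
    # Image path, hash and start time are unavailable for protected or kernel
    # processes (the "Registry" process from the page's example is one), so
    # each is collected best-effort instead of failing the whole script.
    $path = $null; $hash = $null; $start = $null
    try { $path  = $_.MainModule.FileName } catch {}
    try { $start = $_.StartTime } catch {}
    if ($path) {
        try { $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } catch {}
    }
    # Parent PID comes from WMI/CIM; Get-Process does not expose it directly.
    $parent = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").ParentProcessId

    [pscustomobject]@{
        Name      = $_.ProcessName
        PID       = $_.Id
        ParentPID = $parent
        StartTime = $start
        Path      = $path
        SHA256    = $hash
    }
} | Format-Table -AutoSize
```

Because `run` captures the script's standard output, the table lands in the live response console; a non-zero exit when nothing matches keeps a "no such process" result visibly distinct from an empty table.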

## scheduledtask

```
# Get all scheduled tasks
scheduledtasks
```

```
# Get specific scheduled task by location and name
scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition
```

```
# Get specific scheduled task by location and name with spacing
scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation"
```

## undo

```
# Restore remediated registry
undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize
```

```
# Restore remediated scheduledtask
undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition
```

```
# Restore remediated file
undo file c:\Users\user\Desktop\malware.exe
```