Microsoft Defender for Endpoint – MD ATP Daily Operation – Part 2


NOTE: As of late September, the Microsoft Defender ATP product line has been renamed to Microsoft Defender for Endpoint!

Dear IT Pros,  

I would like to continue with Part 2 of the Windows ATP Operation series, covering the tasks handled by ATP operators and ATP administrators.

Creating Alert Notification 

Alert Notification settings are configured to send alert email messages to the Security Team and other teams. 

To set up Alert Notification:

  • In the ATP Portal, go to Settings > General > Alert notifications
  • Click Add item
  • Enter a rule name, e.g. "Send High Severity Alerts to SecOps Team"
  • Choose the options to include: organization name, tenant-specific portal link, and device information
  • Choose the alert severities to notify on: High, Medium, Low
  • Click Next
  • Enter the group's email address
  • Send a test email and Save

Live Response to remote device

Live response gives you remote access to the target device over a remote shell connection. It enables a security admin to run commands and scripts, collect forensic data, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats on the remote device.

To enable Live Response for ATP devices:

  • In the ATP Portal, go to Settings > General > Advanced features
  • Turn on Live Response
  • (Optional) Turn on Live Response unsigned script execution
  • Save preferences

To run a Live Response remote session to a device:

  1. Client prerequisites:
    • Windows 10 version 1909 or later.
    • For other Windows 10 versions, make sure the appropriate update is installed (the live response feature is included in these updates):

      Windows 10 1903:       KB4515384
      Windows 10 1809 (RS5): KB4537818
      Windows 10 1803 (RS4): KB4537795
      Windows 10 1709 (RS3): KB4537816

    • The target machine is a member of a Device Group whose remediation level is Semi or Full, as shown:

For Dynamic Device Groups, please refer to "ATP Daily Operation – Part 1" for more detail.

To run a command or script in a live response session:

In a live response session, you can run any of the commands in the following table:

Command         Description
cd              Changes the current directory.
cls             Clears the console screen.
connect         Initiates a live response session to the device.
connections     Shows all the active connections.
dir             Shows a list of files and subdirectories in a directory.
download        Downloads a file in the background.
                Returns a file download to the foreground.
drivers         Shows all drivers installed on the device.
fileinfo        Gets information about a file. (10GB max size limit)
findfile        Locates files by a given name on the device.
help            Provides help information for live response commands.
persistence     Shows all known persistence methods on the device.
processes       Shows all processes running on the device.
registry        Shows registry values.
scheduledtasks  Shows all scheduled tasks on the device.
services        Shows all services on the device.
trace           Sets the terminal's logging mode to debug.

Advanced commands 

The following advanced commands are for the user roles that are granted the ability to run advanced live response commands such as ATP Administrator Role: 

Command     Description
analyze     Analyses the entity with various incrimination engines to reach a verdict.
getfile     Gets a file from the device. (3GB max size limit)
            NOTE: This command has a prerequisite command. You can use the -auto flag in conjunction with getfile to automatically run the prerequisite command.
run         Runs a PowerShell script from the library on the device.
library     Lists files that were uploaded to the live response library. (250MB max size limit)
putfile     Puts a file from the library onto the device. Files are saved in a working folder and, by default, are deleted when the device restarts.
remediate   Remediates an entity on the device. The remediation action varies depending on the entity type:
            – File: delete
            – Process: stop, delete image file
            – Service: stop, delete image file
            – Registry entry: delete
            – Scheduled task: remove
            – Startup folder item: delete file
            NOTE: This command has a prerequisite command. You can use the -auto flag in conjunction with remediate to automatically run the prerequisite command.
undo        Restores an entity that was remediated.

To run a PowerShell script in live response:

The library stores files (such as PowerShell scripts) that can be run in a live response session at the tenant level. PowerShell scripts must first be placed in the library before you can run them.

Upload the script file to the library and run the script:

Click Upload file to library.

  • Click Browse and select the file.
  • Provide a brief description.
  • Specify whether you'd like to overwrite a file with the same name.
  • If you'd like to be notified which parameters the script needs, select the script parameters check box. In the text field, enter an example and a description.
  • Click Confirm.
  • (Optional) To verify that the file was uploaded to the library, run the library command.
  • Run the script with the command: run scriptname.ps1

Cancel a command 

Anytime during a session, you can cancel a command by pressing CTRL + C. 

Using this shortcut will not stop the command on the agent side; it only cancels the command in the portal.

Automatically run prerequisite commands 

Some commands have prerequisite commands that must run first. If you don't run the prerequisite command, you get an error. For example, running the download command without first running fileinfo returns an error.

You can use the -auto flag to run the prerequisite commands automatically:

getfile C:\Users\user\Desktop\work.txt -auto

Apply command parameters 

When using commands that have prerequisite commands, you can use flags: 

<command name> -type file -id <file path> -auto

Supported output types 

Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands: 

  • -output json 
  • -output table 

Note: Fewer fields are shown in table format due to the limited space. To see more details in the output, use the JSON output format.

View the command log 

Select the Command log tab to see the commands used on the device during a session. Each command is tracked with full details: ID, command line, duration, status, and an input/output side bar.

Examples:

  • Analyze a file:

    C:\> analyze -type file -id C:\Users\CMAdmin.FourthCoffee\Downloads\KnownMalicious.exe -auto

  • Analyze a file on the remote machine and automatically save the output to the "Downloads" folder of your local workstation:

    C:\> analyze -type file -id C:\Users\CMAdmin.FourthCoffee\Downloads\KnownMalicious.exe -auto > AnalyzedKnownMalicious.txt

  • Remediate a file (delete the file):

    C:\> remediate -type file -id C:\Users\CMAdmin.FourthCoffee\Downloads\FreeVideo.exe -auto

    or

    C:\> remediate file C:\Users\CMAdmin.FourthCoffee\Downloads\FreeVideo.exe -auto

  • Download a file from the remote target device to your local workstation:

    C:\> getfile "C:\Users\CMAdmin.FourthCoffee\Downloads\FreeVideo.exe" -auto

    or

    C:\> download "C:\Users\CMAdmin.FourthCoffee\Downloads\FreeVideo.exe" -auto

  • List the active connections of the remote target device:

    C:\> connections

  • List the registry keys and values of the remote target device:

    C:\> registry "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender"

  • Create a test script, upload it to the library and run it:

Example: create ATPTest.ps1 with the following content:

    Dir C:\Users\CMAdmin.Contoso.com\Downloads > C:\Temp\download_files.txt

Upload the script named "ATPTest.ps1" to the library and run it:

    C:\> run ATPTest.ps1

Download the result file to the "Downloads" folder of your local workstation:

    C:\> download "C:\Temp\download_files.txt" -auto
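As an added example (not from the article or from Microsoft's documentation), the following is a more useful variant of the ATPTest.ps1 script above that an investigator could upload to the library and run with `run ATPTriage.ps1`. The script name, the parameter defaults and the CSV output path are assumptions; it inventories a folder on the remote device with hashes, signature status and Mark-of-the-Web zone, so the result can be pulled back with getfile/download as in the example above.

```powershell
# ATPTriage.ps1 - constructed example script for the Live Response library.
# Inventories every file under a folder on the remote device (path, size, UTC
# timestamps, SHA256, Authenticode status, Mark-of-the-Web zone) and writes a
# CSV to C:\Temp so it can be pulled back with getfile/download.
param(
    # Assumed defaults: the Downloads folder and output location from the article's Dir example.
    [string]$Path    = 'C:\Users\CMAdmin.Contoso.com\Downloads',
    [string]$OutFile = 'C:\Temp\download_files.csv'
)

$outDir = Split-Path -Parent $OutFile
if (-not (Test-Path -Path $outDir)) {
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
}

$rows = foreach ($file in Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName -ErrorAction SilentlyContinue
    $hash = Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue

    # The Zone.Identifier alternate data stream records where the file came from
    # (ZoneId=3 means it was downloaded from the Internet); it is absent on local files.
    $zone = ''
    try {
        $zone = (Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction Stop |
                 Where-Object { $_ -like 'ZoneId=*' }) -replace '^ZoneId=', ''
    } catch { }

    [PSCustomObject]@{
        FullName  = $file.FullName
        SizeBytes = $file.Length
        Created   = $file.CreationTimeUtc.ToString('o')
        LastWrite = $file.LastWriteTimeUtc.ToString('o')
        SHA256    = if ($hash) { $hash.Hash } else { '' }
        Signature = if ($sig)  { $sig.Status.ToString() } else { 'Unknown' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        ZoneId    = "$zone"
    }
}

$rows | Sort-Object LastWrite -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# This summary is what the live response console shows; the CSV itself is retrieved with:
#   getfile "C:\Temp\download_files.csv" -auto
"Inventoried {0} file(s) under {1}; results written to {2}" -f @($rows).Count, $Path, $OutFile
```

Because the script is unsigned, the "Live Response unsigned script execution" setting described above must be enabled for run to accept it.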

I hope the information is useful to your daily ATP operation monitoring. 

Cheers!

References: 

Live Response Investigation:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/live-response#:~:text=Microsoft%20Defender%20Advanced%20Threat%20Protection%20%28Microsoft%20Defender%20ATP%29,as%20a%20machine%29%20using%20a%20remote%20shell%20connection.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples

Video about Live Response

https://www.bing.com/videos/search?q=microsoft+live+response+advanced+threat+protection+video&docid=608005478874219990&mid=593DC3A568771CBCEF01593DC3A568771CBCEF01&view=detail&FORM=VIRE

__________________________

Disclaimer 

The sample are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages. 


This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.