MDE ‐ Live Response Overview - mattnovitsch/M365 GitHub Wiki
Summary
I have been asked a couple of times now about how to use Live Response and what the benefit of it is. In my opinion, Live Response is great for getting onto an endpoint to collect data or correct situations.
Top customer situations:
- Need to kick off an antivirus scan (you could use the console also)
- Need to make a configuration change on the endpoint
- Need to remotely wipe the machine (this assumes you don't want or don't have Intune)
- Remove a device from MDE Management
- Get a file from an endpoint
Prerequisites
- Live Response configured
- PowerShell Scripts or knowledge to create them
Basic settings
To access Live Response, you will need to navigate to the device; Device Inventory is one of the locations. Click on the ellipsis and click on Initiate Live Response.
You can upload PowerShell scripts to your tenant library in the top right corner.
For the most recent commands, please view them here.
Situations
Need to kick off an antivirus scan
The script for this is pretty easy:
```powershell
cd 'C:\Program Files\Windows Defender\'
.\MpCmdRun.exe -scan -scantype 1
```
If you wanted to scan a USB drive, you can do this:
```powershell
# DriveType 2 = removable media; take the first removable volume that actually has a drive letter
$USBDriveLetter = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | Where-Object DriveLetter | Select-Object -First 1
cd "C:\Program Files\Windows Defender"
# -File only applies to the custom (file/directory) scan, which is -ScanType 3; 2 would be a full scan
.\MpCmdRun.exe -Scan -ScanType 3 -File $USBDriveLetter.DriveLetter
# Echo the drive letter so it shows up in the Live Response output
$USBDriveLetter.DriveLetter
```
I'm kicking off a quick scan, but you can do whichever you need (documentation below).
Now that we have the script, save it and upload it to your library.
Validate the script was uploaded using the library command to list all your files.
Upload the file to the endpoint:
```
putfile RunQuickScan.ps1
```
You should get this once it's done.
Need to make a configuration change on the endpoint
There are a lot of different changes you can make to the endpoint, either with PowerShell or with the built-in Live Response commands. We are going to stop a process; I opened Notepad as an example.
Now let's find the process with:
```
processes -name notepad.exe
```
Keep track of the PID.
Let's pretend it was something we wanted to quarantine.
```
remediate process 11096
```
Since the file is quarantined and no longer a threat, I can disconnect or document anything else that I might need to do.
Need to remotely wipe the machine
Let's say you are not using Intune, or something came up where you need to wipe a device immediately. Well, we need to script that out. I found the one Microsoft had posted here: MDM_RemoteWipe class
```powershell
# MDM Bridge WMI provider namespace that exposes the CSP classes to local scripts
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_RemoteWipe"
$methodName = "doWipeMethod"
$session = New-CimSession
# doWipeMethod takes a single (empty) string input parameter
$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
$param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create("param", "", "String", "In")
$params.Add($param)
try
{
    # Locate the RemoteWipe CSP node and invoke the wipe; the device restarts right away
    $instance = Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'"
    $session.InvokeMethod($namespaceName, $instance, $methodName, $params)
}
catch [Exception]
{
    Write-Host ($_ | Out-String)
}
```
Upload the script to the Library.
Validate the script uploaded.
Upload the file to the endpoint.
Run the script.
Once the script runs, the system will restart right away. Your Live Response will disconnect or error out shortly after.
Remove a device from MDE Management
A good example for this one is a device that was onboarded to your tenant but is a personal device. Since it's a personal device you don't want to push any configurations to it, so we can offboard it from Live Response (you can do it from the API as well).
We need to download the offboarding script for Defender for Endpoint (it has a short time to live, so we have to get a new one every 7 days). Make sure you use the Group Policy method so it doesn't require interaction.
Open the zip file and extract the CMD file somewhere. I'm extracting it to c:\Tools.
Creating the PowerShell script is just a matter of calling the CMD file we extracted.
Now you have to upload both files to the Library.
Validate the files made it.
Upload the files to the endpoint.
Run the PowerShell Script.
Validate offboarding was successful.
```
registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\\OnboardingState'
```
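The wrapper script described above, as an added example that is not the wiki's own script: it runs the extracted offboarding CMD non-interactively and then polls the same Status key the registry command reads, so the result is visible in the Live Response output. It assumes the CMD was extracted to C:\Tools (the file name is a placeholder, since Microsoft stamps the package with its expiry date) and that OnboardingState reads 1 while onboarded and 0 once the sensor has offboarded.

```powershell
# Added example (not the wiki's script): call the MDE offboarding CMD and confirm the result.
# Assumption: the package was extracted to C:\Tools; <DATE> is a placeholder for the stamped expiry.
$OffboardCmd = 'C:\Tools\WindowsDefenderATPOffboardingScript_valid_until_<DATE>.cmd'
$StatusKey   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

if (-not (Test-Path -LiteralPath $OffboardCmd)) {
    throw "Offboarding script not found at $OffboardCmd - did putfile succeed?"
}

# Record the state before we start so the change is visible in the Live Response output.
$before = (Get-ItemProperty -Path $StatusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
Write-Output "OnboardingState before: $before"

# Run the CMD and wait for it; the Group Policy package has no prompts, so no interaction is needed.
$proc = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', "`"$OffboardCmd`"" -Wait -PassThru -NoNewWindow
Write-Output "Offboarding script exit code: $($proc.ExitCode)"

# The sensor updates the Status key asynchronously, so poll for a short while instead of reading once.
# Assumption: 1 = onboarded, 0 = offboarded.
$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Seconds 10
    $after = (Get-ItemProperty -Path $StatusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
} while ($after -ne 0 -and (Get-Date) -lt $deadline)

if ($after -eq 0) {
    Write-Output "Device offboarded: OnboardingState is now $after"
} else {
    Write-Output "Offboarding not confirmed yet (OnboardingState = $after); re-check with the registry command"
}
```

Upload this .ps1 together with the CMD file, then run it with the run command as in the steps above.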
Get a file from an endpoint
Connect to the endpoint you need to grab a file from.
Then let's find the file:
```
findfile test.txt
```
Now that we have the path, let's download it.
- The file can't be empty, as you can see from the error message.
I added some data to the file and tried again. You can see the file is available in my browser downloads from there.