Incident Response Part 3: Leveraging Live Response

This is it, the last part of the Incident Response series. In the past weeks, insight was given on how KQL can be used to perform incident response, even if the data is not ingested in Sentinel or Microsoft 365 Defender. Part three marks the last part which discusses how you can leverage Live Response, which is available in Defender For Endpoint.

The incident response series consists of the following parts:

  1. Incident Response Part 1: IR on Microsoft Security Incidents (KQL edition)
  2. Incident Response Part 2: What about the other logs?
  3. Incident Response Part 3: Leveraging Live Response


To explain the value and the needs around Live Response the following items will be addressed:

Live Response provides security teams with a remote toolkit that enables you to perform additional incident response activities on a device. This provides security teams with a remote shell connection on the device that needs to be investigated.

The Operating Systems that currently support Live Response are:

  • Windows 10 & 11
  • macOS
  • Linux
  • Windows Server

Before you can use Live Response it needs to be enabled in the Advanced feature tab of the Defender For Endpoint settings, as seen below.

Enable Live Response

Once Live Response is enabled and the proper roles are assigned, the analyst can initiate a Live Response Session from the device actions, as seen below.

Initate Live Response Session


The RBAC model in Defender For Endpoint has a specific section for Live Response Capabilities, which are based on the commands an analyst can run:

Those RBAC rules can be assigned to specific DeviceGroup. I advise using those DeviceGroups to only assign the least privileges (as you should do for all roles) thus the least devices an analyst can perform Live Response on.

Remember that Live Response is a remote shell on an endpoint, so what could go wrong? Limit the accounts that can perform Advanced Commands on devices, since it has the option to run PowerShell scripts from the library, but if you can run one, you can also add one (hey red team!). So in theory you can upload custom scripts to tier0 devices and do a lot of damage, so be aware of this. There is an option in MDE that is off by default but can be turned on which lets you run unsigned PowerShell scripts. As also said in the Microsoft docs: Allowing the use of unsigned scripts may increase your exposure to threats.

RBAC Model Live Response

Live Response Commands

Microsoft has documented all the commands that can be executed via Live Response. The tables below go over what the syntax is, what the command does and which platforms support the command.

Basic commands

The following commands are available for user roles that are granted the ability to run basic live response commands.

CommandDescriptionWindows and Windows ServermacOSLinux
cdChanges the current directory.YYY
clsClears the console screen.YYY
connectInitiates a live response session to the device.YYY
connectionsShows all the active connections.YNN
dirShows a list of files and subdirectories in a directory.YYY
driversShows all drivers installed on the device.YNN
fg <command ID>Place the specified job in the foreground, making it the current job. NOTE: fg takes a ‘command ID` available from jobs, not a PID.YYY
fileinfoGet information about a file.YYY
findfileLocates files by a given name on the device.YYY
getfile <file_path>Downloads a file.YYY
helpProvides help information for live response commands.YYY
jobsShows currently running jobs, their ID and status.YYY
persistenceShows all known persistence methods on the device.YNN
processesShows all processes running on the device.YYY
registryShows registry values.YNN
scheduledtasksShows all scheduled tasks on the device.YNN
servicesShows all services on the device.YNN
startupfoldersShows all known files in startup folders on the device.YNN
statusShows the status and output of specific command.YYY
traceSets the terminal’s logging mode to debug.YYY

Table source:

Advanced commands

The following commands are available for user roles that are granted the ability to run advanced live response commands.

CommandDescriptionWindows and Windows ServermacOSLinux
analyzeAnalyses the entity with various incrimination engines to reach a verdict.YNN
collectCollects forensics package from device.NYY
isolateDisconnects the device from the network while retaining connectivity to the Defender for Endpoint service.NYN
releaseReleases a device from network isolation.NYN
runRuns a PowerShell script from the library on the device.YYY
libraryLists files that were uploaded to the live response library.YYY
putfilePuts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default.YYY
remediateRemediates an entity on the device. The remediation action will vary depending on the entity type: File: delete Process: stop, delete image file Service: stop, delete image file Registry entry: delete Scheduled task: remove Startup folder item: delete file NOTE: This command has a prerequisite command. You can use the -auto command in conjunction with remediate to automatically run the prerequisite command.YYY
scanRuns an antivirus scan to help identify and remediate malware.NYY
undoRestores an entity that was remediated.YNN

Table source:

Practical Examples

Once a Live Response session is initiated on a device the fun can begin. You know that you have established a successful connection with the device if the connect status returns Session established, as seen in the image below. The Live Response prompt provides some additional information about the device, such as its IP, which OS it is running and some data related to the Live Response session. This section will discuss some examples, Microsoft has documented more examples

Live Response Session Established


The fileinfo command gets information about a file, awhich OSn example of the execution is seen below. You need to use the cd command to change to the folder you are interested in. This lists when the file was created and when it was last modified. Furthermore, a lot of metadata is shared, for example, if the file is hidden or not. Lastly, the SHA1, MD5, LSH and SHA256 hashes are shared, which can be used in later stages to add them as IOC or hunt for related activities.

Live Response Audit

More Examples? Check the Live Response Example section in the Microsoft Docs.

Analyzing files

Based on the file information you might want to analyze the file, which is also possible. This can be done by running:

analyze file FileName.txt

This will again provide some information about the file, but it will mainly provide the file’s behaviour. In the case of this file, MDE performed two scans on the file:

  • Deep Analysis
  • Microsoft Defender static analysis

Both scans did not find malicious behaviour, resulting in a clean file status. The last part of the report is the most interesting, it shares the behaviour of the file. Which connections are made and what file interactions have been performed.

C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads> analyze file DFIR-Script.ps1
  "report": {
    "status": "clean",
    "file_hash": "bb395fced74d4a36446be8ce8af7e3aedf9d801e28167472d1c0a87c31cf7b9a",
    "not_found": 1,
    "clean": 1,
    "suspicious": 0,
    "infected": 0,
    "total": 2,
    "scans": [
        "status": "clean",
        "scan_time": "2023-09-20T16:32:11.6164503Z",
        "source": "Deep Analysis",
        "report": null
        "status": "not_found",
        "scan_time": "2023-09-20T16:28:04.3376221Z",
        "source": "Microsoft Defender static analysis",
        "report": null
    "rescan": null,
    "threat_type": null,
    "behavior": {
      "networkTcpIps": [
      "files": {
        "Created": [
        "Modified": null,
        "Deleted": null
    "has_file": false
  "scan_status": "clean"
Audit Live Response

All commands and scripts that are executed on any device are logged in the command log. This section could also be used to identify which commands have been executed and if data has been uploaded or exfiltrated from the device.

Live Response Audit

Incident Response Scripts

The real value of Live Response can be leveraged when custom scripts are uploaded. Those scripts are not limited to the basic or advanced syntax, thus can execute more powerful scripts. The Incident Response PowerShell repository contains several scripts that can help you to perform IR, one of them is discussed below.

Let’s first start by adding a custom PowerShell script to our Live Response library. This can be done in the right top corner (see image below), by clicking upload file to library.

Upload custom IR script

Once the scripts have been uploaded the library command can be executed to list all the available IR scripts. In our case, the DFIR-script.ps1 is uploaded and ready to be used.

List uploaded scripts

DFIR Script

The DFIR script collects information from multiple sources and structures the output in the current directory in a folder named ‘DFIR-hostname-year-month-date’. This folder is zipped at the end so that the folder can be remotely collected.

  • Local IP Info
  • Open Connections
  • Aautorun Information (Startup Folder & Registry Run keys)
  • Active Users
  • Local Users
  • Connections Made From Office Applications
  • Active SMB Shares
  • RDP Sessions
  • Active Processes
  • Active USB Connections
  • Powershell History
  • DNS Cache
  • Installed Drivers
  • Installed Software
  • Running Services
  • Scheduled Tasks

For the best experience run the script as admin, then the following items will also be collected:

  • Windows Security Events
  • Remotely Opened Files
  • Shadow Copies

Execute DFIR Script

The DFIR script can be executed by running the following command:

run DFIR-script.ps1

DFIR Script Execution

This script outputs all the results in a .zip as mentioned above. But this .zip file is stored on the remote device. Of course, we can use live response to collect the file for further analysis. This can be done by using the getfile command. This downloads the file to your local machine.

Collect output

Now the incident responder can investigate the logs for malicious content. This can be really valuable since more information can be collected this way, than by collecting the Investigation Package.

DFIR Script ouput

Collection Windows Security Events

Even though you might not ingest Windows Security Events in your SIEM, they can still add value in your incident response process. The script to collect the events and output them as CSV is already available for you: CollectWindowsSecurityEvents.ps1. Now it is up to you to replicate the steps above to upload, run and collect the results.

To analyze the Windows Security events take a look at Part 2 of the Incident Response series, that part will explain how you can analyze the results using Data Explorer.

Community Scripts

Before you start asking CHAT-GPT or BingChat to create some incident response PowerShell scripts have a look at what the community already provided.


This was the last part of the incident response series, covering responding using KQL, Azure Data Explorer and Live Response. I hope that you learned a thing or two ;). What all the parts of the series have in common is that preparation is key! All examples that are shown can be used very effectively, but you need to test and tune them to your environment beforehand.

Some tips from my side to prepare for incident response scenarios:

  1. Prepare (or gather) KQL queries for common attack scenarios that will help you effectively investigate suspicious actions.
  2. Research which common techniques are covered in the data you ingest in your SIEM solution. If possible fill the gaps with data you can collect when needed. This data can then be analyzed with KQL using Data Explorer as discussed in Part 2.
  3. Prepare (or gather) live response scripts that can cover the gaps as mentioned in step 2.
  4. Test, test and test. Run a scenario and see what happened, not only on the technical side but also on the people and process part.

Questions? Feel free to reach out to me on any of my socials.