This is it, the last part of the Incident Response series. In the past weeks, insight was given into how KQL can be used to perform incident response, even if the data is not ingested in Sentinel or Microsoft 365 Defender. Part three, the last part, discusses how you can leverage Live Response, which is available in Defender For Endpoint.
The incident response series consists of the following parts:
- Incident Response Part 1: IR on Microsoft Security Incidents (KQL edition)
- Incident Response Part 2: What about the other logs?
- Incident Response Part 3: Leveraging Live Response
Introduction
To explain the value and the needs around Live Response the following items will be addressed:
Live Response provides security teams with a remote toolkit that enables you to perform additional incident response activities on a device. This provides security teams with a remote shell connection on the device that needs to be investigated.
The Operating Systems that currently support Live Response are:
- Windows 10 & 11
- macOS
- Linux
- Windows Server
Before you can use Live Response it needs to be enabled in the Advanced feature tab of the Defender For Endpoint settings, as seen below.
Enable Live Response
Once Live Response is enabled and the proper roles are assigned, the analyst can initiate a Live Response Session from the device actions, as seen below.
Initiate Live Response Session
Permissions
The RBAC model in Defender For Endpoint has a specific section for Live Response Capabilities, which are based on the commands an analyst can run:
Those RBAC roles can be assigned to specific Device Groups. I advise using those Device Groups to assign only the least privilege (as you should do for all roles), so that an analyst can perform Live Response on the smallest possible set of devices.
Remember that Live Response is a remote shell on an endpoint, so what could go wrong? Limit the accounts that can perform Advanced Commands on devices, since that role includes the option to run PowerShell scripts from the library, and if you can run one, you can also add one (hey red team!). So in theory you can upload custom scripts to tier 0 devices and do a lot of damage, so be aware of this. There is an option in MDE, off by default, that can be turned on to allow running unsigned PowerShell scripts. As the Microsoft docs also say: allowing the use of unsigned scripts may increase your exposure to threats.
RBAC Model Live Response
Live Response Commands
Microsoft has documented all the commands that can be executed via Live Response. The tables below go over what the syntax is, what the command does and which platforms support the command.
Basic commands
The following commands are available for user roles that are granted the ability to run basic live response commands.
Command | Description | Windows and Windows Server | macOS | Linux |
---|---|---|---|---|
cd | Changes the current directory. | Y | Y | Y |
cls | Clears the console screen. | Y | Y | Y |
connect | Initiates a live response session to the device. | Y | Y | Y |
connections | Shows all the active connections. | Y | N | N |
dir | Shows a list of files and subdirectories in a directory. | Y | Y | Y |
drivers | Shows all drivers installed on the device. | Y | N | N |
fg <command ID> | Places the specified job in the foreground, making it the current job. NOTE: fg takes a 'command ID' available from jobs, not a PID. | Y | Y | Y |
fileinfo | Gets information about a file. | Y | Y | Y |
findfile | Locates files by a given name on the device. | Y | Y | Y |
getfile <file_path> | Downloads a file. | Y | Y | Y |
help | Provides help information for live response commands. | Y | Y | Y |
jobs | Shows currently running jobs, their ID and status. | Y | Y | Y |
persistence | Shows all known persistence methods on the device. | Y | N | N |
processes | Shows all processes running on the device. | Y | Y | Y |
registry | Shows registry values. | Y | N | N |
scheduledtasks | Shows all scheduled tasks on the device. | Y | N | N |
services | Shows all services on the device. | Y | N | N |
startupfolders | Shows all known files in startup folders on the device. | Y | N | N |
status | Shows the status and output of a specific command. | Y | Y | Y |
trace | Sets the terminal's logging mode to debug. | Y | Y | Y |
Table source: https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/defender-endpoint/live-response.md
Advanced commands
The following commands are available for user roles that are granted the ability to run advanced live response commands.
Command | Description | Windows and Windows Server | macOS | Linux |
---|---|---|---|---|
analyze | Analyses the entity with various incrimination engines to reach a verdict. | Y | N | N |
collect | Collects a forensics package from the device. | N | Y | Y |
isolate | Disconnects the device from the network while retaining connectivity to the Defender for Endpoint service. | N | Y | N |
release | Releases a device from network isolation. | N | Y | N |
run | Runs a PowerShell script from the library on the device. | Y | Y | Y |
library | Lists files that were uploaded to the live response library. | Y | Y | Y |
putfile | Puts a file from the library on the device. Files are saved in a working folder and are deleted when the device restarts by default. | Y | Y | Y |
remediate | Remediates an entity on the device. The remediation action varies depending on the entity type. File: delete. Process: stop, delete image file. Service: stop, delete image file. Registry entry: delete. Scheduled task: remove. Startup folder item: delete file. NOTE: This command has a prerequisite command. You can use the -auto option in conjunction with remediate to automatically run the prerequisite command. | Y | Y | Y |
scan | Runs an antivirus scan to help identify and remediate malware. | N | Y | Y |
undo | Restores an entity that was remediated. | Y | N | N |
Table source: https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/defender-endpoint/live-response.md
Practical Examples
Once a Live Response session is initiated on a device the fun can begin. You know that you have established a successful connection with the device if the connect status returns "Session established", as seen in the image below. The Live Response prompt provides some additional information about the device, such as its IP, which OS it is running and some data related to the Live Response session. This section discusses some examples; Microsoft has documented more.
Live Response Session Established
Fileinfo
The fileinfo command gets information about a file; an example of its execution is seen below. You need to use the cd command to change to the folder you are interested in. The output lists when the file was created and when it was last modified. Furthermore, a lot of metadata is shared, for example whether the file is hidden or not. Lastly, the SHA1, MD5, LSH and SHA256 hashes are shared, which can be used in later stages to add them as IOCs or to hunt for related activities.
Live Response Audit
More examples? Check the Live Response Example section in the Microsoft Docs.
Analyzing files
Based on the file information you might want to analyze the file, which is also possible. This can be done by running:
analyze file FileName.txt
This will again provide some information about the file, but it will mainly provide the file’s behaviour. In the case of this file, MDE performed two scans on the file:
- Deep Analysis
- Microsoft Defender static analysis
Neither scan found malicious behaviour, resulting in a clean file status. The last part of the report is the most interesting: it shares the behaviour of the file, which connections are made and what file interactions have been performed.
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads> analyze file DFIR-Script.ps1
{
"report": {
"status": "clean",
"file_hash": "bb395fced74d4a36446be8ce8af7e3aedf9d801e28167472d1c0a87c31cf7b9a",
"not_found": 1,
"clean": 1,
"suspicious": 0,
"infected": 0,
"total": 2,
"scans": [
{
"status": "clean",
"scan_time": "2023-09-20T16:32:11.6164503Z",
"source": "Deep Analysis",
"report": null
},
{
"status": "not_found",
"scan_time": "2023-09-20T16:28:04.3376221Z",
"source": "Microsoft Defender static analysis",
"report": null
}
],
"rescan": null,
"threat_type": null,
"behavior": {
"networkTcpIps": [
"fe80::5052:d740:21d8:bb2c",
"ff02::1:3",
"224.0.0.252",
"13.107.4.50",
"ff02::1:2",
"fe80::e8ce:93e9:5411:20b",
"168.62.124.16",
"13.107.48.18",
"104.218.56.90"
],
"files": {
"Created": [
"c:\users\[[deep_analysis_user]]\appdata\roaming\microsoft\windows\recent\customdestinations\8nsg1i8j4247xso0uzvi.temp",
"c:\users\[[deep_analysis_user]]\appdata\roaming\microsoft\windows\recent\customdestinations\d93f411851d7c929.customdestinations-ms~rf15ec4.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\cab6f10.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\tar6f11.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\cab6f32.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\tar6f33.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\cab8377.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\tar8378.tmp",
"c:\input\dfir-[[deep_analysis_pc]]-2023-09-20\userinformation\activeusers.txt",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\cab8a48.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\tar8a49.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\cab8af6.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\tar8af7.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\cab8b23.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\tar8b24.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\cab8b92.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\tar8b93.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\cabae0d.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\tarae0e.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\cabae2f.tmp",
"c:\users\[[deep_analysis_user]]\appdata\local\temp\tarae30.tmp"
],
"Modified": null,
"Deleted": null
}
},
"has_file": false
},
"scan_status": "clean"
}
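As an added example (not part of the original post), a PowerShell helper that reduces an analyze report like the one above to the fields an analyst acts on: the verdict per engine, the routable network peers, and the directories that received created files. It assumes valid JSON; the embedded sample is a constructed, shortened copy of the report above with backslashes escaped.

```powershell
# Added example, not from the page: turn the JSON that `analyze file` returns into a triage summary.
# $SampleReport is a constructed, shortened copy of the report shown above (backslashes escaped).
$SampleReport = @'
{ "report": { "status": "clean",
    "file_hash": "bb395fced74d4a36446be8ce8af7e3aedf9d801e28167472d1c0a87c31cf7b9a",
    "scans": [ { "status": "clean",     "source": "Deep Analysis" },
               { "status": "not_found", "source": "Microsoft Defender static analysis" } ],
    "behavior": {
      "networkTcpIps": [ "fe80::5052:d740:21d8:bb2c", "ff02::1:3", "224.0.0.252", "13.107.4.50", "168.62.124.16" ],
      "files": { "Created": [ "c:\\users\\[[deep_analysis_user]]\\appdata\\local\\temp\\cab6f10.tmp",
                              "c:\\users\\[[deep_analysis_user]]\\appdata\\local\\temp\\tar6f11.tmp",
                              "c:\\input\\dfir-[[deep_analysis_pc]]-2023-09-20\\userinformation\\activeusers.txt" ],
                 "Modified": null, "Deleted": null } } },
  "scan_status": "clean" }
'@

function Get-AnalyzeSummary {
    param([string]$Json)
    $r = ($Json | ConvertFrom-Json).report
    # Per-engine result. A 'not_found' status is an engine that returned no verdict, not a clean
    # verdict, which is why the report counts it separately from "clean".
    $Engines = @($r.scans | ForEach-Object { [pscustomobject]@{ Engine = $_.source; Status = $_.status } })
    # Keep only routable peers: drop IPv6 link-local/multicast, loopback and IPv4 multicast/reserved.
    $Routable = @($r.behavior.networkTcpIps | Where-Object {
        $ip = [System.Net.IPAddress]::Parse($_)
        -not ($ip.IsIPv6LinkLocal -or $ip.IsIPv6Multicast -or [System.Net.IPAddress]::IsLoopback($ip) -or
              ($ip.AddressFamily -eq 'InterNetwork' -and $ip.GetAddressBytes()[0] -ge 224))
    })
    # Group created files by directory so a burst of temp files reads as one line, not twenty.
    $CreatedByDir = @($r.behavior.files.Created | ForEach-Object { [System.IO.Path]::GetDirectoryName($_) } |
        Group-Object | ForEach-Object { [pscustomobject]@{ Directory = $_.Name; Files = $_.Count } })
    [pscustomobject]@{
        Verdict               = $r.status
        Sha256                = $r.file_hash
        Engines               = $Engines
        EnginesWithoutVerdict = @($Engines | Where-Object Status -eq 'not_found').Count
        RoutablePeers         = $Routable
        CreatedByDirectory    = $CreatedByDir
    }
}

$Summary = Get-AnalyzeSummary -Json $SampleReport
$Summary | Format-List
```

The same function can be pointed at a saved report with `Get-AnalyzeSummary -Json (Get-Content report.json -Raw)`.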
All commands and scripts that are executed on any device are logged in the command log. This section could also be used to identify which commands have been executed and if data has been uploaded or exfiltrated from the device.
Live Response Audit
Incident Response Scripts
The real value of Live Response can be leveraged when custom scripts are uploaded. Those scripts are not limited to the basic or advanced command syntax, so far more powerful actions can be performed. The Incident Response PowerShell repository contains several scripts that can help you perform IR; one of them is discussed below.
Let’s first start by adding a custom PowerShell script to our Live Response library. This can be done in the right top corner (see image below), by clicking upload file to library.
Upload custom IR script
Once the scripts have been uploaded the library command can be executed to list all the available IR scripts. In our case, the DFIR-script.ps1 is uploaded and ready to be used.
List uploaded scripts
DFIR Script
The DFIR script collects information from multiple sources and structures the output in the current directory in a folder named ‘DFIR-hostname-year-month-date’. This folder is zipped at the end so that the folder can be remotely collected.
- Local IP Info
- Open Connections
- Autorun Information (Startup Folder & Registry Run keys)
- Active Users
- Local Users
- Connections Made From Office Applications
- Active SMB Shares
- RDP Sessions
- Active Processes
- Active USB Connections
- PowerShell History
- DNS Cache
- Installed Drivers
- Installed Software
- Running Services
- Scheduled Tasks
For the best experience run the script as admin, then the following items will also be collected:
- Windows Security Events
- Remotely Opened Files
- Shadow Copies
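As an added example that is not the repository's own DFIR-Script.ps1, here is a minimal collector in the same spirit: it covers a subset of the items above, uses the same 'DFIR-hostname-year-month-date' folder name and ends with the zip step. It assumes standard Windows PowerShell cmdlets only, and because a library script runs in the Live Response session rather than the interactive user's session, per-user artifacts are enumerated from disk and HKEY_USERS instead of the current profile.

```powershell
# Added example, not the repository's DFIR-Script.ps1: a minimal collector in the same style,
# meant to be uploaded to the Live Response library and started with `run`. It writes one CSV
# per artifact into a 'DFIR-<hostname>-<year>-<month>-<date>' folder and zips it for `getfile`.
$ErrorActionPreference = 'SilentlyContinue'
$OutDir = Join-Path (Get-Location) "DFIR-$env:COMPUTERNAME-$(Get-Date -Format 'yyyy-MM-dd')"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One CSV per artifact keeps the output easy to load into Data Explorer later (see Part 2).
function Save-Artifact {
    param([string]$Name, [scriptblock]$Collector)
    try {
        & $Collector | Export-Csv -Path (Join-Path $OutDir "$Name.csv") -NoTypeInformation
        Write-Output "[+] $Name"
    } catch { Write-Output "[-] $Name failed: $($_.Exception.Message)" }
}

Save-Artifact 'LocalIPInfo'     { Get-NetIPAddress | Select-Object InterfaceAlias, IPAddress, AddressFamily }
Save-Artifact 'OpenConnections' { Get-NetTCPConnection -State Established |
                                  Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess }
Save-Artifact 'ActiveProcesses' { Get-Process | Select-Object Id, ProcessName, Path, StartTime }
Save-Artifact 'LocalUsers'      { Get-LocalUser | Select-Object Name, Enabled, LastLogon }
Save-Artifact 'RunningServices' { Get-Service | Where-Object Status -eq 'Running' | Select-Object Name, DisplayName, StartType }
Save-Artifact 'ScheduledTasks'  { Get-ScheduledTask | Select-Object TaskName, TaskPath, State, Author }
Save-Artifact 'DNSCache'        { Get-DnsClientCache | Select-Object Entry, RecordType, Data }
Save-Artifact 'SMBShares'       { Get-SmbShare | Select-Object Name, Path, Description }
# PSReadLine history of every profile on disk: the Live Response session is not the interactive
# user's session, so the current-user history path would miss what the analyst cares about.
Save-Artifact 'PowerShellHistory' {
    Get-ChildItem "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" |
        ForEach-Object { $f = $_.FullName; Get-Content $f | ForEach-Object { [pscustomobject]@{ HistoryFile = $f; Command = $_ } } }
}
# Autorun information: machine and per-user Run/RunOnce keys (walking HKEY_USERS instead of HKCU
# for the same reason as above) plus the common and per-user startup folders.
Save-Artifact 'Autoruns' {
    $RunKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
    foreach ($Hive in Get-ChildItem Registry::HKEY_USERS) {
        $RunKeys += "Registry::$($Hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
        $RunKeys += "Registry::$($Hive.Name)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($Key in $RunKeys) {
        $Props = Get-ItemProperty -Path $Key
        if ($Props) {
            $Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { [pscustomobject]@{ Source = $Key; Name = $_.Name; Value = $_.Value } }
        }
    }
    Get-ChildItem -File "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*",
        "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*" |
        ForEach-Object { [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Value = $_.FullName } }
}

# Zip the folder so it can be pulled from the console with `getfile <path>.zip`.
Compress-Archive -Path $OutDir -DestinationPath "$OutDir.zip" -Force
Write-Output "Archive ready: $OutDir.zip"
```

Sign the script before uploading it so the default "signed scripts only" setting of the library does not have to be relaxed.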
Execute DFIR Script
The DFIR script can be executed by running the following command:
run DFIR-script.ps1
DFIR Script Execution
This script outputs all the results in a .zip as mentioned above. But this .zip file is stored on the remote device. Of course, we can use live response to collect the file for further analysis. This can be done by using the getfile command. This downloads the file to your local machine.
Collect output
Now the incident responder can investigate the logs for malicious content. This can be really valuable, since more information can be collected this way than by collecting the Investigation Package.
DFIR Script output
Collect Windows Security Events
Even though you might not ingest Windows Security Events in your SIEM, they can still add value in your incident response process. The script to collect the events and output them as CSV is already available for you: CollectWindowsSecurityEvents.ps1. Now it is up to you to replicate the steps above to upload, run and collect the results.
To analyze the Windows Security events take a look at Part 2 of the Incident Response series, that part will explain how you can analyze the results using Data Explorer.
Community Scripts
Before you start asking CHAT-GPT or BingChat to create some incident response PowerShell scripts have a look at what the community already provided.
- PowerShell Digital Forensics & Incident Response
- M365 MDATP Live Response sample scripts
- Remote collection of Windows Forensic Artifacts using KAPE and Microsoft Defender for Endpoint
Conclusion
This was the last part of the incident response series, covering responding using KQL, Azure Data Explorer and Live Response. I hope that you learned a thing or two ;). What all the parts of the series have in common is that preparation is key! All examples that are shown can be used very effectively, but you need to test and tune them to your environment beforehand.
Some tips from my side to prepare for incident response scenarios:
- Prepare (or gather) KQL queries for common attack scenarios that will help you effectively investigate suspicious actions.
- Research which common techniques are covered by the data you ingest in your SIEM solution. If possible, fill the gaps with data you can collect when needed. This data can then be analyzed with KQL using Data Explorer, as discussed in Part 2.
- Prepare (or gather) live response scripts that can cover the gaps mentioned in step 2.
- Test, test and test. Run a scenario and see what happened, not only on the technical side but also on the people and process side.
Questions? Feel free to reach out to me on any of my socials.