Remotely restart endpoints using MDE live response

If you haven’t familiarized yourself with Microsoft Defender for Endpoint live response yet, this is a simple exercise: start a live response session, use the scripts library, and store a short PowerShell script that restarts the endpoint, an action that is not available through the Microsoft 365 Defender portal itself.

What is live response?

Live response allows security analysts to connect to an endpoint using a remote shell connection. It provides the means to perform in-depth investigations and materialize incident response actions.

Live response includes collecting forensic data, running scripts, sending suspicious entities for analysis, remediating threats, and proactively hunting for emerging threats.

Amongst others, you can:

  • Run basic and advanced commands to do investigative work on a device.
  • Download files such as malware samples and outcomes of PowerShell scripts.
  • Download files in the background.
  • Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
  • Take or undo remediation actions.

Step 1 – Create the PowerShell script

Unless you prefer a fancier text editor, simply open Notepad, insert the following script and save it as “Restart-Computer.ps1”:

Restart-Computer -Force

The -Force parameter skips the default confirmation prompt, so the script proceeds straight to restarting the endpoint.

Step 2 – Commence a live response session

Navigate to the endpoint’s page and choose “Initiate Live Response Session”. Then click “Upload file to library”, choose the script created in Step 1, add a distinctive description and click “Confirm”.

If you type “library” at the command prompt you should be able to see the file you uploaded with the following information:

  • Filename
  • Description
  • Date/Time uploaded

Step 3 – Run the script

Now that you know your library content, you may run your script by using the following command:

run Restart-Computer.ps1

If everything worked as expected, your endpoint should be restarting.

Bonus Step – Verify restart

If you would like to be a step ahead, you can verify that the restart actually happened by creating and uploading a second PowerShell file with the following content:

systeminfo | find "System Boot Time"

Save it as “Restart-Computer-Verify.ps1”, upload it to the library and run it. You should be able to see the result as shown below; the boot time should be later than the moment you ran Restart-Computer.ps1.
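The two scripts above can be folded into one guarded script that records the boot time before restarting, refuses to reboot a host that came up only minutes ago (so running it twice by mistake does not cause a reboot loop), and verifies afterwards that LastBootUpTime moved past the recorded value. This is an added example, not code from the original post; the marker path, the 10-minute default and the -VerifyOnly switch are assumptions, and the switch can be set by editing the default in the file or, where the live response `run` command accepts `-parameters`, passed at run time.

```powershell
# Restart-Computer-Guarded.ps1 (added example; not from the original post)
# Run once to record the current boot time and restart. After the reboot, run
# again with -VerifyOnly to confirm the boot time changed.
param(
    [int]$MinUptimeMinutes = 10,   # assumption: tune to your environment
    # assumption: marker file location; any path writable by SYSTEM works
    [string]$MarkerPath = "$env:ProgramData\LiveResponse\last-restart.txt",
    [switch]$VerifyOnly
)

# LastBootUpTime comes back as a local DateTime from the CIM cmdlet
$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$lastBoot = $os.LastBootUpTime
$uptime   = (Get-Date) - $lastBoot

if ($VerifyOnly) {
    if (-not (Test-Path -Path $MarkerPath)) {
        Write-Output "No marker found at $MarkerPath; nothing to compare against."
        return
    }
    $raw      = (Get-Content -Path $MarkerPath -Raw).Trim()
    $recorded = [datetime]::Parse($raw, [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::RoundtripKind)
    # A restart is confirmed only if the host booted after the recorded time
    [pscustomobject]@{
        BootTimeBeforeRestart = $recorded
        CurrentLastBootUpTime = $lastBoot
        UptimeMinutes         = [math]::Round($uptime.TotalMinutes, 1)
        RestartConfirmed      = ($lastBoot -gt $recorded)
    }
    return
}

# Guard: do not bounce a machine that has only just come up
if ($uptime.TotalMinutes -lt $MinUptimeMinutes) {
    Write-Output ("Host booted {0:N1} minutes ago (< {1} min); refusing to restart." -f
        $uptime.TotalMinutes, $MinUptimeMinutes)
    return
}

# Persist the pre-restart boot time in round-trip format for the verify run
New-Item -ItemType Directory -Path (Split-Path -Path $MarkerPath) -Force | Out-Null
$lastBoot.ToString("o") | Set-Content -Path $MarkerPath
Write-Output "Recorded boot time $lastBoot to $MarkerPath; restarting now."
Restart-Computer -Force
```

Because the marker lives on the endpoint, the verify run reports RestartConfirmed as false if the restart command was accepted but the host never actually went down.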

Key takeaways

  • Microsoft Defender for Endpoint live response is a powerful tool, and this is a simple exercise to familiarize yourself with the environment and with the capability to run PowerShell scripts.
  • I wouldn’t recommend adding scripts that are not necessary; keep your library “clean”, holding only the tools you need in case you commence an actual live response action.
  • Always test and verify your scripts before adding them to your regular operations (and to your library, of course), as it would be catastrophic to try to respond to an incident while troubleshooting your scripts at the same time.
