17.3. Collect with Windows Defender for Endpoints
You can deploy the Cyber Triage Collector tool with Windows Defender for Endpoint using the Live Response feature. This allows you to collect the artifacts over the network without needing to use the PsExec-based approach that comes with Cyber Triage (see Network - PsExec).
Live Response is currently available with:
Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR
17.3.1. Live Response Basics
The official Microsoft documentation should be referred to for details of Live Response, but let’s cover the basic concepts:
Live Response gives you access to a command prompt on a remote system
It works on a subset of Windows versions and must be enabled
The Defender server can store files that get pushed to the endpoint when a live response session is started.
The basic approach for deploying Cyber Triage Collector will be to:
Edit the Cyber Triage Deployer script to meet your use case
Upload the Deployer script to the library in your Defender account
Create live sessions as needed and manually run the Deployer
17.3.2. Starting a Live Response Session
Currently, all Live Response configuration (such as uploading files to the library) requires you to have at least one session open. So, we’ll cover that first before we get into the configuration.
Log into your Defender account.
Choose the device you want to create the Live Response session on. You can do this from the list of devices from the left-hand menu. Or, you can do it from an alert.
Choose ‘Initiate Live Response Session’. That will then open a command prompt dialog.
17.3.3. Prepare Defender for Collection
There are four main preparation steps to make it easy to deploy the Cyber Triage Collector.
Configure Defender as needed to run unsigned PowerShell scripts in Live Response. See the Microsoft documentation referenced above.
Download the Deployer PowerShell script from the website. This script is what Defender runs, and it is responsible for getting the Collector onto the system and running it.
Configure the script as outlined in the Collector Deployer PowerShell Script section. You’ll need to make decisions about where data will be sent, etc. More details are provided below.
Upload the script to the Live Response library as outlined below.
17.3.3.1. Deployer Configuration Suggestions
Each EDR has different features for deploying forensic collectors. Some special notes for Defender include:
Defender kills a session after 30 minutes without input. Some Cyber Triage collections take longer than this, so the Deployer runs the Collector as a separate process that keeps running even if the session is killed.
The files from the library are saved to a “Download” folder under “C:\ProgramData”, but the Cyber Triage Collector cannot write to that folder. It needs to write somewhere else, such as a Temp folder.
Defender will only copy back files that are 3GB or less. While rare, Cyber Triage Collector output can be that large.
The Deployer script supports a variety of scenarios that you must pick from. We recommend:
Let the script download the Collector from the Cyber Triage website, as long as you are running the latest version of the software.
Have the script send data back directly to your Cyber Triage server. This gets you the data most quickly and saves you from having to guess when the collection is done.
If you can’t send it directly to your server, then you should configure it to upload to S3 or Azure.
17.3.3.2. Uploading the PowerShell Script to the Live Response Library
You can upload your Deployer script to your Defender console so that it can be more easily pushed out to endpoints. Before uploading the script, ensure you’ve edited it based on:
How the Collector will get onto the host
What data will be collected
Where data will be sent
As a reminder, you can run the PowerShell script locally to make sure it works.
Nothing in the upload process is unique to Cyber Triage, but we will outline the basic Defender ideas here:
You need an open Live Response session (on any device) in order to upload a file. So, pick a known device and follow the steps outlined above (Starting a Live Response Session).
Choose “Upload file to Library” in the upper right.
A dialog will prompt you to pick the Deployer script to upload. Choose to overwrite it if you already uploaded a version.
17.3.4. Initiate a Live Response-based Collection
Once the Deployer script has been uploaded to the library, you can use it in later Live Response sessions.
Start a Live Response Session as outlined above (Starting a Live Response Session).
Type in ‘run deploy_cyber_triage_collector.ps1’. If you want to specify arguments such as the download location, pass them in with the -Parameters argument, for example:
run deploy_cyber_triage_collector.ps1 -Parameters "-collector_download URL_HERE"
Because Defender will end the session after 30 minutes of no activity, the Collector runs as a background process. The script will show you the process ID and then wait a bit to make sure everything is OK. All output is saved to a text file.
If you configured the Deployer script to save data to a file, then you need to copy it off the endpoint when it is done. You can do this with the ‘getfile’ command (you may need to create a new Live Response session if the initial one timed out).
The default location to save the data to is C:\windows\temp\file.json.gz. Note that Defender has a maximum file size of 3GB to transfer.
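As an added illustration of the pattern described in the Deployer Configuration Suggestions and in the steps above (this is not the Cyber Triage Deployer script itself), the PowerShell below starts the Collector as a separate process writing to a Temp folder, records its PID and output in text files, and verifies after a short wait that it is still running. The Collector path and its output argument are placeholders, not documented Collector options.

```powershell
# Illustrative deployer pattern; not the Cyber Triage Deployer script.
# Assumptions: the Collector executable has already been placed at $CollectorPath,
# and the "--out" argument is a placeholder for the real Collector output option.
param(
    [string]$CollectorPath = "C:\Windows\Temp\CyberTriageCollector.exe",  # assumed
    [string]$OutputFile    = "C:\Windows\Temp\file.json.gz",
    [string]$LogFile       = "C:\Windows\Temp\collector_output.txt"
)

# Library files land in a Download folder under C:\ProgramData, which the
# Collector cannot write to, so all output goes to a Temp folder instead.
$outDir = Split-Path -Parent $OutputFile
if (-not (Test-Path $outDir)) {
    New-Item -ItemType Directory -Path $outDir | Out-Null
}

# Start the Collector as its own process so it survives the Live Response
# session being killed after 30 minutes of inactivity. stdout and stderr are
# redirected to text files that can be read from a later session.
$proc = Start-Process -FilePath $CollectorPath `
    -ArgumentList @("--out", "`"$OutputFile`"") `
    -RedirectStandardOutput $LogFile `
    -RedirectStandardError  "$LogFile.err" `
    -WindowStyle Hidden -PassThru

# Record the PID so the analyst can later run: processes -pid <PID>
$msg = "Collector started with PID $($proc.Id) at $(Get-Date -Format o)"
Add-Content -Path "$LogFile.status" -Value $msg
$msg

# Wait briefly, then confirm the process is alive and the output file is being
# written, so an early failure is noticed while the session is still open.
Start-Sleep -Seconds 30
if ($proc.HasExited) {
    Write-Error "Collector exited early (exit code $($proc.ExitCode)); see $LogFile and $LogFile.err"
    exit 1
}
$size = if (Test-Path $OutputFile) { (Get-Item $OutputFile).Length } else { 0 }
"Collector still running; $OutputFile is $size bytes. Re-check later with: dir $OutputFile"
# Reminder: getfile can only retrieve files of 3GB or less.
```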
17.3.5. Troubleshooting
Here are some quick references for the Live Response Defender commands (https://learn.microsoft.com/en-us/defender-endpoint/live-response-command-examples) that could be useful:
If you are writing to a file or uploading to S3, you can check if the Collector is running or done by checking the output. It will stop growing when it is done.
dir c:\windows\temp\file.json.gz
You can check if the process is still running by noting the process ID shown when it launches and then using the ‘processes’ command.
processes -pid <PID>