Deep Dive: Forensics via MDATP Live Response

Image by Stux from Pixabay

After you have found a threat on a certain PC, you usually need to dig deeper. The MDATP timeline gives you valuable information about what happened before, during and after an attack. In addition, you can request an investigation package from the machine, which gives you even more information, such as SMB sessions, the Security event log, Prefetch files etc.

However, in the end each summary is just a summary, and by its nature it does not contain everything you might need to solve THAT case.

With ‘Live Response’, MDATP gives you instantaneous access to the client through a console.

Live Response just got backported to Windows 10 1709 and later!

My MVP friend Alex Verboon gives you a great overview of how to get started with MDATP Live Response.

Digging Deeper: Copying Locked Files

A real-world example for Live Response would be to get the ‘Browser Cache’ from a PC. Why would you need this? Well, first of all, MDATP does not give you the deep link of a URL a client connected to if it is an HTTPS site. It will just tell you that user X went to “https://bla.bla.com”, not that she actually went to “https://bla.bla.com/whatever/bad.js”.

In the case of Internet Explorer, this cache resides in:

"C:\Users\username\AppData\Local\Microsoft\Windows\WebCache"

The most important file here is the “WebCacheV01.dat” database. The problem is that this database is locked by a running process, and you cannot easily kill that process:

So, what’s next? Well, we could copy the file from a shadow copy with this tool:

https://github.com/candera/shadowspawn

ShadowSpawn does exactly that: it creates a shadow copy, mounts it as a drive letter, and runs the command you pass to it against that drive. By specifying robocopy as the command, you can copy the files to whatever place you like on the target machine:

ShadowSpawn.exe MyFiles Q: robocopy Q:\ "c:\MdatpForensics\MyFiles" /s
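If you cannot or do not want to upload ShadowSpawn to the client, the same result can be achieved with built-in tooling. The following script is an added example (it is neither the post's script nor ShadowSpawn's code): it creates a shadow copy of C: through WMI, copies the whole WebCache folder out of the snapshot with robocopy, hashes the copies and removes the snapshot again. The user name parameter and the C:\MdatpForensics\WebCache output folder are assumptions; run it elevated in a Windows PowerShell 5.1 session.

```powershell
# Added example: copy the locked IE WebCache folder out of a Volume Shadow Copy
# without ShadowSpawn, using Win32_ShadowCopy (WMI) and robocopy. Run elevated.
param(
    [Parameter(Mandatory = $true)] [string] $UserName,          # profile whose cache is needed
    [string] $Destination = 'C:\MdatpForensics\WebCache'          # assumed collection folder
)
$ErrorActionPreference = 'Stop'

# Path relative to the volume root, so it can be re-based onto the snapshot device.
$relative = "Users\$UserName\AppData\Local\Microsoft\Windows\WebCache"
if (-not (Test-Path -LiteralPath "C:\$relative")) {
    throw "No WebCache folder found for user '$UserName'"
}
New-Item -ItemType Directory -Force -Path $Destination | Out-Null

# 1. Create the snapshot. 'ClientAccessible' is the context used by "Previous Versions".
$result = (Get-WmiObject -List -Class Win32_ShadowCopy).Create('C:\', 'ClientAccessible')
if ($result.ReturnValue -ne 0) {
    throw "Shadow copy creation failed, return value $($result.ReturnValue)"
}
$shadow = Get-WmiObject -Class Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }
if (-not $shadow) { throw "Shadow copy $($result.ShadowID) not found after creation" }

try {
    # 2. The snapshot is exposed as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN.
    #    robocopy reads from that path directly, and nothing inside the snapshot is locked.
    #    /E copies the .log/.chk/.jrs files too; an ESE database that was not cleanly
    #    shut down needs them to be opened consistently later.
    $source = "$($shadow.DeviceObject)\$relative"
    & robocopy.exe $source $Destination /E /R:1 /W:1 /NP /NFL /NDL | Out-Null
    # robocopy exit codes below 8 mean "no failures" (0 = nothing new, 1 = files copied).
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}
finally {
    # 3. Always delete the snapshot so the investigation leaves no extra state behind.
    $shadow.Delete() | Out-Null
}

# 4. Hash the evidence copies immediately and keep the manifest next to them.
$manifest = Join-Path $Destination 'SHA256SUMS.txt'
Get-ChildItem -LiteralPath $Destination -File -Recurse |
    Where-Object { $_.FullName -ne $manifest } |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "$($_.Hash)  $($_.Path)" } |
    Out-File -Encoding ascii -FilePath $manifest
Get-Content -LiteralPath $manifest
```

The manifest is what you later compare against the hashes of the files you download through Live Response, so that a transfer problem or a modified copy is noticed right away.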

Digging Deeper: Recovering Deleted Files

In case you face an advanced attack, it is not unlikely that the adversary tries to erase all traces of what he did, including deleting all files he dropped on the target machine (if any).

A cool PowerShell module to recover deleted files (and a lot more) is ‘PowerForensics’. Paula gives you an introduction to how to use it in this video.

To use the module, you simply install it from the PowerShell Gallery by:

Install-Module PowerForensics

Sounds great, no? Well, here is what Live Response says when you try it:

This is a strange error, because when you upload an arbitrary .exe to the client, you are able to execute it from PowerShell.

Having that in mind, I created two PowerShell scripts: one that loads the PowerForensics module, which I put on the target machine, and another PowerShell script that simply calls the first one.

With that I was able to work with PowerForensics.

For this, you need to know that when you upload any file to the target machine (with ‘put filename’; the file has to be uploaded to the library first), it will be available in:

C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads

So, my second PowerShell script just does this:

&PowerShell.exe -file "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\get-MdatpForensics.ps1"
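A slightly more defensive version of that second script, as an added example (not the author's own launcher): it verifies that the worker script actually arrived in the Downloads folder, records the hash of what is about to run on the endpoint, starts the worker in a fresh non-interactive PowerShell with its output redirected to files, and hands the worker's exit code back to Live Response. The worker file name and the C:\MdatpForensics log folder are assumptions.

```powershell
# Added example: launcher that calls the uploaded forensics script from the
# Live Response Downloads folder and propagates its exit code.
$downloads = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads'
$worker    = Join-Path $downloads 'get-MdatpForensics.ps1'   # assumed worker file name
$logDir    = 'C:\MdatpForensics'                             # assumed log/output folder
New-Item -ItemType Directory -Force -Path $logDir | Out-Null
$launcherLog = Join-Path $logDir 'launcher.log'

# The 'put' must have happened first; fail loudly instead of silently running nothing.
if (-not (Test-Path -LiteralPath $worker)) {
    Write-Error "Worker script not found: $worker (did you 'put' it first?)"
    exit 2
}

# Record exactly what is executed on the endpoint; the hash goes into the case notes.
$hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $worker).Hash
"$(Get-Date -Format o) launching $worker sha256=$hash" | Add-Content -Path $launcherLog

# Run the worker in a new, non-interactive Windows PowerShell process so that a
# prompt or a profile script can never hang the Live Response session.
$psExe  = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$psArgs = @('-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Bypass',
            '-File', "`"$worker`"")
$proc = Start-Process -FilePath $psExe -ArgumentList $psArgs -Wait -PassThru -NoNewWindow `
            -RedirectStandardOutput (Join-Path $logDir 'worker.stdout.log') `
            -RedirectStandardError  (Join-Path $logDir 'worker.stderr.log')

"$(Get-Date -Format o) worker exited with code $($proc.ExitCode)" | Add-Content -Path $launcherLog
exit $proc.ExitCode
```

Because the exit code is propagated, a failed collection is visible in the Live Response console instead of being discovered only when the downloaded archive turns out to be empty.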

Conclusion

From my perspective, these are two very interesting use cases for forensic tasks. There are more, such as creating a backup of the whole registry and exporting the ‘hosts’ file.

I put all of this together into this script: get-MdatpForensics.ps1

It gathers all of the information I mentioned in this post and zips it at the end, so that you can easily download it from the target machine.
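As an added example of such a collection script (it is not the author's get-MdatpForensics.ps1), the following worker gathers the hosts file, exports the SOFTWARE and SYSTEM registry hives, lists deleted MFT records via PowerForensics, writes a hash manifest and zips everything into one archive ready for download. The output folder, the archive name and the property name Deleted on PowerForensics' file record objects are assumptions; Get-ForensicFileRecord is the module's own cmdlet.

```powershell
# Added example: forensic collection worker that zips its results for download.
$ErrorActionPreference = 'Continue'   # keep collecting even if one step fails
$out    = 'C:\MdatpForensics\collect'          # assumed output folder
$zip    = 'C:\MdatpForensics\collect.zip'      # assumed archive name
$failed = 0
New-Item -ItemType Directory -Force -Path $out | Out-Null

# 1. hosts file: a cheap place to redirect name resolution, so always take a verbatim copy.
try {
    Copy-Item -LiteralPath "$env:SystemRoot\System32\drivers\etc\hosts" `
              -Destination (Join-Path $out 'hosts') -ErrorAction Stop
} catch { Write-Warning "hosts copy failed: $_"; $failed++ }

# 2. Registry: reg.exe export writes the hive as a .reg text file.
#    SOFTWARE and SYSTEM cover services, Run keys and most persistence locations.
foreach ($hive in 'HKLM\SOFTWARE', 'HKLM\SYSTEM') {
    $file = Join-Path $out (($hive -replace '\\', '_') + '.reg')
    & reg.exe export $hive $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg export $hive failed ($LASTEXITCODE)"; $failed++ }
}

# 3. Deleted files: walk the MFT with PowerForensics and keep the records flagged as deleted.
#    The module must already be present on the client (Install-Module is not available here).
try {
    Import-Module PowerForensics -ErrorAction Stop
    Get-ForensicFileRecord -VolumeName 'C:' |
        Where-Object { $_.Deleted } |                      # assumed property name
        Export-Csv -NoTypeInformation -Path (Join-Path $out 'mft_deleted.csv')
} catch { Write-Warning "PowerForensics step failed: $_"; $failed++ }

# 4. Hash manifest, then one archive so a single 'getfile' retrieves everything.
$manifest = Join-Path $out 'manifest.csv'
Get-ChildItem -LiteralPath $out -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -NoTypeInformation -Path $manifest
Compress-Archive -Path (Join-Path $out '*') -DestinationPath $zip -Force

"collected to $zip, $failed step(s) failed"
exit $failed
```

The archive is then fetched from the Live Response console with getfile, and the hashes in manifest.csv are compared against the downloaded files before analysis starts.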

Have fun!
