Deep Dive: Forensics via MDATP Live Response
After you found a threat on a certain PC, you usually need to dig deeper. The MDATP timeline gives you valuable information about what happened before, during and after an attack. In addition, you can request an investigation package from the machine which gives you even more information like SMB Sessions, Security Event log, Prefetch files etc.
However, at the end – each summary is just a summary and by its nature, it does not contain everything you might need to solve THAT case.
With ‘Live Response’, MDATP gives you instantaneous access to the client through a console.
Live Response just got backported to Windows 10 1709 and later!
My MVP friend Alex Verboon, gives you a great overview on how to get started with MDATP Live Response.
Digging Deeper: Copying Locked Files
A real-world example for Live Response would be to get the ‘Browser Cache’ from a PC. Why would you need this? Well, first MDATP does not give you deep links of URLs, a client connected to, IF this is a https site. It will just tell you, the user X went to “https://bla.bla.com” and not that she actually went to “https://bla.bla.com/whatever/bad.js”.
In case of Internet Explorer, this cache is resided in:
The most important file here is the “WebCacheV01.dat” database. The problem here is that this database is locked, and you cannot easily kill this process:
So, what’s next? Well, we could do a shadow copy of this file with that tool:
ShadowSpawn is doing exactly that and by specifying robocopy as a parameter of ShadowSpawn, you can just copy it to the place you like on the target machine:
ShadowSpawn.exe MyFiles Q: robocopy Q:\ “c:\MdatpForensics\MyFiles” /s
Digging Deeper: Recovering Deleted Files
In case you face an advanced attack, it is not unlikely, the adversary tries to erase all traces of what he did – including: deleting all files he dropped to the target machine (if any).
To use the module, you simply install it from the PowerShell Gallery by:
Sounds great, no? Well, here is what Live Response says:
This is a strange error, because, when you upload an arbitrary .exe to the client, you will be able to execute it from a PowerShell.
Having that in mind, I tried to create two PowerShell scripts, one that loads the PowerForensics module – I put that one on the target machine. And another PowerShell script, that simply calls the first PowerShell.
With that I was able to work with PowerForensics.
For this, you need to know that when you upload any file to the target machine (by: ‘put filename’ – file has to exist in the library before), it will be available in:
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads
So, my second PowerShell script just does this:
&PowerShell.exe -file “C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\get-MdatpForensics.ps1”
From my perspective, these are two very interesting use cases for forensic tasks. There are more, like creating a backup of the whole registry and exporting the ‘hosts’ file.
I put all of this together into this script: get-MdatpForensics.ps1
It gathers all of the information I mentioned in this post and zips it at the end, so that you can easily download it from the target machine.