Take response actions on a device

Applies to:


Quickly respond to detected attacks by isolating devices or collecting an investigation package. After taking an action on a device, you can check the activity details in the Action center.

Response actions run along the top of a specific device page and include:

  • Manage tags
  • Initiate Automated Investigation
  • Initiate Live Response Session
  • Collect investigation package
  • Run antivirus scan
  • Restrict app execution
  • Isolate device
  • Consult a threat expert
  • Action center

Image of response actions

You can find device pages from any of the following views:

  • Security operations dashboard - Select a device name from the Devices at risk card.
  • Alerts queue - Select the device name beside the device icon in the alerts queue.
  • Devices list - Select the device name heading in the devices list.
  • Search box - Select Device from the drop-down menu and enter the device name.

Important

  • These response actions are only available for devices on Windows 10, version 1703 or later.
  • For non-Windows platforms, response capabilities (such as Device isolation) depend on third-party capabilities.

Manage tags

Add or manage tags to create a logical group affiliation. Device tags support proper mapping of the network, letting you attach different tags to capture context and to enable dynamic list creation as part of an incident.

For more information on device tagging, see Create and manage device tags.

Initiate Automated Investigation

You can start a new general-purpose automated investigation on the device if needed. While an investigation is running, any other alert generated from the device is added to the ongoing automated investigation until that investigation completes. In addition, if the same threat is seen on other devices, those devices are added to the investigation.

For more information on automated investigations, see Overview of Automated investigations.

Initiate Live Response Session

Live response is a capability that gives you instantaneous access to a device through a remote shell connection. This lets you do in-depth investigative work and take immediate response actions to contain identified threats in real time.

Live response is designed to enhance investigations by letting you collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

For more information on live response, see Investigate entities on devices using live response.

Collect investigation package from devices

As part of the investigation or response process, you can collect an investigation package from a device. The package captures the current state of the device and helps you understand the tools and techniques used by the attacker.

To download the package (Zip file) and investigate the events that occurred on a device:

  1. Select Collect investigation package from the row of response actions at the top of the device page.
  2. In the text box, specify why you want to perform this action. Select Confirm.
  3. The zip file downloads.

Alternate way:

  1. Select Action center from the response actions section of the device page.

    Image of the Action center button

  2. In the Action center fly-out, select Package collection package available to download the zip file.

    Image of the download package button

The package contains the following folders:

Autoruns
    Contains a set of files, each representing the registry content of a known auto start entry point (ASEP), to help identify whether the attacker has established persistence on the device.
    NOTE: If the registry key is not found, the file contains the message "ERROR: The system was unable to find the specified registry key or value."

Installed programs
    A .CSV file listing the installed programs, which helps identify what is currently installed on the device. For more information, see the Win32_Product class.

Network connections
    A set of data points related to connectivity, which can help identify connections to suspicious URLs, the attacker's command and control (C&C) infrastructure, lateral movement, or remote connections.
    - ActiveNetConnections.txt: protocol statistics and current TCP/IP network connections, so you can look for suspicious connectivity made by a process.
    - Arp.txt: the current address resolution protocol (ARP) cache tables for all interfaces. The ARP cache can reveal additional hosts on the network that have been compromised, or suspicious systems that might have been used to run an internal attack.
    - DnsCache.txt: the contents of the DNS client resolver cache, including entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help identify suspicious connections.
    - IpConfig.txt: the full TCP/IP configuration for all adapters. Adapters can be physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
    - FirewallExecutionLog.txt and pfirewall.log

Prefetch files
    Windows Prefetch files are designed to speed up application startup. They can be used to track the files recently used on the system and to find traces of applications that might have been deleted but still appear in the prefetch file list.
    - Prefetch folder: a copy of the prefetch files from %SystemRoot%\Prefetch. NOTE: A prefetch file viewer is recommended for reading these files.
    - PrefetchFilesList.txt: the list of all copied files, which can be used to check whether any copies from the prefetch folder failed.

Processes
    A .CSV file listing the running processes, which lets you identify the processes currently running on the device. This is useful when identifying a suspicious process and its state.

Scheduled tasks
    A .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on the device and to look for suspicious code set to run automatically.

Security event log
    The security event log, which contains records of logon and logoff activity and other security-related events specified by the system's audit policy.
    NOTE: Open the event log file with Event Viewer.

Services
    A .CSV file that lists services and their states.

Windows Server Message Block (SMB) sessions
    Lists shared access to files, printers, and serial ports, and miscellaneous communications between nodes on the network. This can help identify data exfiltration or lateral movement. Contains files for SMBInboundSessions and SMBOutboundSession.
    NOTE: If there are no sessions (inbound or outbound), you get a text file stating that no SMB sessions were found.

System Information
    A SystemInformation.txt file that lists system information such as OS version and network cards.

Temp Directories
    A set of text files, one per user on the system, listing the files located in that user's %Temp%. This can help track suspicious files that the attacker may have dropped on the system.
    NOTE: If a file contains the message "The system cannot find the path specified", that user has no temp directory, probably because the user never logged on to the system.

Users and Groups
    A list of files, each representing a group and its members.

WdSupportLogs
    Provides MpCmdRunLog.txt and MPSupportFiles.cab.
    NOTE: This folder is only created on Windows 10, version 1709 or later with the February 2020 update rollup or later installed:
    - Win10 1709 (RS3) build 16299.1717: KB4537816
    - Win10 1803 (RS4) build 17134.1345: KB4537795
    - Win10 1809 (RS5) build 17763.1075: KB4537818
    - Win10 1903/1909 (19h1/19h2) builds 18362.693 and 18363.693: KB4535996

CollectionSummaryReport.xls
    A summary of the investigation package collection: the list of data points, the command used to extract each one, the execution status, and the error code in case of failure. Use this report to check that the package includes all the expected data and to identify any errors.
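The folder descriptions above are enough to script a first triage pass over an unzipped package. The script below is an added example, not code from Microsoft or from the original page. It assumes the folder names "Autoruns", "Network connections" and "Temp Directories" match the table, that ActiveNetConnections.txt is in netstat -ano layout, and that the "internal" address ranges it lists are the ones an analyst would treat as trusted; the sample package it writes is constructed, fictitious data. Check a real package against CollectionSummaryReport.xls before relying on these paths.

```python
"""Offline triage of an unzipped Defender for Endpoint investigation package.

Added example; not part of the product or the original page. Folder names,
the netstat -ano layout of ActiveNetConnections.txt and INTERNAL_NETS are
assumptions; the SAMPLE package is constructed data.
"""
import ipaddress
import os
import tempfile

# Assumption: these ranges are "internal"; an ESTABLISHED TCP session to any
# other address is surfaced for the analyst (possible C&C or exfiltration).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Placeholder messages the page documents for data that was not collected.
AUTORUNS_MISSING = "ERROR: The system was unable to find the specified registry key or value."
TEMP_MISSING = "The system cannot find the path specified"


def split_endpoint(endpoint):
    """'10.0.0.5:49810' -> ('10.0.0.5', '49810'); also handles '[::1]:135'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_internal(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # '*' or a hostname: nothing to classify
        return True
    return any(addr in net for net in INTERNAL_NETS)


def parse_netstat(text):
    """Parse netstat -ano style rows into dicts; UDP rows carry no state."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                # header, blank or banner line
        conns.append({"proto": parts[0], "local": parts[1], "remote": parts[2],
                      "state": parts[3] if parts[0] == "TCP" else "",
                      "pid": parts[-1]})
    return conns


def external_established(conns):
    """(pid, host, port) for ESTABLISHED TCP sessions leaving INTERNAL_NETS."""
    hits = []
    for c in conns:
        if c["proto"] == "TCP" and c["state"] == "ESTABLISHED":
            host, port = split_endpoint(c["remote"])
            if not is_internal(host):
                hits.append((c["pid"], host, int(port)))
    return hits


def read_folder(folder):
    """Yield (file_name, contents) for every file in a package folder, sorted."""
    for name in sorted(os.listdir(folder)):
        with open(os.path.join(folder, name), encoding="utf-8") as fh:
            yield name, fh.read()


def summarize_autoruns(folder):
    """Split ASEP dumps into files with content and files whose key was absent."""
    present, missing = [], []
    for name, body in read_folder(folder):
        (missing if AUTORUNS_MISSING in body else present).append(name)
    return present, missing


def summarize_temp(folder):
    """Per user: number of %Temp% entries, or None if the user has no temp dir."""
    out = {}
    for name, body in read_folder(folder):
        user = os.path.splitext(name)[0]
        out[user] = None if TEMP_MISSING in body else len(
            [l for l in body.splitlines() if l.strip()])
    return out


def triage(root):
    with open(os.path.join(root, "Network connections",
                           "ActiveNetConnections.txt"), encoding="utf-8") as fh:
        conns = parse_netstat(fh.read())
    present, missing = summarize_autoruns(os.path.join(root, "Autoruns"))
    return {"external_established": external_established(conns),
            "autoruns_present": present, "autoruns_missing": missing,
            "temp": summarize_temp(os.path.join(root, "Temp Directories"))}


# Constructed sample package (fictitious data) so the script runs offline.
SAMPLE = {
    ("Autoruns", "HKLM_Run.txt"):
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
        "    Updater    REG_SZ    C:\\Users\\Public\\updater.exe\n",
    ("Autoruns", "HKLM_RunOnce.txt"): AUTORUNS_MISSING + "\n",
    ("Network connections", "ActiveNetConnections.txt"):
        "Active Connections\n\n"
        "  Proto  Local Address      Foreign Address    State        PID\n"
        "  TCP    10.0.0.5:49810     203.0.113.7:4444   ESTABLISHED  4120\n"
        "  TCP    10.0.0.5:49811     10.0.0.10:445      ESTABLISHED  4\n"
        "  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    900\n"
        "  UDP    0.0.0.0:5353       *:*                             1200\n",
    ("Temp Directories", "alice.txt"):
        "C:\\Users\\alice\\AppData\\Local\\Temp\\drop.tmp\n"
        "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.ps1\n",
    ("Temp Directories", "bob.txt"): TEMP_MISSING + ".\n",
}


def demo():
    """Write SAMPLE to a temp dir and triage it; returns the summary dict."""
    root = tempfile.mkdtemp()
    for (folder, name), body in SAMPLE.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The PID returned for each flagged session is the pivot into the Processes .CSV in the same package; a missing-key marker in Autoruns is expected for keys that simply do not exist, so only an empty present list is worth a second look.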

Run Microsoft Defender Antivirus scan on devices

As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device.

Important

  • This action is available for devices on Windows 10, version 1709 or later.
  • A Microsoft Defender Antivirus (Microsoft Defender AV) scan can run alongside other antivirus solutions, whether or not Microsoft Defender AV is the active antivirus solution. Microsoft Defender AV can be in Passive mode. For more information, see Microsoft Defender Antivirus compatibility.

Once you have selected Run antivirus scan, select the scan type you want to run (quick or full) and add a comment before confirming the scan.

Image of the notification for selecting a quick or full scan and adding a comment

The Action center shows the scan information, and the device timeline includes a new event reflecting that a scan action was submitted on the device. Microsoft Defender AV alerts reflect any detections that surfaced during the scan.

Note

When a scan is triggered through a Defender for Endpoint response action, the Microsoft Defender Antivirus ScanAvgCPULoadFactor value still applies and limits the CPU impact of the scan.
If ScanAvgCPULoadFactor is not configured, the default is a limit of 50% maximum CPU load during a scan.
For more information, see Configure advanced scan types for Microsoft Defender Antivirus.

Restrict app execution

In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts by potentially malicious programs to run.

Important

  • This action is available for devices on Windows 10, version 1709 or later.
  • This feature is available if your organization uses Microsoft Defender Antivirus.
  • This action needs to meet the Windows Defender Application Control code integrity policy format and signing requirements. For more information, see Code integrity policy formats and signing.

To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft-issued certificate. This method of restriction can help prevent an attacker from controlling compromised devices and performing further malicious activities. Because the policy keys on the signer rather than on specific binaries, files that carry a Microsoft signature, including the operating system's own tools, continue to run; treat the action as containment rather than a complete block on attacker activity.

Note

You can reverse the restriction on applications at any time. The button on the device page changes to Remove app restrictions, and you then take the same steps as for restricting app execution.

Once you have selected Restrict app execution on the device page, type a comment and select Confirm. The Action center shows the action details, and the device timeline includes a new event.

Image of the app restriction notification

Notification on device user:
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running:

Image of app restriction

Isolate devices from the network

Depending on the severity of the attack and the sensitivity of the device, you might want to isolate the device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement.

Important

  • Full isolation is available for devices on Windows 10, version 1703 or later.
  • Selective isolation is available for devices on Windows 10, version 1709 or later.

This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device.

On Windows 10, version 1709 or later, you have additional control over the network isolation level. You can also choose to keep Outlook, Microsoft Teams, and Skype for Business connectivity enabled (known as Selective Isolation).

Note

You can reconnect the device to the network at any time. The button on the device page changes to Release from isolation, and you then take the same steps as for isolating the device.

Once you have selected Isolate device on the device page, type a comment and select Confirm. The Action center shows the action details, and the device timeline includes a new event.

Image of isolating a device

Note

The device remains connected to the Defender for Endpoint service even while it is isolated from the network. If you chose to keep Outlook, Microsoft Teams, and Skype for Business communication enabled, you can communicate with the user while the device is isolated.

Notification on device user:
When a device is being isolated, the following notification is displayed to inform the user that the device is being isolated from the network:

Image of no network connection

Consult a threat expert

You can consult a Microsoft threat expert for more insight into a potentially compromised device or one that is already compromised. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for a timely and accurate response. Experts provide insight not only into a potentially compromised device, but also help you understand complex threats, the targeted attack notifications you receive, and the alerts or threat intelligence context shown on your portal dashboard when you need more information about them.

See Consult a Microsoft Threat Expert for details.

Check activity details in Action center

The Action center provides information on actions that were taken on a device or file. You can view the following details:

  • Investigation package collection
  • Antivirus scan
  • App restriction
  • Device isolation

All other related details are also shown, for example the submission date and time, the submitting user, and whether the action succeeded or failed.

Image of the Action center with action information