Investigate entities on devices using live response

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats, in real time.

Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

With live response, analysts can do all of the following tasks:

  • Run basic and advanced commands to do investigative work on a device.
  • Download files such as malware samples and the output of PowerShell scripts.
  • Download files in the background (new!).
  • Upload a PowerShell script or executable to the library and run it on a device at the tenant level.
  • Take or undo remediation actions.

Before you begin

Before you can initiate a session on a device, make sure you fulfill the following requirements:

  • Verify that you're running a supported version of Windows.
    Devices must be running one of the following versions of Windows

  • Enable live response from the advanced settings page.
    You'll need to enable the live response capability in the Advanced features settings page.

    Note

    Only users with the Manage security or Global admin role can edit these settings.

  • Enable live response for servers from the advanced settings page (recommended).

    Note

    Only users with the Manage security or Global admin role can edit these settings.

  • Ensure that the device has an automation remediation level assigned to it.
    You'll need to enable at least the minimum remediation level for a given device group. Otherwise you won't be able to establish a live response session to a member of that group.

    You'll receive the following error:

    (Error message image)

  • Enable live response unsigned script execution (optional).

    Warning

    Allowing the use of unsigned scripts may increase your exposure to threats.

    Running unsigned scripts is not recommended because it can increase your exposure to threats. If you must use them, however, you'll need to enable the setting in the Advanced features settings page.

  • Ensure that you have the appropriate permissions.
    Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see Create and manage roles.

    Important

    The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions.

    Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles.

Live response dashboard overview

When you initiate a live response session on a device, a dashboard opens. The dashboard provides information about the session, such as:

  • Who created the session
  • When the session started
  • The duration of the session

The dashboard also gives you access to:

  • Disconnect session
  • Upload files to the library
  • Command console
  • Command log

Initiate a live response session on a device

  1. Sign in to Microsoft Defender Security Center.

  2. Navigate to the devices list page and select a device to investigate. The device page opens.

  3. Launch the live response session by selecting Initiate live response session. A command console is displayed. Wait while the session connects to the device.

  4. Use the built-in commands to do investigative work. For more information, see Live response commands.

  5. After completing your investigation, select Disconnect session, then select Confirm.

Live response commands

Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see Create and manage roles.

Note

Live response is a cloud-based interactive shell; as such, the response time of a given command may vary with network quality and system load between the end user and the target device.

Basic commands

The following commands are available for user roles that are granted the ability to run basic live response commands. For more information on role assignments, see Create and manage roles.

Command              Description
cd                   Changes the current directory.
cls                  Clears the console screen.
connect              Initiates a live response session to the device.
connections          Shows all the active connections.
dir                  Shows a list of files and subdirectories in a directory.
drivers              Shows all drivers installed on the device.
fg <command ID>      Places the specified job in the foreground, making it the current job.
                     NOTE: fg takes a "command ID" as shown by jobs, not a PID.
fileinfo             Gets information about a file.
findfile             Locates files by a given name on the device.
getfile <file_path>  Downloads a file.
help                 Provides help information for live response commands.
jobs                 Shows currently running jobs, their ID and status.
persistence          Shows all known persistence methods on the device.
processes            Shows all processes running on the device.
registry             Shows registry values.
scheduledtasks       Shows all scheduled tasks on the device.
services             Shows all services on the device.
trace                Sets the terminal's logging mode to debug.

Advanced commands

The following commands are available for user roles that are granted the ability to run advanced live response commands. For more information on role assignments, see Create and manage roles.

Command     Description
analyze     Analyzes the entity with various incrimination engines to reach a verdict.
run         Runs a PowerShell script from the library on the device.
library     Lists files that were uploaded to the live response library.
putfile     Puts a file from the library onto the device. Files are saved in a working folder and, by default, are deleted when the device restarts.
remediate   Remediates an entity on the device. The remediation action varies depending on the entity type:
            - File: delete
            - Process: stop, delete image file
            - Service: stop, delete image file
            - Registry entry: delete
            - Scheduled task: remove
            - Startup folder item: delete file
            NOTE: This command has a prerequisite command. You can use the -auto flag in conjunction with remediate to automatically run the prerequisite command.
undo        Restores an entity that was remediated.

Use live response commands

The commands that you can use in the console follow similar principles to Windows commands.

The advanced commands offer a more robust set of actions, such as downloading and uploading files, running scripts on the device, and taking remediation actions on an entity.

Get a file from the device

For scenarios when you'd like to get a file from a device you're investigating, you can use the getfile command. This allows you to save the file from the device for further investigation.

Note

The following file size limits apply:

  • getfile limit: 3 GB
  • fileinfo limit: 10 GB
  • library limit: 250 MB

Download a file in the background

To enable your security operations team to continue investigating an impacted device, files can now be downloaded in the background.

  • To download a file in the background, in the live response command console, type getfile <file_path> &.
  • If you are waiting for a file to be downloaded, you can move it to the background by using Ctrl + Z.
  • To bring a file download to the foreground, in the live response command console, type fg <command_id>.

Here are some examples:

Command                               What it does
getfile "C:\windows\some_file.exe" &  Starts downloading a file named some_file.exe in the background.
fg 1234                               Brings the download with command ID 1234 to the foreground.

Put a file in the library

Live response has a library where you can put files. The library stores files (such as scripts) that can be run in a live response session at the tenant level.

Live response allows PowerShell scripts to run; however, you must first put the files into the library before you can run them.

You can maintain a collection of PowerShell scripts that can run on devices you initiate live response sessions with.

To upload a file to the library

  1. Click Upload file to library.

  2. Click Browse and select the file.

  3. Provide a brief description.

  4. Specify whether you'd like to overwrite a file with the same name.

  5. If you'd like to document the parameters the script needs, select the Script parameters check box. In the text field, enter an example and a description.

  6. Click Confirm.

  7. (Optional) To verify that the file was uploaded to the library, run the library command.
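The following is an added example of the kind of script you would upload with this procedure; it is not from the original page or from Microsoft. It collects the same classes of persistence artifacts that the persistence, scheduledtasks and services commands show (autostart registry values, scheduled task actions whose binary was written recently, and services whose image lives outside the Windows directory), writes them as a JSON report you can retrieve with getfile, and prints a summary so the counts land in the command log. The script name Get-PersistenceSnapshot.ps1, the parameter names -DaysBack and -OutputPath and the default report path are assumptions for illustration; they are what you would describe in the Script parameters field in step 5.

```powershell
<#
  Get-PersistenceSnapshot.ps1
  Added example script for the live response library; not from the original page or Microsoft.
  Assumed parameters (document them in the Script parameters field on upload):
    -DaysBack    only report task/service binaries modified within this many days
    -OutputPath  where the JSON report is written; retrieve it afterwards with getfile
#>
[CmdletBinding()]
param(
    [int]$DaysBack = 7,
    [string]$OutputPath = "$env:ProgramData\lr-persistence.json"
)

$cutoff   = (Get-Date).AddDays(-$DaysBack)
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Type, [string]$Location, [string]$Name, [string]$Command) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Name = $Name; Command = $Command })
}

# 1. Autostart registry values in HKLM and in every currently loaded user hive.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($hive in Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
    $runKeys += "Registry::$($hive.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath members
        Add-Finding -Type 'RegistryRun' -Location $key -Name $p.Name -Command ([string]$p.Value)
    }
}

# 2. Scheduled tasks whose action binary was written within the lookback window.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if ([string]::IsNullOrWhiteSpace($action.Execute)) { continue }   # COM-handler actions have no Execute
        $exe  = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        $item = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
        if ($item -and $item.LastWriteTime -ge $cutoff) {
            Add-Finding -Type 'ScheduledTask' -Location $task.TaskPath -Name $task.TaskName `
                        -Command "$($action.Execute) $($action.Arguments)".Trim()
        }
    }
}

# 3. Services whose image path is outside the Windows directory.
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.PathName -and $svc.PathName -notmatch '^"?[A-Za-z]:\\Windows\\') {
        Add-Finding -Type 'Service' -Location $svc.StartMode -Name $svc.Name -Command $svc.PathName
    }
}

# Write the report for getfile (an empty array still produces "[]") and print a summary
# so the counts are recorded in the live response command log.
ConvertTo-Json -InputObject @($findings) -Depth 3 | Set-Content -LiteralPath $OutputPath -Encoding UTF8
$findings | Group-Object Type | Select-Object Name, Count | Format-Table -AutoSize
"Report written to $OutputPath ($($findings.Count) findings)"
```

After uploading, run library to confirm the file is listed, and use help run in the console to see how parameters are passed to a script on the device. Retrieve the report with getfile using the path you passed in -OutputPath; because the report is written under ProgramData rather than the session working folder, it survives a device restart.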

Cancel a command

Any time during a session, you can cancel a command by pressing CTRL + C.

Warning

Using this shortcut does not stop the command on the agent side. It only cancels the command in the portal, so state-changing operations such as remediate may continue on the device after the command is canceled.

Run a PowerShell script

Before you can run a PowerShell script, you must first upload it to the library.

After uploading the script to the library, use the run command to run the script.

If you plan to use an unsigned script in the session, you'll need to enable the setting in the Advanced features settings page.

Warning

Allowing the use of unsigned scripts may increase your exposure to threats.
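The alternative to enabling unsigned script execution is to sign the script before you upload it. The following is an added example, not from the original page or from Microsoft, that signs a library script with an Authenticode code-signing certificate and then verifies the result the way a target device would (signature status plus chain build). It assumes that a code-signing certificate whose chain the target devices trust is in Cert:\CurrentUser\My, that the file to sign is Get-PersistenceSnapshot.ps1 in the current directory, and that the timestamp server named below is reachable; all three are assumptions for illustration.

```powershell
<#
  Sign-LibraryScript.ps1
  Added example; not from the original page or Microsoft. Signs a script with an Authenticode
  code-signing certificate and verifies the signature, so the script can be uploaded to the
  library without turning on unsigned script execution.
  Assumptions: a code-signing certificate whose chain the target devices trust is in
  Cert:\CurrentUser\My, and the timestamp server below is reachable from this machine.
#>
param(
    [string]$ScriptPath      = '.\Get-PersistenceSnapshot.ps1',
    [string]$Thumbprint      = '',                                  # empty: first valid code-signing cert
    [string]$TimestampServer = 'http://timestamp.digicert.com'      # assumed RFC 3161 timestamp server
)

if (-not (Test-Path -LiteralPath $ScriptPath)) { throw "Script not found: $ScriptPath" }

# Pick a certificate that is valid today and carries the Code Signing EKU (-CodeSigningCert).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { (-not $Thumbprint -or $_.Thumbprint -eq $Thumbprint) -and $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate found in Cert:\CurrentUser\My' }

# SHA-256 signature with a timestamp, so the signature stays valid after the certificate expires.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
                                 -HashAlgorithm SHA256 -TimestampServer $TimestampServer
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.Status) ($($sig.StatusMessage))" }

# Independent re-check, as the device will see it: the status must be Valid and the signer
# chain must build to a root this machine trusts.
$check   = Get-AuthenticodeSignature -FilePath $ScriptPath
$chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chainOk = $chain.Build($check.SignerCertificate)

[pscustomobject]@{
    File         = (Resolve-Path -LiteralPath $ScriptPath).Path
    Status       = $check.Status
    Signer       = $check.SignerCertificate.Subject
    Thumbprint   = $check.SignerCertificate.Thumbprint
    ChainTrusted = $chainOk
    Timestamped  = [bool]$check.TimeStamperCertificate
}
```

Run this on the analyst workstation before step 1 of the upload procedure. If ChainTrusted is false on the workstation it will also be false on the devices unless the signing CA is deployed to them, and editing the script after signing invalidates the signature, so sign last and re-upload with overwrite enabled whenever the script changes.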

Apply command parameters

  • View the console help to learn about command parameters. To learn about an individual command, run:

    help <command name>

  • When applying parameters to commands, note that parameters are handled in a fixed order:

    <command name> param1 param2

  • When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen before providing the value:

    <command name> -param2_name param2

  • When using commands that have prerequisite commands, you can use the -auto flag:

    <command name> -type file -id <file path> -auto
    or
    remediate file <file path> -auto

Supported output types

Live response supports table and JSON output types. Each command has a default output behavior. You can switch the output to your preferred format using the following parameters:

  • -output json
  • -output table

Note

Fewer fields are shown in table format due to the limited space. To see more details in the output, use the JSON output parameter.

Supported output pipes

Live response supports piping output to the CLI and to a file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.

Example:

processes > output.txt

View the command log

Select the Command log tab to see the commands used on the device during a session. Each command is tracked with full details such as:

  • ID
  • Command line
  • Duration
  • Status and an input or output side bar

Limitations

  • Live response is limited to 25 sessions at a time.
  • The live response session inactive timeout value is 30 minutes.
  • A user can initiate up to 10 concurrent sessions.
  • A device can only be in one session at a time.
  • The following file size limits apply:
    • getfile limit: 3 GB
    • fileinfo limit: 10 GB
    • library limit: 250 MB

Related article