# MDE
https://security.microsoft.com/
### Setup
#### MDE:
Settings -> Endpoints -> Advanced features: enable **Live Response**, **Live Response for Servers** (only needed for server OSes) and **Live Response unsigned script execution** (needed unless the scripts you upload are signed).
#### Entra ID (Azure AD) app registration
> Required API permissions (WindowsDefenderATP, under "APIs my organization uses"), application type:
> - Machine.LiveResponse (run live response)
> - Machine.Read.All (read machine actions and results)
> - Machine.ReadWrite.All
>
> Grant admin consent after adding them; the client-credentials token below only carries the consented roles.
### 1. Script Upload to Library
Assets -> Devices -> (select device) -> Initiate Live Response Session
In the session console: Upload file to library. The file name you upload is the `ScriptName` referenced by the API below.
### 2. Run Live Response
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/apis-intro?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/run-live-response?view=o365-worldwide
##### Get Bearer Token
```bash
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=<YourClientId>&client_secret=<YourClientSecret>&resource=https://api.securitycenter.windows.com" https://login.microsoftonline.com/<YourTenantId>/oauth2/token
```
##### Dev Bearer
Same request with the dev tenant and app values filled in. The client secret is redacted here: a live secret does not belong in notes, rotate it if it was ever pasted somewhere like this.
```bash
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=91a65ee5-c84f-42a2-801e-ad81c5ef3d07&client_secret=<redacted>&resource=https://api.securitycenter.windows.com" https://login.microsoftonline.com/b88b7a3c-9660-46a1-8c70-8b31b06ff5be/oauth2/token
```
### 3. Run Script [POST]
*Param:* `{machine_id}` (the MDE device id, returned as `machineId` in the response)
*Auth:* Bearer token
```HTTP
POST https://api-eu.securitycenter.microsoft.com/api/machines/{machine_id}/runliveresponse
```
```json
{
  "Commands": [
    {
      "type": "RunScript",
      "params": [
        { "key": "ScriptName", "value": "dom.ps1" }
      ]
    }
  ],
  "Comment": "Run domoaner script"
}
```
*Response:* a MachineAction. Its `id` is the action id (`run_id`) used in the next steps; `status` starts at `Pending` and the command list is filled in once the action runs.
```json
{
"@odata.context": "https://api-eu.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "a4b3dec9-104f-47c7-80c9-1cde07649847",
"type": "LiveResponse",
"title": null,
"requestor": "admin@herti2.onmicrosoft.com",
"requestorComment": "Run domoaner script",
"status": "Pending",
"machineId": "b68a86bbb64e1e587aadc748db802f0fc0b266fd",
"computerDnsName": "desktop-5jhpo93",
"creationDateTimeUtc": "2023-12-21T15:08:59.7057971Z",
"lastUpdateDateTimeUtc": "2023-12-21T15:08:59.7057974Z",
"cancellationRequestor": null,
"cancellationComment": null,
"cancellationDateTimeUtc": null,
"errorHResult": 0,
"scope": null,
"externalId": null,
"requestSource": "Portal",
"relatedFileInfo": null,
"commands": [],
"troubleshootInfo": null
}
```
*If the result is requested before the action has completed*, step 4 answers with HTTP 400 and the current status in the message:
```json
{
"error": {
"code": "InvalidInput",
"message": "Machine action 538c213b-deba-4d0c-8945-6e3a536980e7 is not completed. status: Pending",
"target": "|7e918f2e-4623826013b0db95."
}
}
```
### 4. Get Result [GET]
[MS docs](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/get-live-response-result?view=o365-worldwide)
*Param:* `{run_id}` (the MachineAction `id` from step 3); `index` is the position of the command in `Commands` whose result you want
*Auth:* Bearer token
```HTTP
GET https://api.securitycenter.microsoft.com/api/machineactions/{{run_id}}/GetLiveResponseResultDownloadLink(index=0)
```
*Response:* `value` is a time-limited SAS download URL for the result blob (`se=` is the expiry, `sp=r` read-only). Treat it as a bearer credential while it is valid.
```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String",
"value": "https://automatedirstrprdweu3.blob.core.windows.net/investigation-actions-data/51c9be12-f0d5-4997-975a-dfce46da4698/CustomPlaybookCommandOutput/61f2e20c70c602da9af485ca66bb99c9?se=2024-02-13T08%3A36%3A17Z&sp=r&sv=2021-08-06&sr=b&rscd=attachment%3B%20filename%3Doutput_66f89fce-183d-4cd7-9575-e539795dbd27_0.json&skoid=aab208ab-9332-40e0-a440-23bd7cf5849c&sktid=124edf19-b350-4797-aefc-3206115ffdb3&skt=2024-02-13T07%3A51%3A17Z&ske=2024-02-13T08%3A36%3A17Z&sks=b&skv=2021-08-06&sig=ElRK3zxMxjQpW56tSR%2BcZqiDtVcLuHQh6n3XKYTe4Jo%3D"
}
```
### 5. Download Result [GET]
*Param:* `{value}` (the SAS URL from step 4)
*Auth:* none. The SAS token in the query string authorises the download until `se=` expires; do not send the Bearer header to the blob endpoint.
```HTTP
GET {{value}}
```
*Response:* the script result as JSON. `script_output` is the PowerShell transcript (first line is the transcript header, output is NUL-padded at the end), `exit_code` and `script_errors` come from the script itself.
```json
{
  "script_name": "minidump.ps1",
  "exit_code": 0,
  "script_output": "Transcript started, output file is C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{TRANSCRIPT_ID}.txt\nC:\\windows\\TEMP\\OfficeClickToRun.dmp.zip\n51 MB\n\u0000\u0000\u0000",
  "script_errors": ""
}
```
### 6. Get File [POST]
*Param:* `{{machine_id}}`
*Auth:* Bearer token
Same endpoint as step 3 (it is a POST, not a GET); the fetched file is then downloaded via step 4 and 5 with the matching `index`.
```HTTP
POST https://api-eu.securitycenter.microsoft.com/api/machines/{{machine_id}}/runliveresponse
```
```json
{
  "Commands": [
    {
      "type": "GetFile",
      "params": [
        { "key": "Path", "value": "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\testOutput.txt" }
      ]
    }
  ],
  "Comment": "Testing Live Response API"
}
```
> Better way to get the status (poll this instead of hammering the result endpoint and parsing its 400):
>
>> `GET https://api-eu.securitycenter.microsoft.com/api/machineactions/{{run_id}}`
>> `"status": "Pending"` -> `"InProgress"` -> one of `"Succeeded"`, `"Failed"`, `"Cancelled"`, `"TimeOut"`
>
> Only request the download link once the status is terminal.
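Steps 2 to 6 driven from one script, as an added example. This is editor-written code, not code from these notes or from Microsoft; endpoint paths, the `Commands` shape and the MachineAction status values follow the Microsoft docs linked on this page. Assumptions: the `api-eu` regional base URL, an injectable `transport(method, url, headers, data) -> (status, body)` callable so the flow can be exercised offline with canned responses, and the class and function names (`LiveResponseClient`, `run_script_and_collect`), which are this example's own.

```python
"""Run an MDE Live Response script via the machineactions API and collect its output.

Editor-added example. Transport is injectable so the whole flow (submit, poll,
fetch download link, download blob) can be run offline with constructed responses.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Terminal MachineAction states per the MS machineaction docs.
TERMINAL = {"Succeeded", "Failed", "Cancelled", "TimeOut"}


def urllib_transport(method, url, headers=None, data=None):
    """Default HTTP transport: returns (status_code, body_bytes), never raises on 4xx/5xx."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def token_request(tenant_id, client_id, client_secret):
    """(url, form_body) for the v1 client_credentials grant used in the notes above."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": "https://api.securitycenter.windows.com",
    }).encode()
    return url, body


def run_script_body(script_name, comment, get_file=None):
    """Commands array for runliveresponse: RunScript (index 0), optional GetFile (index 1)."""
    commands = [{"type": "RunScript",
                 "params": [{"key": "ScriptName", "value": script_name}]}]
    if get_file:
        commands.append({"type": "GetFile",
                         "params": [{"key": "Path", "value": get_file}]})
    return {"Commands": commands, "Comment": comment}


def clean_script_output(raw):
    """Strip the 'Transcript started ...' header line and the trailing NUL padding."""
    text = raw.rstrip("\x00").rstrip()
    lines = [ln for ln in text.splitlines() if not ln.startswith("Transcript started")]
    return "\n".join(lines).strip()


class LiveResponseClient:
    def __init__(self, token, base_url="https://api-eu.securitycenter.microsoft.com",
                 transport=urllib_transport, sleep=time.sleep):
        self.base = base_url.rstrip("/")          # assumption: EU regional endpoint
        self.transport = transport
        self.sleep = sleep                        # injectable so tests need not wait
        self.headers = {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/json"}

    def _json(self, method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        status, raw = self.transport(method, url, self.headers, data)
        if status >= 400:  # e.g. the 400 InvalidInput "is not completed. status: Pending"
            raise RuntimeError(f"{method} {url} -> {status}: {raw[:200]!r}")
        return json.loads(raw)

    def run(self, machine_id, body):
        """POST runliveresponse; returns the MachineAction id to poll."""
        action = self._json("POST", f"{self.base}/api/machines/{machine_id}/runliveresponse", body)
        return action["id"]

    def wait(self, action_id, poll_seconds=5, max_polls=120):
        """Poll GET machineactions/{id} until the status is terminal."""
        for _ in range(max_polls):
            action = self._json("GET", f"{self.base}/api/machineactions/{action_id}")
            if action["status"] in TERMINAL:
                return action
            self.sleep(poll_seconds)
        raise TimeoutError(f"machine action {action_id} still not terminal")

    def result(self, action_id, index=0):
        """Fetch the SAS link for command `index`, download the blob and parse the JSON."""
        link = self._json("GET", f"{self.base}/api/machineactions/{action_id}"
                                 f"/GetLiveResponseResultDownloadLink(index={index})")["value"]
        # The SAS URL is self-authorising and time-limited: no Bearer header on this request.
        status, raw = self.transport("GET", link, {}, None)
        if status >= 400:
            raise RuntimeError(f"result download failed: {status}")
        return json.loads(raw)


def run_script_and_collect(client, machine_id, script_name, comment):
    """Full flow: submit RunScript, wait for a terminal state, return cleaned output."""
    action_id = client.run(machine_id, run_script_body(script_name, comment))
    action = client.wait(action_id)
    if action["status"] != "Succeeded":
        raise RuntimeError(f"action {action_id} ended with status {action['status']}")
    out = client.result(action_id, index=0)
    return {"exit_code": out["exit_code"],
            "output": clean_script_output(out["script_output"]),
            "errors": out.get("script_errors", "")}
```

Usage against a real tenant: obtain the token with `token_request(...)` through `urllib_transport`, then `run_script_and_collect(LiveResponseClient(token), machine_id, "dom.ps1", "Run domoaner script")`. Polling the MachineAction rather than the download link keeps the client from depending on the 400 error text, and keeping the blob download free of the Bearer header avoids leaking the API token to storage.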
----
## Test Examples
#### Run Script
```url
https://api-eu.securitycenter.windows.com/api/machines/b68a86bbb64e1e587aadc748db802f0fc0b266fd/runliveresponse
```
```json
{
  "Commands": [
    {
      "type": "RunScript",
      "params": [
        { "key": "ScriptName", "value": "dom.ps1" }
      ]
    }
  ],
  "Comment": "Run domoaner script"
}
```
#### Run and get File
One action can carry several commands; results are addressed by their position in `Commands` when calling `GetLiveResponseResultDownloadLink` (`index=0` for the script output, `index=1` for the fetched file):
```json
{
  "Commands": [
    {
      "type": "RunScript",
      "params": [
        { "key": "ScriptName", "value": "dom.ps1" }
      ]
    },
    {
      "type": "GetFile",
      "params": [
        { "key": "Path", "value": "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\testOutput.txt" }
      ]
    }
  ],
  "Comment": "Run domoaner script and fetch its output file"
}
```
[Live Response Commands](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response-command-examples?view=o365-worldwide)
---
### API Info
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/exposed-apis-list?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/machineaction?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/run-live-response?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response-command-examples?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response?view=o365-worldwide