Microsoft 365 Security: Kernel Level Access with Live Response
There are times when security gets in the way. One example: even the Administrator account, or the SYSTEM account, cannot open an NTFS volume artifact such as $LogFile, because the file system refuses ordinary file access to its own metadata files no matter who asks.
For more about that command, check out this post.
Microsoft Defender Live Response can access what other methods can’t
# addCmdToCommandList() and MDErequest() are the helpers from the earlier post:
# the first wraps a command line as a RunScript entry, the second calls the
# Defender for Endpoint API.
liveResponseCommands = {}
liveResponseCommands['Commands'] = []
# Raw string: the backslash is part of the path (root of the current drive), so
# it must reach fsutil untouched. In a normal Python string "\$" is an invalid
# escape sequence that only happens to keep the backslash.
command = addCmdToCommandList(r"fsutil file queryextents \$LogFile")
liveResponseCommands['Commands'].append(command)
# ALL LIVE RESPONSE REQUESTS MUST HAVE A COMMENT
liveResponseCommands['Comment'] = "Looking at the LogFile clusters"
machineID = "c6993a6c004946bf52d2d59237c18e6db4db7e5e"
cmdRequest = MDErequest("machines/%s/runliveresponse" % (machineID), liveResponseCommands)
# The action runs asynchronously: re-fetch it until 'status' leaves Pending/InProgress
cmdStatus = MDErequest("machineactions/%s" % (cmdRequest['id']))
cmdStatus
{'@odata.context': 'https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity',
'id': '440d4647-77ab-44d4-8039-1d1a566ddc51',
'type': 'LiveResponse',
'title': None,
'requestor': 'JonathanGlass@HalfFullofSecurity.onmicrosoft.com',
'requestorComment': 'Looking at the LogFile clusters',
'status': 'Succeeded',
'machineId': 'c6993a6c004946bf52d2d59237c18e6db4db7e5e',
'computerDnsName': 'desktop-l3mnbj9',
'creationDateTimeUtc': '2022-03-15T00:08:46.0251352Z',
'lastUpdateDateTimeUtc': '2022-03-15T00:09:40.247371Z',
'cancellationRequestor': None,
'cancellationComment': None,
'cancellationDateTimeUtc': None,
'errorHResult': 0,
'scope': None,
'externalId': None,
'requestSource': 'PublicApi',
'relatedFileInfo': None,
'commands': [{'index': 0,
'startTime': '2022-03-15T00:09:33.187Z',
'endTime': '2022-03-15T00:09:36.83Z',
'commandStatus': 'Completed',
'errors': [],
'command': {'type': 'RunScript',
'params': [{'key': 'ScriptName', 'value': 'cmd.ps1'},
{'key': 'Args', 'value': 'fsutil file queryextents \\$LogFile'}]}}],
'troubleshootInfo': None}
How to Print the STDOUT of a Command Run from Live Response
import json
import requests

# Each command in the action has its own result; index is its position in the
# Commands list. The API returns a download URL for a JSON blob.
liveResponseResult = MDErequest("machineactions/%s/GetLiveResponseResultDownloadLink(index=0)" % (cmdStatus['id']))
response = requests.get(liveResponseResult['value'])
response.raise_for_status()
data = response.content.decode('utf8')
# The blob's script_output field holds what the script wrote to STDOUT
print(json.loads(data)['script_output'])
Transcript started, output file is C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{03C57FC2-BA2C-4112-BC38-B9DD9EBE6A71}.txt
VCN: 0x0 Clusters: 0x1 LCN: 0x2c
VCN: 0x1 Clusters: 0x1 LCN: 0x500e29
Boom. Live Response's kernel-level access lets it read what the ordinary command line cannot, even when that command line runs as Administrator or SYSTEM.
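The whole round trip above (build the runliveresponse body, poll the machine action until it finishes, download the result and pull out script_output) as one self-contained Python module, with a parser for the fsutil extent lines at the end. This is an added example, not code from the original post or from Microsoft; it does not use the post's MDErequest/addCmdToCommandList helpers, the API call is injected as a function so the logic runs offline, and the result blob, the action ID and the statuses it walks through are constructed to mirror the output shown above. The exit_code and script_errors fields are assumed companions of script_output and are read with defaults.

```python
import json
import re
import time

# Terminal statuses of an MDE machine action; the run above ended 'Succeeded'.
TERMINAL_STATES = {"Succeeded", "Failed", "TimeOut", "Cancelled"}
# One line of `fsutil file queryextents` output: "VCN: 0x0 Clusters: 0x1 LCN: 0x2c"
EXTENT_RE = re.compile(r"^VCN:\s*(0x[0-9a-f]+)\s+Clusters:\s*(0x[0-9a-f]+)\s+LCN:\s*(0x[0-9a-f]+)$", re.I)


def run_script_command(args, script_name="cmd.ps1"):
    """One RunScript entry, in the shape the API echoed back under 'commands' above."""
    return {"type": "RunScript",
            "params": [{"key": "ScriptName", "value": script_name},
                       {"key": "Args", "value": args}]}


def build_live_response_body(arg_lines, comment):
    """Assemble the runliveresponse body; the API rejects a request with no Comment."""
    if not comment or not comment.strip():
        raise ValueError("every Live Response request needs a Comment")
    return {"Commands": [run_script_command(a) for a in arg_lines], "Comment": comment}


def wait_for_action(fetch_action, action_id, timeout_s=600.0, poll_s=5.0, sleep=time.sleep):
    """Poll machineactions/{id} until the status is terminal, or raise after timeout_s.

    fetch_action is injected (e.g. lambda i: MDErequest("machineactions/%s" % i))
    so the loop can be exercised without a tenant.
    """
    deadline = time.monotonic() + timeout_s
    while True:
        action = fetch_action(action_id)
        status = action.get("status")
        if status in TERMINAL_STATES:
            return action
        if time.monotonic() >= deadline:
            raise TimeoutError("action %s still %s after %ss" % (action_id, status, timeout_s))
        sleep(poll_s)


def read_result_blob(raw):
    """Decode the downloaded JSON into (exit_code, script_output, script_errors).

    exit_code and script_errors are assumed companions of script_output; the
    defaults keep a blob that carries only script_output parseable.
    """
    doc = json.loads(raw.decode("utf8"))
    return int(doc.get("exit_code", 0)), doc.get("script_output", ""), doc.get("script_errors", "")


def parse_queryextents(script_output):
    """Extract (vcn, clusters, lcn) triples; the transcript banner and blank lines are skipped."""
    extents = []
    for line in script_output.splitlines():
        m = EXTENT_RE.match(line.strip())
        if m:
            extents.append(tuple(int(x, 16) for x in m.groups()))
    return extents


def extents_are_contiguous(extents):
    """Sanity check: each VCN must start where the previous extent ended (VCN + Clusters)."""
    expected = 0
    for vcn, clusters, _ in extents:
        if vcn != expected or clusters <= 0:
            return False
        expected = vcn + clusters
    return True


# Constructed result blob modelled on the output printed above (not a real download).
SAMPLE_RESULT = json.dumps({
    "script_name": "cmd.ps1", "exit_code": 0, "script_errors": "",
    "script_output": ("Transcript started, output file is C:\\Temp\\constructed_transcript.txt\n"
                      "VCN: 0x0 Clusters: 0x1 LCN: 0x2c\n"
                      "VCN: 0x1 Clusters: 0x1 LCN: 0x500e29\n"),
}).encode("utf8")


def demo():
    """Offline walk-through: canned statuses stand in for the API, SAMPLE_RESULT for the download."""
    body = build_live_response_body([r"fsutil file queryextents \$LogFile"], "Looking at the LogFile clusters")
    statuses = iter(["Pending", "InProgress", "Succeeded"])
    fake_fetch = lambda action_id: {"id": action_id, "status": next(statuses), "requestorComment": body["Comment"]}
    action = wait_for_action(fake_fetch, "constructed-action-id", sleep=lambda _: None)
    exit_code, out, err = read_result_blob(SAMPLE_RESULT)
    if action["status"] != "Succeeded" or exit_code != 0 or err:
        raise RuntimeError("command failed: status=%s exit=%s errors=%r" % (action["status"], exit_code, err))
    extents = parse_queryextents(out)
    if not extents_are_contiguous(extents):
        raise RuntimeError("fsutil output is incomplete or out of order")
    return extents


if __name__ == "__main__":
    for vcn, clusters, lcn in demo():
        print("VCN %#x -> LCN %#x (%d cluster(s))" % (vcn, lcn, clusters))
```

To run it against a real tenant, replace fake_fetch with a lambda around the MDErequest helper from the earlier post and feed the bytes from requests.get(downloadLink['value']).content into read_result_blob. The polling loop is the part the notebook above skips: a machine action that is still Pending has no result link yet, so checking for a terminal status before calling GetLiveResponseResultDownloadLink avoids a confusing failure.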