Microsoft Defender XDR has evolved into a powerful, unified platform for detecting, investigating, and responding to modern cyber threats. One of the most critical capabilities it provides to security analysts is Live Response. This feature empowers defenders to establish a secure, interactive session with endpoints or servers under investigation, enabling immediate collection of forensic data and execution of remediation actions.
In this post, we’ll unpack how Live Response works, what it offers, and real-world examples of how it can be used in both endpoint and server scenarios.
What is Live Response?
Live Response is a feature in Microsoft Defender XDR that allows security analysts to remotely connect to a device and perform live forensics or containment actions. Think of it as having a secure command-line session directly into the endpoint, without requiring RDP, VPN, or other remote access tools that could themselves pose risks.
Once connected, analysts can:
- Collect detailed forensic evidence (processes, registry keys, network connections, files, etc.)
- Run built-in commands or custom PowerShell scripts
- Investigate suspicious artifacts in real time
- Contain and remediate threats (e.g., deleting malicious files, stopping processes)
All of this happens in a tightly controlled environment, governed by role-based access control (RBAC) and audit logging, so every action is recorded for compliance and accountability.
How Live Response Works
When an incident is flagged in Microsoft Defender XDR:
- The analyst navigates to the device page in the portal.
- From there, they can initiate a Live Response session.
- A command shell opens inside the portal where predefined commands or custom scripts can be executed.
Microsoft provides a standard command library (for common forensic queries) and supports script execution to allow advanced or custom investigations.
For example:
- dir → List files in a directory
- processes → List active processes
- netstat → View network connections
- getfile → Download a suspicious file for offline analysis
- remediate → Remove or quarantine malicious files
Because sessions are audited, SOC teams can track what was run, who ran it, and when.
Practical Examples of Live Response in Action
1. Investigating a Suspicious File
Suppose Defender detects a suspicious executable on a user’s device. Using Live Response, an analyst can:
- Run getfile "C:\Users\John\Downloads\suspicious.exe" to collect it.
- Hash the file (getfilehash) and check it against known malicious indicators.
- If malicious, delete or quarantine the file directly (remediate).
2. Collecting Memory and Process Evidence
If lateral movement is suspected:
- Use processes to capture all running processes.
- Run netstat to check for unusual outbound connections.
- Export artifacts for further analysis using the getfile command.
3. Running a Custom Script
An organization might have a custom PowerShell script that gathers registry persistence keys or looks for specific TTPs (Tactics, Techniques, Procedures) based on MITRE ATT&CK. That script can be uploaded and executed inside the Live Response session, without having to deploy new tools to the endpoint.
Live Response for Servers
While the base Live Response functionality is included for client endpoints (Windows 10, Windows 11), servers require an additional license. This capability is delivered through Live Response for Servers, available as an add-on to Microsoft Defender for Servers Plan 2.
Why It Matters for Servers
Servers are high-value assets, often hosting critical workloads and sensitive data. During an active attack (such as ransomware or credential theft), being able to quickly and safely investigate a server is crucial.
With Live Response for Servers, SOC teams can:
- Connect securely to Windows Server or Linux workloads
- Collect forensic data without logging in interactively (reduces operational risk)
- Run containment actions on production workloads in real time
- Execute scripts that gather workload-specific telemetry
For example:
- On a Windows Server hosting Active Directory, use Live Response to export suspicious LSASS-related memory dumps safely.
- On a Linux web server, run commands to check cron jobs, startup scripts, and unusual network sockets without SSH exposure.
Security & Governance Considerations
Microsoft designed Live Response with strict security controls:
- RBAC ensures only authorized analysts can initiate sessions.
- Audit logging tracks every command and script execution.
- Timeouts automatically close idle sessions.
- Isolation options allow analysts to disconnect a device from the network while maintaining the Live Response session.
This governance layer ensures Live Response can be used confidently in enterprise and compliance-driven environments.
Live Response in Microsoft Defender XDR is more than just remote command-line access—it’s a secure, forensic-grade investigation and response capability. For endpoints, it enables rapid containment and evidence collection without disrupting users. For servers, through the Live Response for Servers add-on, it extends those same capabilities into critical infrastructure environments.
For SOC teams, mastering Live Response means faster incident response times, deeper forensic visibility, and the ability to remediate threats in real time—all while maintaining strict auditability and control.
Step-by-Step Demo: Using Live Response in Microsoft Defender XDR
Let’s walk through a simulated investigation where an alert flags a suspicious executable on a user’s device.
Scenario
- Device: Windows 11 endpoint named FINANCE-LAP01
- Alert: Suspicious executable detected in C:\Users\Alice\Downloads\invoice2025.exe
- Analyst Goal: Verify the file, collect forensic data, and remediate if necessary.
Step 1: Start a Live Response Session
- In the Microsoft Defender XDR portal, navigate to Incidents → Device page for FINANCE-LAP01.
- Select Initiate Live Response Session.
- A shell window opens in the browser.
Step 2: Inspect the File System
dir C:\Users\Alice\Downloads
- Confirms that invoice2025.exe is present.
- Note file size and timestamp for correlation.
Step 3: Hash the File
getfilehash C:\Users\Alice\Downloads\invoice2025.exe
- Returns SHA256/MD5 hash values.
- Cross-check in VirusTotal, MISP, or TI feeds.
Step 4: Collect the File for Offline Analysis
getfile C:\Users\Alice\Downloads\invoice2025.exe
- Downloads a copy to a secure storage area for sandboxing or reverse engineering.
Step 5: Investigate Processes
processes
- Look for suspicious processes related to invoice2025.exe.
- Note any child processes (e.g., powershell.exe, cmd.exe) that might indicate post-execution behavior.
Step 6: Investigate Network Connections
netstat
- Check for unusual outbound connections, especially to unknown IPs or high ports.
- Record suspicious destinations for TI correlation.
Step 7: Remediation
If confirmed malicious:
remediate C:\Users\Alice\Downloads\invoice2025.exe
- Quarantines or deletes the file.
Optionally, kill associated processes:
kill <ProcessID>
Step 8: Run a Custom Script (Optional)
Upload and run a script that searches for persistence mechanisms (registry run keys, scheduled tasks, startup folders):
runscript persistence_check.ps1
- Results are displayed in session output and logged.
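As an added example of the kind of script Section 3 and Step 8 describe, here is a persistence_check.ps1 written for this post. It is not Microsoft's script or part of the Live Response command library; the registry keys it reads, the startup folder paths, the output location and the flagging patterns are all assumptions chosen for illustration. It enumerates the autostart locations named above (registry run keys, scheduled tasks, startup folders), tags entries that launch from user-writable paths or through scripting hosts, prints the table to the session console, and writes a CSV that can be pulled back with getfile.

```powershell
# Added example written for this post (not Microsoft's own script): a
# persistence_check.ps1 that enumerates common Windows autostart locations so
# results can be read in the session console or collected with getfile.
# Assumptions: the key list, output path and flag patterns are illustrative.

$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]

# Registry Run / RunOnce keys (ATT&CK T1547.001). HKCU resolves to the
# account the Live Response session runs under, not the interactive user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }   # skip provider metadata
        $findings.Add([pscustomobject]@{
            Source   = 'Registry'
            Location = $key
            Name     = $p.Name
            Command  = [string]$p.Value
        })
    }
}

# Scheduled tasks (T1053.005): one row per executable action, with run-as principal.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }     # skip COM-handler actions
        $findings.Add([pscustomobject]@{
            Source   = 'ScheduledTask'
            Location = $task.TaskPath + $task.TaskName
            Name     = $task.Principal.UserId
            Command  = ($action.Execute + ' ' + $action.Arguments).Trim()
        })
    }
}

# Startup folders (T1547.001): all-users folder and the session account's profile.
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    foreach ($item in Get-ChildItem -Path $dir -File) {
        $findings.Add([pscustomobject]@{
            Source   = 'StartupFolder'
            Location = $dir
            Name     = $item.Name
            Command  = $item.FullName
        })
    }
}

# Flag entries launched from user-writable paths or via scripting hosts. This
# pattern list is a constructed starting point for analyst review, not a rule.
$suspicious = '\\Users\\|\\Temp\\|\\AppData\\|powershell|wscript|cscript|mshta|rundll32|regsvr32'
$report = $findings | ForEach-Object {
    $_ | Add-Member -NotePropertyName Flagged -NotePropertyValue ($_.Command -match $suspicious) -PassThru
}

# Console output is captured in the session log; the CSV can be fetched with
# getfile for offline review. The output path is an assumption.
$report | Sort-Object Flagged -Descending | Format-Table -AutoSize
$csv = Join-Path $env:TEMP ("persistence_{0}.csv" -f $env:COMPUTERNAME)
$report | Export-Csv -LiteralPath $csv -NoTypeInformation
Write-Output "Findings written to $csv"
```

The script only reads and reports; it removes nothing, so a flagged row still has to be confirmed by the analyst before any remediate action is taken in the session.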
Step 9: Audit & Close
- Review the Live Response Session log to ensure all steps are properly recorded.
- End the session.
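To show how Steps 2 to 6 can be bundled into a single, repeatable check that is recorded as one entry in the session log, here is an added triage script written for this post. It is not Microsoft's code and not part of the Live Response command library; the default file path is taken from the scenario above, while the known-bad hash list is a constructed placeholder standing in for an export from the team's TI platform. It confirms the file's presence and timestamps, hashes it, finds any running process backed by the file together with its direct children, and lists the non-loopback TCP connections those processes own.

```powershell
# Added example written for this post (not Microsoft's own script): a single
# triage script covering Steps 2 to 6 for the FINANCE-LAP01 scenario so the
# checks run in one runscript call and are recorded in the session log.
# The default path is the post's scenario; the indicator list is a placeholder.
param(
    [string]$Path = 'C:\Users\Alice\Downloads\invoice2025.exe'
)
$ErrorActionPreference = 'SilentlyContinue'

# Step 2: confirm the file exists and record size and timestamps for correlation.
$file = Get-Item -LiteralPath $Path
if (-not $file) { Write-Output "File not found: $Path"; return }
$file | Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc | Format-List

# Step 3: hash the file and compare against a local indicator list. The list
# below is a constructed placeholder, not a real indicator.
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
$knownBad = @('0000000000000000000000000000000000000000000000000000000000000000')
Write-Output ("SHA256: {0}  MatchesKnownBad: {1}" -f $sha256, ($knownBad -contains $sha256))

# Step 5: processes whose image is this file, plus their direct children,
# since a dropper commonly spawns powershell.exe or cmd.exe after execution.
$all = Get-CimInstance Win32_Process
$related = @($all | Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ieq $file.FullName) })
$relatedIds = @($related | ForEach-Object { $_.ProcessId })
$children = @($all | Where-Object { $_.ParentProcessId -in $relatedIds })
$tree = $related + $children
if ($tree.Count -eq 0) {
    Write-Output "No running process is backed by $Path"
} else {
    $tree | Select-Object ProcessId, ParentProcessId, Name, CommandLine | Format-Table -AutoSize
}

# Step 6: TCP connections owned by those processes, excluding loopback and
# unspecified addresses, so remote destinations can be recorded for TI correlation.
$treeIds = @($tree | ForEach-Object { $_.ProcessId })
Get-NetTCPConnection |
    Where-Object { ($_.OwningProcess -in $treeIds) -and ($_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|::$)') } |
    Select-Object OwningProcess, LocalPort, RemoteAddress, RemotePort, State |
    Format-Table -AutoSize

# Remediation (Step 7) is deliberately left to the remediate and kill console
# commands so the destructive action stays a separate, individually audited step.
```

Keeping the script read-only matches the governance model described earlier: the evidence gathering is one logged action, and the remediate or kill decision that follows is another, each attributable to the analyst who issued it.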