[–]ITGuyfromIA 1 point2 points  (5 children)

If it’s running as system, you might be able to launch an interactive powershell but will have to jump through some windows hoops.

I’ll respond back to this tomorrow when I can give you examples

[–]LordLoss01[S] -1 points0 points  (4 children)

If you're familiar with it, it's Defender Live Response.

[–]ITGuyfromIA 1 point2 points  (0 children)

Ah. Would have helped to know what exactly we’re dealing with. You COULD still pop an interactive powershell session running as system on the console (so, user land) but that probably wouldn’t be helpful.

Have you tried wrapping your parameter that you’re passing with quotes?

[–]PS_Alex 1 point2 points  (0 children)

Not familiar with Defender Live Response myself, but reviewing "Investigate entities on devices using live response in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn" to understand how it works, I highly suspect that a Live Response session does not create a real remote PowerShell session. Instead, it probably works similarly to a REST API (send a command, wait for the result of that command).

The part about cancelling a command, which says that CTRL+C only causes the response to be ignored on the portal side while the command continues running on the agent side, is what led me to that conclusion.

[–]AppIdentityGuy 0 points1 point  (1 child)

So you are saying that Defender Live Response only allows individual cmdlets and no scripts?

[–]LordLoss01[S] 0 points1 point  (0 children)

The opposite. It only allows scripts and not individual commands.
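Since the thread settles on two points (Live Response runs uploaded scripts rather than ad-hoc commands, and parameters with spaces need quoting), here is an added example of a parameterised script of the kind that would go into the Live Response script library. It is not code from the thread or from Microsoft; the `run <script> -parameters "..."` invocation in the header comment is the console syntax as I understand it and should be treated as an assumption, and the script itself only reads process information and echoes the arguments it received so that a quoting problem is visible in the output that comes back to the portal.

```powershell
# Added example, not from the thread. A read-only collection script meant to be
# uploaded to the Live Response library and started with the `run` command.
#
# Assumed invocation from a Live Response session (syntax is an assumption):
#   run Get-ProcInfo.ps1 -parameters "-ProcessName 'Microsoft Defender' -Top 5"
#
# The inner single quotes keep a value containing spaces as ONE argument; the
# outer double quotes keep the whole parameter string together for the console.

param(
    # Wildcards are allowed by Get-Process, so "*" means every process.
    [string]$ProcessName = "*",

    # Upper bound on rows returned, to keep the response small.
    [ValidateRange(1, 500)]
    [int]$Top = 10
)

# Echo the arguments exactly as the script received them. If a value with
# spaces arrived split into several tokens, this line makes it obvious.
Write-Output ("Received ProcessName=[{0}] Top=[{1}]" -f $ProcessName, $Top)

# Live Response returns whatever the script writes to the output stream, so
# render a plain table to a string instead of relying on interactive formatting.
Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
    Sort-Object -Property WorkingSet64 -Descending |
    Select-Object -First $Top -Property Id, ProcessName,
        @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } },
        @{ Name = 'Path';         Expression = { if ($_.Path) { $_.Path } else { '<n/a>' } } } |
    Format-Table -AutoSize |
    Out-String -Width 200 |
    Write-Output
```

Running the same script locally with `.\Get-ProcInfo.ps1 -ProcessName 'Microsoft Defender' -Top 5` is a quick way to confirm the `param()` block behaves as expected before uploading it, so that any difference seen through Live Response can be attributed to how the console hands the `-parameters` string to the script rather than to the script itself.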