Depending on the role you have, you can run basic or advanced live response commands. For more information on basic and advanced commands, see Investigate entities on devices using live response.
| Command | Description | Example |
|---|---|---|
| analyze | Analyze the file malware.txt | `analyze file c:\Users\user\Desktop\malware.txt` |
| analyze | Analyze the process by PID | `analyze process 1234` |
| connections | List active connections in JSON format using the parameter name | `connections -output json` |
| connections | List active connections in JSON format without the parameter name | `connections json` |
| dir | List files and sub-folders in the current folder | `dir` |
| dir | List files and sub-folders in a specific folder | `dir C:\Users\user\Desktop\` |
| dir | List files and sub-folders in the current folder in JSON format | `dir -output json` |
| fileinfo | Display information about a file | `fileinfo C:\Windows\notepad.exe` |
| findfile | Find a file by name | `findfile test.txt` |
| getfile | Download a file from a machine | `getfile c:\Users\user\Desktop\work.txt` |
| getfile | Download a file from a machine, automatically running prerequisite commands | `getfile c:\Users\user\Desktop\work.txt -auto` |
Note: the following file types cannot be downloaded with `getfile` from within Live Response:

- Reparse point files
- Sparse files
- Empty files
- Virtual files, or files that are not fully present locally

These file types are supported by PowerShell. Use PowerShell as an alternative if you have problems downloading a file with this command from within Live Response.
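As an added example (not part of the original article), the following PowerShell script reports whether a file carries one of the attributes listed above before an analyst spends a `getfile` on it, so the fallback to a PowerShell-based copy can be chosen up front. The script name, the parameter name and the raw attribute constants are assumptions made for this example.

```powershell
# getfile-check.ps1 (hypothetical name): report why live response getfile
# may fail on a given file. Upload it with putfile, then run it from the
# library, e.g.  run getfile-check.ps1 -parameters "-Path c:\Users\user\Desktop\work.txt"
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# -Force so hidden/system files are returned; -LiteralPath avoids wildcard expansion.
$item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
$attr = [int]$item.Attributes
$reasons = @()

if ($item.PSIsContainer) {
    $reasons += 'directory, not a file'
}
if ($attr -band [int][System.IO.FileAttributes]::ReparsePoint) {
    $reasons += 'reparse point (symlink, junction or placeholder)'
}
if ($attr -band [int][System.IO.FileAttributes]::SparseFile) {
    $reasons += 'sparse file'
}
if (-not $item.PSIsContainer -and $item.Length -eq 0) {
    $reasons += 'empty file'
}
# FILE_ATTRIBUTE_OFFLINE (0x1000), FILE_ATTRIBUTE_RECALL_ON_OPEN (0x40000) and
# FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS (0x400000) mark content that is not fully
# present locally (cloud placeholders, tiered storage).
if ($attr -band (0x1000 -bor 0x40000 -bor 0x400000)) {
    $reasons += 'not fully present locally (offline / recall-on-access)'
}

# Emit one object; an empty Reasons field means getfile should work as-is.
[pscustomobject]@{
    Path             = $item.FullName
    Length           = $item.Length
    Attributes       = $item.Attributes
    GetFileSupported = ($reasons.Count -eq 0)
    Reasons          = ($reasons -join '; ')
}
```

When `GetFileSupported` is false, collect the file with a PowerShell-based copy instead, as the note above recommends.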
| Command | Description | Example |
|---|---|---|
| library | List files in the library | `library` |
| library | Delete a file from the library | `library delete script.ps1` |
| processes | Show all processes | `processes` |
| processes | Get a process by PID | `processes 123` |
| processes | Get a process by PID using the argument name | `processes -pid 123` |
| processes | Get a process by name | `processes -name notepad.exe` |
| putfile | Upload a file from the library | `putfile get-process-by-name.ps1` |
| putfile | Upload a file from the library, overwriting the file if it exists | `putfile get-process-by-name.ps1 -overwrite` |
| putfile | Upload a file from the library and keep it on the machine after a restart | `putfile get-process-by-name.ps1 -keep` |
| registry | Show information about the values in a registry key | `registry HKEY_CURRENT_USER\Console` |
| registry | Show information about a specific registry value | `registry HKEY_CURRENT_USER\Console\\ScreenBufferSize` |
| remediate | Remediate a file at a specific path | `remediate file c:\Users\user\Desktop\malware.exe` |
| remediate | Remediate a process with a specific PID | `remediate process 7960` |
| remediate | See the list of all remediated entities | `remediate list` |
| run | Run a PowerShell script from the library without arguments | `run script.ps1` |
| run | Run a PowerShell script from the library with arguments | `run get-process-by-name.ps1 -parameters "-processName Registry"` |
Note: for long-running commands such as `run` or `getfile`, you may want to append the `&` symbol to the command to perform that action in the background. This lets you continue investigating the machine and return to the background command when it is done using the `fg` basic command.
| Command | Description | Example |
|---|---|---|
| scheduledtasks | Get all scheduled tasks | `scheduledtasks` |
| scheduledtasks | Get a specific scheduled task by location and name | `scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition` |
| scheduledtasks | Get a specific scheduled task by location and name when the name contains spaces | `scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation"` |
| undo | Restore a remediated registry value | `undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize` |
| undo | Restore a remediated scheduled task | `undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition` |
| undo | Restore a remediated file | `undo file c:\Users\user\Desktop\malware.exe` |