Microsoft Defender ATP adds live response for Linux and macOS

silversurfer

Microsoft has announced the addition of new live macOS and Linux response capabilities to Defender for Endpoint, the enterprise version of Redmond's Windows 10 Defender antivirus.

The new capabilities are now available in public preview in the enterprise endpoint security platform (previously known as Microsoft Defender Advanced Threat Protection) and come with unique new commands for these platforms.

They are designed to help security operations (SecOps) teams to trigger response actions straight from the live response interface during incident investigations.

SecOps experts can use them to contain identified threats by enforcing network isolation, blocking attackers' attempts to exfiltrate data or move laterally through the network.

Other response actions added today for macOS and Linux customers also enable them to collect info on attackers' tools and techniques, and remotely trigger antivirus scans to detect and remediate malware infections on compromised devices.

With live response for macOS and Linux, analysts can do the following tasks:
  • Run basic and advanced commands to investigate suspicious entities.
  • Collect files (such as malware samples, scripts output) for offline analysis.
  • Trigger response actions on the device.
  • Upload any Bash script to their live response library, and then run it on the device to collect forensics evidence and remediate malicious entities.

"With live response, you have the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats -- in real-time," Microsoft said.

"Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats."