Because the built-in commands in Live Response include put (copy a file to the remote system) and exec and execfg (run a process on that system; the fg variant waits for the process and returns its output), responders can extend the capabilities of Live Response well beyond the built-in command set.
For example, an investigator could take the following series of actions:
- Upload yara.exe and scan memory with custom YARA rules.
- Upload winpmem.exe and acquire a memory image.
- Upload sbag.exe and parse the registry for ShellBags artifacts.
- Upload a custom PowerShell script and run it with powershell.exe.
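The last item above, carried through end to end, as an added example that is not part of the original page or of Carbon Black's own tooling: a triage script staged on the endpoint with put, run with execfg, and its output pulled back with get. The staging directory, the output file name and the optional tool-hash parameters are assumptions; the Live Response console commands shown in the header comment are the ones named on this page plus get and del for retrieval and cleanup.

```powershell
# Added example, not Carbon Black documentation. Staging path and file names are assumptions.
# Live Response session (typed into the console, one command per line):
#   put triage.ps1 C:\Windows\Temp\cb\triage.ps1
#   execfg powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Windows\Temp\cb\triage.ps1 -OutDir C:\Windows\Temp\cb
#   get C:\Windows\Temp\cb\triage.json
#   del C:\Windows\Temp\cb\triage.json
#   del C:\Windows\Temp\cb\triage.ps1

[CmdletBinding()]
param(
    [string]$OutDir = "C:\Windows\Temp\cb",
    # Optional: path and expected SHA-256 of a tool (e.g. yara.exe) uploaded with put.
    # The script refuses to continue if the staged copy does not match.
    [string]$ToolPath,
    [string]$ToolSha256
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Verify any staged tool before anything executes it. A put can be mis-transferred
#    or tampered with, and a responder session runs with high privilege.
if ($ToolPath) {
    if (-not $ToolSha256) { throw "ToolSha256 is required when ToolPath is given" }
    $actual = (Get-FileHash -Path $ToolPath -Algorithm SHA256).Hash
    if ($actual -ne $ToolSha256.ToUpper()) {
        throw "Hash mismatch for $ToolPath : expected $ToolSha256, got $actual"
    }
}

# 2. Running processes with image hash, parent and command line for intel lookups.
$procs = Get-CimInstance Win32_Process | ForEach-Object {
    $hash = $null
    if ($_.ExecutablePath -and (Test-Path $_.ExecutablePath)) {
        $hash = (Get-FileHash -Path $_.ExecutablePath -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        Pid         = $_.ProcessId
        ParentPid   = $_.ParentProcessId
        Name        = $_.Name
        Path        = $_.ExecutablePath
        CommandLine = $_.CommandLine
        Sha256      = $hash
    }
}

# 3. Listening sockets and established connections, with the owning PID.
$net = Get-NetTCPConnection | Where-Object { $_.State -in 'Listen', 'Established' } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess

# 4. Common persistence: Run keys, enabled scheduled tasks, services outside C:\Windows.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Value = $_.Value } }
    }
}
$tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    [pscustomobject]@{
        Name    = $_.TaskName
        Path    = $_.TaskPath
        Actions = @($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() })
    }
}
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?C:\\Windows\\' } |
    Select-Object Name, State, StartMode, PathName

# 5. One JSON artifact, timestamped in UTC, for retrieval with get.
$report = [ordered]@{
    Host        = $env:COMPUTERNAME
    CollectedAt = (Get-Date).ToUniversalTime().ToString('o')
    Processes   = @($procs)
    Network     = @($net)
    Autoruns    = @($autoruns)
    Tasks       = @($tasks)
    Services    = @($services)
}
$out = Join-Path $OutDir 'triage.json'
$report | ConvertTo-Json -Depth 5 | Set-Content -Path $out -Encoding UTF8
Write-Output "Wrote $out"
```

Two habits worth keeping whatever tool you stage this way: check the hash of the uploaded binary on the endpoint before executing it, and delete what you staged when the session ends. Anything copied with put and run with exec or execfg leaves its own traces on the host (the file, prefetch entries, process events in the sensor's own data), so keep a record of what was uploaded and when so those artifacts are not mistaken for attacker activity later.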
Although the library of built-in commands in Live Response will grow, it will never include every command for every situation. The ability to use put file and create process together ensures that you have the freedom to add the utilities you need for forensics and incident response. The Live Response API provides additional capabilities; see Live Response API Reference.