Endpoint Detection and Response includes Active Response Shell, which lets authorized Super Admins remotely investigate attacks, collect forensic data, and remediate detections on Windows and Linux endpoints. Super Admins access their endpoints securely from Nebula.
To configure Active Response Shell, see Endpoint Detection and Response policy settings in Nebula.
Requirements
- Super Administrator permissions.
- An active Endpoint Detection & Response subscription or trial.
- Two-factor authentication or SSO enabled for Super Admin accounts.
- The Nebula Account Owner must assign Active Response Shell permission to selected Super Admins or optionally to the owner account. For more information, see Manage Users in Nebula.
- Active Response Shell enabled in each Endpoint Detection and Response policy, which enables the setting for any Group assigned that policy.
- Remote endpoints cannot be behind a proxy. This is a known issue that is being investigated.
- Windows endpoints running an Advanced RISC Machine (ARM) processor are not currently supported.
Access Active Response Shell
Active Response Shell is accessed from the Endpoints, Suspicious Activity, and Flight Recorder pages in Nebula.
To access on the Endpoints page:
- On the left navigation pane, go to Manage > Endpoints.
- Select an endpoint or click the endpoint name, then click Actions.
- Click Launch Active Response Shell.
To access on the Suspicious Activity page:
- On the left navigation pane, go to Investigate > Suspicious Activity.
- Choose a suspicious detection and, on the Actions menu, click Launch Active Response Shell.
- Alternatively, click a suspicious detection name. On the details page, click Actions, then click Launch Active Response Shell.
To access on the Flight recorder page:
- On the left navigation pane, go to Investigate > Flight Recorder.
- Enter your search parameters and click Search.
- Select an endpoint, then click Actions.
- Click Launch Active Response Shell.
Active Response Shell commands
Below is the list of commands that can be run using Active Response Shell. Commands that operate on the registry, the Service Control Manager, scheduled tasks, or WMI apply to Windows endpoints. Note that put and exec together allow arbitrary code to be uploaded and executed on the endpoint, which is why access is limited to Super Admins with two-factor authentication or SSO.
Command | Description |
? | Print remote shell help. |
cd | Change directory or move to a specific folder. |
copy | Copy a single file. |
datetime | Show the endpoint's local date and time. |
del | Delete one or more files. |
dir | Display the list of files and folders. |
dump | Dump a binary file as hex values. |
exec | Execute a process. A command shell is launched: |
get | Retrieve a specific file from the host machine. |
md | Create a directory. |
move | Rename or move a file. |
netstat | Monitor network activity. |
put | Upload a file to the host machine. |
quit | Terminate the Active Response Shell session. |
reg | Perform operations on registry subkeys, key information, and values. |
sandbox | Upload a file to Sandbox Analysis. |
sc | Perform operations with the Service Control Manager. |
schtasks | Create, modify, or delete scheduled tasks. |
systeminfo | Display operating system information for the endpoint. |
taskkill | Terminate one or more processes by PID or process name. |
tasklist | Display the list of active processes. |
timeliner | Execute the Forensic Timeliner. |
type | Display the contents of one or more text files. |
unzip | Extract an archived folder. |
wmic | Display Windows Management Instrumentation (WMI) information inside an interactive command shell. |
zip | Compress a list of files and folders into a ZIP archive. |