Endpoint Detection and Response includes Active Response Shell (ARS) which provides the ability to remotely investigate attacks, collect forensic data, and remediate detections on Windows, Windows ARM, and Linux endpoints. Authorized Super Admins can securely access their endpoints remotely with Nebula.
To configure ARS, see Endpoint Detection and Response policy settings in Nebula.
Requirements
- Super Administrator permissions.
- An active Endpoint Detection & Response subscription or trial.
- Two-factor authentication or SSO enabled for Super Admin accounts.
- The Nebula Account Owner must assign ARS permission to selected Super Admins or optionally to the owner account. For more information, see Manage Users in Nebula.
- ARS enabled in each Endpoint Detection and Response policy, which enables the setting for any Group assigned that policy.
- Remote endpoints cannot be behind a proxy. This is a known issue that being investigated.
Access Active Response Shell
ARS is accessed through the Endpoints page and the Suspicious Activity page in Nebula.
To access on the Endpoints page:
- On the left navigation pane, go to Manage > Endpoints.
- Select an endpoint or click the endpoint name, then click Actions.
- Click Launch Active Response Shell.
To access on the Suspicious Activity page:
- On the left navigation pane, go to Investigate > Suspicious Activity.
- Choose a suspicious detection and on the Actions menu, click Launch Active Response Shell.
- Or click a suspicious detection name. On the details page, click Actions.
- Click Launch Active Response Shell.
To access on the Flight recorder page:
- On the left navigation pane, go to Investigate > Flight Recorder.
- Enter your search parameters and click Search.
- Select an endpoint, then click Actions.
- Click Launch Active Response Shell.
ARS commands
Below is the list of commands that can be run using ARS:
| Windows Command | Linux Command | macOS Command | Description |
|---|---|---|---|
| ? | ? | ? | Print remote shell help. |
| cd | cd | cd | Change directory or move to a specific folder. |
| copy | cp | cp | Copy a single file. |
| datetime | date | date | Show local date and time. |
| del | rm | rm | Delete one or more files. |
| dir | ls | ls | Display the list of files and folders. |
| dump | dump | dump | Dump binary files in hex values. |
exec |
exec | exec |
Execute process. Command shell is launched:
|
get |
get | get | Retrieve a specific file from the host machine. File size limit 512MB. |
md |
mkdir | mkdir | Create directory. |
| msiexec | N/A | N/A | Execute MSI installer in no-ui mode |
move |
mv | mv | Rename or move a file. |
put |
put | put | Upload a file to the host machine. File size limit 64MB. |
quit |
quit | quit | Terminate ARS. |
reg |
N/A | N/A | Performs operations on registry subkey, information, and values in the registry. |
sandbox |
N/A | N/A | Upload file to Sandbox Analysis. |
sc |
systemctl | launchctl | Performs operations with the Service Control Manager. |
systeminfo |
systeminfo | systeminfo | Displays operating system information for a local or remote machine. |
taskkill |
kill | kill | Terminate one or more processes from PID or process name. |
tasklist |
ps | ps | Display the list of the active processes. |
timeliner |
N/A | N/A | Execute the Forensic Timeliner. |
type |
cat | cat | Displays the contents of a text file or files. |
unzip |
unzip | unzip | Unzip archived folder. |
zip |
zip | zip | Compress a list of files and folders in a ZIP archive. |