Endpoint Detection and Response includes Active Response Shell (ARS) which provides the ability to remotely investigate attacks, collect forensic data, and remediate detections on Windows, Windows ARM, and Linux endpoints. Authorized Global Administrators can securely access their endpoints remotely with OneView.
Requirements
- Global Administrator permissions.
- An active Endpoint Detection & Response subscription or trial.
- Two-factor authentication or SSO enabled for the Global Administrator.
- ARS enabled in each Endpoint Detection and Response policy, which enables the setting for any Group assigned that policy.
- Remote endpoints cannot be behind a proxy. This is a known issue that being investigated.
- A OneView Global Administrator must enable ARS to provide access to another Admin.
Access Active Response Shell
ARS is accessed through the Endpoints page and the Suspicious Activity page in OneView.
To access on the Endpoints page:
- On the left navigation menu, click Manage > Endpoints.
- Select an endpoint or click the endpoint name, then click the Actions button.
- Click Launch Active Response Shell.
To access on the Suspicious Activity page:
- On the left navigation menu, click Investigate > Suspicious Activity.
- Choose a suspicious detection and on Actions > Launch Active Response Shell.
- Or click a suspicious detection name. On the details page, click Actions > Launch Active Response Shell.
ARS commands
| Windows Command | Linux Command | macOS Command | Description |
|---|---|---|---|
| ? | ? | ? | Print remote shell help. |
| cd | cd | cd | Change directory or move to a specific folder. |
| copy | cp | cp | Copy a single file. |
| datetime | date | date | Show local date and time. |
| del | rm | rm | Delete one or more files. |
| dir | ls | ls | Display the list of files and folders. |
| dump | dump | dump | Dump binary files in hex values. |
exec | exec | exec | Execute process. Command shell is launched:
|
get | get | get | Retrieve a specific file from the host machine. File size limit 512MB. |
md | mkdir | mkdir | Create directory. |
| msiexec | N/A | N/A | Execute MSI installer in no-ui mode |
move | mv | mv | Rename or move a file. |
put | put | put | Upload a file to the host machine. File size limit 64MB. |
quit | quit | quit | Terminate ARS. |
reg | N/A | N/A | Performs operations on registry subkey, information, and values in the registry. |
sandbox | N/A | N/A | Upload file to Sandbox Analysis. |
sc | systemctl | launchctl | Performs operations with the Service Control Manager. |
systeminfo | systeminfo | systeminfo | Displays operating system information for a local or remote machine. |
taskkill | kill | kill | Terminate one or more processes from PID or process name. |
tasklist | ps | ps | Display the list of the active processes. |
timeliner | N/A | N/A | Execute the Forensic Timeliner. |
type | cat | cat | Displays the contents of a text file or files. |
unzip | unzip | unzip | Unzip archived folder. |
zip | zip | zip | Compress a list of files and folders in a ZIP archive. |