Endpoint Detection and Response includes Active Response Shell, which provides the ability to remotely investigate attacks, collect forensic data, and remediate detections on Windows and Linux endpoints. Authorized Global Administrators can securely access their endpoints remotely through OneView.
Requirements
- Global Administrator permissions.
- An active Endpoint Detection & Response subscription or trial.
- Two-factor authentication or SSO enabled for the Global Administrator.
- Active Response Shell enabled in each Endpoint Detection and Response policy, which enables the setting for any Group assigned that policy.
- Remote endpoints cannot be behind a proxy. This is a known issue that is being investigated.
- Windows endpoints running an Advanced RISC Machine (ARM) processor are not currently supported.
Access Active Response Shell
Active Response Shell is accessed through the Endpoints page and the Suspicious Activity page in OneView.
To access on the Endpoints page:
- On the left navigation menu, click Manage > Endpoints.
- Select an endpoint or click the endpoint name, then click the ellipsis icon.
- Click Launch Active Response Shell.
To access on the Suspicious Activity page:
- On the left navigation menu, click Investigate > Suspicious Activity.
- Choose a suspicious detection and, on the ellipsis icon, click Launch Active Response Shell.
- Or click a suspicious detection name. On the details page, click the ellipsis icon.
- Click Launch Active Response Shell.
Active Response Shell commands
| Command | Description |
| --- | --- |
| ? | Print remote shell help. |
| cd | Change directory or move to a specific folder. |
| copy | Copy a single file. |
| datetime | Show the local date and time. |
| del | Delete one or more files. |
| dir | Display the list of files and folders. |
| dump | Dump a binary file as hex values. |
| exec | Execute a process. A command shell is launched. |
| get | Retrieve a specific file from the host machine. |
| md | Create a directory. |
| move | Rename or move a file. |
| netstat | Monitor network activity. |
| put | Upload a file to the host machine. |
| quit | Terminate the Active Response Shell session. |
| reg | Perform operations on registry subkeys, information, and values in the registry. |
| sandbox | Upload a file to Sandbox Analysis. |
| sc | Perform operations with the Service Control Manager. |
| schtasks | Create, modify, or delete scheduled tasks. |
| systeminfo | Display operating system information for a local or remote machine. |
| taskkill | Terminate one or more processes by PID or process name. |
| tasklist | Display the list of active processes. |
| timeliner | Execute Forensics Timeliner. |
| type | Display the contents of a text file or files. |
| unzip | Unzip an archived folder. |
| wmic | Display Windows Management Instrumentation (WMI) information inside an interactive command shell. |
| zip | Compress a list of files and folders into a ZIP archive. |