Trend Vision One extended detection and response (XDR) remote shell

The Trend Vision One XDR-integrated remote shell lets you run commands directly from the XDR interface.

If you connect your agents and relays to the primary security update source via a proxy, remote shell automatically uses the same proxy settings.

Remote shell is available for the agent version 20.0.0-2009 or later for Linux and Windows, version 20.0.0-173 or later for macOS. For more details, see the supported commands table.

Requirements

Install the agent version 20.0.0-2009 or later for Windows or Linux, version 20.0.0-173 or later for macOS.
Register with Trend Vision One extended detection and response (XDR)
Forward security events to Trend Vision One extended detection and response (XDR)
Enable Activity Monitoring

Workload Security uses an IoT mechanism to transmit messages and events to XDR. If you need to restrict the URLs allowed in your environment, configure your firewall to include the Event Channel - XDR Activity Monitoring FQDNs from the Workload Security URLs table.

Start a remote shell session

You can start a remote shell session from either of the following:

From the Trend Vision One Search App :

Right-click on the endpointHostName field in Search App events and select Start Remote Shell Session.
From the Trend Vision One Workbench (under XDR ):

Right-click on the server icon and select Start Remote Shell Session.

Supported commands

The following table lists currently supported remote shell commands by platform and agent version.

Note that later agent versions support the commands listed from prior agent releases on the same platform.

DSA Version

Platform

Command

Description

Syntax

Example

20.0.0-5512+

Windows

memdump

Create a process memory dump available as an encrypted archive from the Trend Vision One console

memdump [--ma] [--mm] --pid <pid>

--ma: Creates a full process memory dump.

--mm: Create a mini process memory dump.

--pid: Required parameter to specify process ID <pid>

Note

memdump does not support dumping system processes or creating dump files larger than 128MB.

memdump --mm --pid 1234

20.0.0-182+

macOS

memdump

Create a process memory dump available as an encrypted archive from the Trend Vision One console

memdump --pid <pid>

memdump --pid 1234

cp

Copy a file or directory to a specific destination

cp <source object> <destination object> [--force]

To copy the Finances directory in the current directory (/Users/<username>/Downloads) to /tmp and overwrite the existing directory: Downloads>
```
cp Finances /tmp --force
```
To copy the the example.txt file located in the /var directory to /tmp and overwrite the existing example.txt file: Downloads>
```
cp /var/example.txt /tmp --force
```

get

Collect a specific file and upload to Trend Vision One (maximum file size: 128MB)

get <file_location_and_extension>

To collect the example.txt file in the current directory (/Users/<username>/Downloads): Downloads>
```
get example.txt
```
To collect the example.txt file in the /tmp directory: Downloads>
```
get /tmp/example.txt
```

mkdir

Create a new directory

mkdir <path>

To create the Finances directory in the current directory (/Users/<username>/Downloads): Downloads>
```
mkdir Finances
```
To create the Finances directory in the /tmp directory: Downloads>
```
mkdir /tmp/Finances
```

mv

Move a file or directory to specific destination

mv <source_object> <destination_object> [--force]

To move the Finances directory in the current directory (/Users/<username>/Downloads) to /tmp and overwrite the existing directory: Downloads>
```
mv Finances /tmp --force
```
To move the example.txt file in the /var directory to the /tmp directory and overwrite the existing example.txt file: Downloads>
```
mv /var/example.txt /tmp --force
```

rm

Delete a file or directory (including all sub-directories)

rm <source_object> [--force]

To delete the Finances directory in the current directory (/Users/<username>/Downloads): Downloads>
```
rm Finances
```
To delete the example.txt file in the /var directory: Downloads>
```
rm /var/example.txt
```

run

Execute a previously uploaded script

run <script_name_and_extension> [arguments]

run demo.sh 1 "22 33" 44

zip

Compress a file or directory in a zip archive and optionally encrypt the archive with a password

zip <source_object1> [<source_object2...> <source_objectn>] [--password <password>] [--force]

To zip the contents of the Finances directory in the current directory (/Users/<username>/Downloads) to "/tmp/directoryArchive.zip", set password to "P@ssw0rd", and overwrite the existing file: Downloads>
```
zip Finances /tmp/directoryArchive.zip --password P@ssw0rd --force
```
To zip the example.txt file in the /var directory to /tmp/exampleArchive.zip and overwrite the existing file: Downloads>
```
zip /var/example.txt /tmp/exampleArchive.zip --force
```

kill

Terminate a running process

kill <PID>

kill 1234

user info

List account properties

user info <username>

user info john_doe

20.0.0-173+

macOS

netstat

List network statistics and active connections

netstat

netstat

cat

Output content of the selected file (max size 1MB)

cat <file_location_and_extension>

Note

For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.

To output the content of the example.txt file located in the current directory (/Users/<username>/Downloads): Downloads>
```
cat example.txt
```
To output the content of the example.txt file located in the /tmp directory: Downloads>
```
cat /tmp/example.txt
```

cd

Change current working directory

cd <path>

cd /Users

clear

Clear screen

clear

clear

env

List environment variables

env

env

ls

List files and directories

ls <path>

To list files and directories in the current directory (/Users/<username>/Downloads): Downloads>
```
ls
```
To list files and directories located in the /tmp directory: Downloads>
```
ls /tmp
```

ps

List running process information

ps

ps

pwd

Display current directory

pwd

pwd

service list

List service information

service list

service list

user list

List local user accounts

user list

user list

ipconfig

Show network configurations

ipconfig

ipconfig

fileinfo

List detailed file properties

file info <file_location_and_extension>

Note

For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.

To list the file properties of the example.txt file in the current directory (/Users/<username>/Downloads): Downloads>
```
fileinfo example.txt
```
To list the file properties of the example.txt file located in the /tmp directory:
```
fileinfo /tmp/example.txt
```

systeminfo

List system information

ipconfig

ipconfig

help

Display help information

help

help

20.0.0-2204+

Windows, Linux

netstat

List network connections

netstat

netstat

ipconfig

Show network configurations

ipconfig

ipconfig

fileinfo

List detailed file properties

file info <file_location_and_extension>

Note

For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.

To list the file properties of the example.txt file in the current directory (C:\Users\Administrator\Downloads): Downloads>
```
fileinfo example.txt
```
To list the file properties of the example.txt file located in the C:\temp directory:
```
fileinfo C:\temp\example.txt
```

systeminfo

List system information

ipconfig

ipconfig

scheduletasks

Show schedule tasks

scheduletasks

scheduletasks

Windows

reg query

List registry key or value

reg query <key> [--value=<value_name>]

To list the content of the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion registry key: C:\>
```
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
```
To list the only the data for the value "Details" in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion registry key: C:\ >
```
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion --value=Details
```

Linux

bashhistory

List command/bash history (/root/.bash_history)

bashhistory

bashhistory

20.0.0.2009+

Windows, Linux

cat

Output content of the selected file (max size 1MB)

cat <file_location_and_extension>

Note

For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.

To output the content of the example.txt file located in the current directory (C:\Users\Administrator\Downloads): Downloads>
```
cat example.txt
```
To output the content of the example.txt file located in the C:\temp directory: Downloads>
```
cat c:\temp\example.txt
```

cd

Change current working directory

cd <path>

Note

For the <path>, specify the absolute or relative path.

cd C:\

clear

Clear screen

clear

clear

env

List environment variables

env

env

group list

List local group information

group list

group list

help

Display help information

help

help

ls

List files and directories

ls <path>

Note

For the <path>, specify the absolute or relative path.

To list files and directories in the current directory (C:\Users\Administrator\Downloads): Downloads>
```
ls
```
To list files and directories located in the C:\temp directory: Downloads>
```
ls c:\temp
```

ps

List running process information

ps

ps

pwd

Display current directory

pwd

pwd

service list

List service information

service list

service list

user list

List local user accounts

user list

user list

listenports

List listen ports

listenports

listenports

Troubleshoot common issues

To troubleshoot common issues with the remote shell, check the following settings in your Workload Security console:

Trend Vision One (XDR) settings

In the Trend Vision One (XDR) tab (Administration → System Settings → Trend Micro Vision One (XDR)), make sure that:

Enrollment status is Registered.
Forward security events to Trend Vision One is selected.

remote-shell-XDR-and-log-forwarding=b22cfe2e-110f-46fe-93dd-20c35c5586ba.png

If Enrollment status is not Registered, you need to Register with Trend Vision One (XDR).

Security module settings for your computer(s)

In the Activity Monitoring tab for your computer (Computers → (Right- or- double-click) Details → Activity Monitoring → General), make sure Configuration is set to On or Inherited (On).

remote-shell-activitymonitoring=b66e7b2d-8fe6-4bd8-9d45-ee3469c8f058.png

You can also enable Activity Monitoring for computers by enabling it in the policy assigned to them. From the Policies tab, double-click the policy for which you want to enable Activity Monitoring. Go to the Activity Monitoring → General and make sure that Activity Monitoring State is set to On.

If you checked the requirements and troubleshoot common issues sections, but are still experiencing problems, contact support.