Trend Micro Vision One (XDR) Remote Shell

The XDR-integrated remote shell lets you run commands directly from the Trend Micro Vision One (XDR) interface.

If you connect your agents and relays to the 'primary security update source' via a proxy, Remote Shell automatically uses the same proxy settings.

Remote Shell is available for Deep Security Agent 20.0.0-2009+. Agent version 20.0.0-2204+ adds support for additional commands, as detailed in Supported commands.

Requirements

Workload Security uses an IoT mechanism to transmit messages and events to Trend Micro Vision One (XDR). If you need to restrict the URLs allowed in your environment, configure your firewall to include the "Event Channel - XDR Activity Monitoring" FQDNs from the Workload Security URLs table.

Start a remote shell session

You can start a remote shell session from either of the following:

From the Trend Micro Vision One Search App:

Right-click on the endpointHostName field in Search App events and select Start Remote Shell Session.

From the Trend Micro Vision One Workbench (under XDR):

Right-click on the server icon and select Start Remote Shell Session.

Supported commands

The following table lists currently supported remote shell commands for Windows and Linux platforms.

Deep Security Agent 20.0.0-2204+ adds support for additional commands.

DSA version 20.0.0-2204

Platform: Windows, Linux

cat
Description: Output content of the selected file (max size 1MB)
Syntax: cat <file_location_and_extension>
For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.
Examples:

  • To output the content of the example.txt file located in the current directory (C:\Users\Administrator\Downloads):

    Downloads>cat example.txt

  • To output the content of the example.txt file located in the C:\temp directory:

    Downloads>cat c:\temp\example.txt

cd
Description: Change current working directory
Syntax: cd <path>
For the <path>, specify the absolute or relative path.
Example: cd C:\

clear
Description: Clear screen
Syntax: clear
Example: clear

env
Description: List environment variables
Syntax: env
Example: env

group list
Description: List local group information
Syntax: group list
Example: group list

help
Description: Display help information
Syntax: help
Example: help

ls
Description: List files and directories
Syntax: ls <path>
For the <path>, specify the absolute or relative path.
Examples:

  • To list files and directories in the current directory (C:\Users\Administrator\Downloads):

    Downloads>ls

  • To list files and directories located in the C:\temp directory:

    Downloads>ls c:\temp

ps
Description: List running process information
Syntax: ps
Example: ps

pwd
Description: Display current directory
Syntax: pwd
Example: pwd

service list
Description: List service information
Syntax: service list
Example: service list

user list
Description: List local user accounts
Syntax: user list
Example: user list

listenports
Description: List listen ports
Syntax: listenports
Example: listenports

netstat
Description: List network connections
Syntax: netstat
Example: netstat

ipconfig
Description: Show network configurations
Syntax: ipconfig
Example: ipconfig

fileinfo
Description: List detailed file properties
Syntax: fileinfo <file_location_and_extension>
For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.
Examples:

  • To list the file properties of the example.txt file in the current directory (C:\Users\Administrator\Downloads):

    Downloads>fileinfo example.txt

  • To list the file properties of the example.txt file located in the C:\temp directory:

    fileinfo C:\temp\example.txt

systeminfo
Description: List system information
Syntax: systeminfo
Example: systeminfo

scheduletasks
Description: Show schedule tasks
Syntax: scheduletasks
Example: scheduletasks

Platform: Windows

reg query
Description: List registry key or value
Syntax: reg query <key> [--value=<value_name>]
Examples:

  • To list the content of the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion registry key:

    C:\ >reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion

  • To list only the data for the value "Details" in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion registry key:

    C:\ >reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion --value=Details

Platform: Linux

bashhistory
Description: List command/bash history (/root/.bash_history)
Syntax: bashhistory
Example: bashhistory

DSA version 20.0.0-2009

Platform: Windows, Linux

cat
Description: Output content of the selected file (max size 1MB)
Syntax: cat <file_location_and_extension>
For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.
Examples:

  • To output the content of the example.txt file located in the current directory (C:\Users\Administrator\Downloads):

    Downloads>cat example.txt

  • To output the content of the example.txt file located in the C:\temp directory:

    Downloads>cat c:\temp\example.txt

cd
Description: Change current working directory
Syntax: cd <path>
For the <path>, specify the absolute or relative path.
Example: cd C:\

clear
Description: Clear screen
Syntax: clear
Example: clear

env
Description: List environment variables
Syntax: env
Example: env

group list
Description: List local group information
Syntax: group list
Example: group list

help
Description: Display help information
Syntax: help
Example: help

ls
Description: List files and directories
Syntax: ls <path>
For the <path>, specify the absolute or relative path.
Examples:

  • To list files and directories in the current directory (C:\Users\Administrator\Downloads):

    Downloads>ls

  • To list files and directories located in the C:\temp directory:

    Downloads>ls c:\temp

ps
Description: List running process information
Syntax: ps
Example: ps

pwd
Description: Display current directory
Syntax: pwd
Example: pwd

service list
Description: List service information
Syntax: service list
Example: service list

user list
Description: List local user accounts
Syntax: user list
Example: user list

listenports
Description: List listen ports
Syntax: listenports
Example: listenports

Troubleshoot common issues

To troubleshoot common issues with the remote shell, check the following settings in your Workload Security console:

Trend Micro Vision One (XDR) settings

In the Trend Micro Vision One (XDR) tab (Administration > System Settings > Trend Micro Vision One (XDR)), make sure that:

  • Enrollment status is "Registered"
  • Forward security events to Trend Micro Vision One has its checkbox selected

If Enrollment status is not "Registered", you need to Register with Trend Micro Vision One (XDR).

Security module settings for your computer(s)

In the Activity Monitoring tab for your computer(s) (Computers > (right-click or double-click) Details > Activity Monitoring > General), make sure Configuration is set to "On" or "Inherited (On)."

You can also enable Activity Monitoring for computers by enabling it in the policy assigned to them. From the Policies tab, double-click the policy you want to enable Activity Monitoring for. Go to Activity Monitoring > General and make sure that "Activity Monitoring State" is set to "On."

If you've checked the Requirements and Troubleshoot common issues sections but are still experiencing problems, please contact support.