Views:
Directly access an endpoint during an investigation to execute commands in the command-line interface (CLI), manage the registry, files, services, or startup apps, or run a custom script.
  • Only users with the Master Administrator or Security Analyst role can access the remote access response.
  • You must upgrade the endpoint to agent version 1.2.0.6734 or later to use remote access.
  • The target endpoint must be online to connect.
  • Trend Vision One only permits 10 concurrent remote shell sessions per company and does not allow multiple to access the same endpoint concurrently.
  • Trend Vision One limits you to one custom script file per session.
  • Changes made in one window may not appear in another. Each window displays its own static view of the file system. To display the latest data, click resendCommand=GUID-47F93E03-99D1-49B4-95D0-C6D07F10B592=1=en-us=Low.jpg.
The following services support this task:
  • Trend Vision One
    • Windows agent

Procedure

  1. In Workbench, XDR Data Explorer, or Observed Attack Techniques, right-click on an endpoint and select Start remote access session then click Create.
    If Trend Vision One cannot establish a session within five minutes, the connection times out. A session automatically ends after two hours and automatically times out after 10 minutes of inactivity.
  2. Use the remote access navigation bar to perform the corresponding tasks:
    remote-access-nav-bar=19435bad-22e5-473b-9389-a5caf284f2e7.png
    Some windows may load slowly when displaying a large amount of data.
  3. If you need to move, resize, or close the window, adjust the window.
  4. When your session is complete, click End session. Terminating the connection may take a few minutes.

Execute remote shell commands Parent topic

For a list of commands, see Remote Shell Commands for Windows Endpoints.

Procedure

  1. Click Terminal on the navigation bar.
  2. Begin typing. Auto-complete provides command suggestions.
    • Press Tab to use the auto-complete-suggested command.
    • Press Alt+Up arrow key to display the previous suggestion.
    • Press Alt+Down arrow key to display the next suggestion.

Edit the registry Parent topic

Procedure

  1. Click Registry editor on the navigation bar.
  2. Expand the folders to see a list of registry keys and name-values.
  3. Right-click on the registry key or name-value and select one of the following actions:
    • Delete
    • Copy

Explore files, folders, and hard disks Parent topic

Procedure

  1. Click File explorer icon on the navigation bar.
  2. Expand the folders to see a list of files and folders. You can also directly type in the path.
    • Click to go to the previous file path.
    • Click to go to the next file path.
  3. Right-click on a file or folder and select one of the following actions:
    • Delete
    • Compress
    • Collect file

Manage processes Parent topic

Procedure

  1. Click Task manager icon on the navigation bar.
  2. Click Processes icon on the Task Manager menu.
  3. If you want to filter the list, type in the filter box.
  4. Right-click on a process and select one of the following actions:
    • Terminate
    • Copy image path
    • Create dump
      • Full
      • Mini
    • Collect file

Manage services Parent topic

Procedure

  1. Click Task manager icon on the navigation bar.
  2. Click Services icon on the Task Manager menu.
  3. If you want to filter the list, type in the filter box.
  4. Right-click on a service and select one of the following actions:
    • Start
    • Stop
    • Delete

View a list of users Parent topic

Procedure

  1. Click Task manager icon on the navigation bar.
  2. Click Users icon on the Task Manager menu.
  3. If you want to filter the list, type in the filter box.

Manage startup apps Parent topic

Procedure

  1. Click Task manager icon on the navigation bar.
  2. Click Startup apps icon on the Task Manager menu.
  3. Right-click on a startup app and select one of the following actions:
    • Disable, if enabled
    • Enable, if disabled
    • Delete

Run a custom script Parent topic

Procedure

  1. Click Custom scripts icon on the navigation bar.
  2. Click Run for the script you want to run.
    Trend Vision One limits you to one custom script file per session.

Monitor the status of a task Parent topic

When you have a new notification, a red dot appears on the notifications icon.

Procedure

  1. Click Notifications icon on the navigation bar.
  2. Review information about a task including ID, status, action, target, and updated date.

Adjust the window Parent topic

If you close the window before ending the session, the connection to the endpoint times out after 10 minutes.

Procedure

  • Click and hold the title bar to move the window.
  • Click and hold a corner to resize the window
  • Click Minimize icon to minimize the window.
  • Click Maximize icon to maximize the window.
  • Click Close window icon to close the window
  • Right-click the icon in the navigation bar to redisplay a minimized window.
  • Right-click the navigation bar and select Close all windows to close remote access windows. This does not end the session.