The Trend Vision One XDR-integrated remote shell lets you run commands directly from the XDR interface.
If you connect your agents and relays to the primary security update source via a proxy, remote shell automatically uses the same proxy settings.
Remote shell is available for agent version 20.0.0-2009 or later on Linux and Windows, and for agent version 20.0.0-173 or later on macOS. For details, see the supported commands table.

Requirements

Workload Security uses an IoT mechanism to transmit messages and events to XDR. If you need to restrict the URLs allowed in your environment, configure your firewall to include the Event Channel - XDR Activity Monitoring FQDNs from the Workload Security URLs table.

Start a remote shell session

You can start a remote shell session from either of the following:
  • From the Trend Vision One Search App: right-click the endpointHostName field in Search App events and select Start Remote Shell Session.
  • From the Trend Vision One Workbench (under XDR): right-click the server icon and select Start Remote Shell Session.

Supported commands

The following table lists currently supported remote shell commands by platform and agent version.
Note that later agent versions support the commands listed from prior agent releases on the same platform.
Each entry lists the command, its description, its syntax, and one or more examples, grouped by agent (DSA) version and platform.

Agent version 20.0.0-5512+ (Windows)

memdump
  Description: Create a process memory dump, available as an encrypted archive from the Trend Vision One console.
  Syntax: memdump [--ma] [--mm] --pid <pid>
    --ma: Create a full process memory dump.
    --mm: Create a mini process memory dump.
    --pid: Required. Specifies the process ID <pid>.
  Note: memdump does not support dumping system processes or creating dump files larger than 128MB.
  Example: memdump --mm --pid 1234

Agent version 20.0.0-182+ (macOS)

memdump
  Description: Create a process memory dump, available as an encrypted archive from the Trend Vision One console.
  Syntax: memdump --pid <pid>
  Example: memdump --pid 1234

cp
  Description: Copy a file or directory to a specific destination.
  Syntax: cp <source_object> <destination_object> [--force]
  Examples:
  • To copy the Finances directory in the current directory (/Users/<username>/Downloads) to /tmp and overwrite the existing directory:
    Downloads> cp Finances /tmp --force
  • To copy the example.txt file located in the /var directory to /tmp and overwrite the existing example.txt file:
    Downloads> cp /var/example.txt /tmp --force

get
  Description: Collect a specific file and upload it to Trend Vision One (maximum file size: 128MB).
  Syntax: get <file_location_and_extension>
  Examples:
  • To collect the example.txt file in the current directory (/Users/<username>/Downloads):
    Downloads> get example.txt
  • To collect the example.txt file in the /tmp directory:
    Downloads> get /tmp/example.txt

mkdir
  Description: Create a new directory.
  Syntax: mkdir <path>
  Examples:
  • To create the Finances directory in the current directory (/Users/<username>/Downloads):
    Downloads> mkdir Finances
  • To create the Finances directory in the /tmp directory:
    Downloads> mkdir /tmp/Finances

mv
  Description: Move a file or directory to a specific destination.
  Syntax: mv <source_object> <destination_object> [--force]
  Examples:
  • To move the Finances directory in the current directory (/Users/<username>/Downloads) to /tmp and overwrite the existing directory:
    Downloads> mv Finances /tmp --force
  • To move the example.txt file in the /var directory to the /tmp directory and overwrite the existing example.txt file:
    Downloads> mv /var/example.txt /tmp --force

rm
  Description: Delete a file or directory (including all sub-directories).
  Syntax: rm <source_object> [--force]
  Examples:
  • To delete the Finances directory in the current directory (/Users/<username>/Downloads):
    Downloads> rm Finances
  • To delete the example.txt file in the /var directory:
    Downloads> rm /var/example.txt

run
  Description: Execute a previously uploaded script.
  Syntax: run <script_name_and_extension> [arguments]
  Example: run demo.sh 1 "22 33" 44

zip
  Description: Compress a file or directory into a zip archive and optionally encrypt the archive with a password.
  Syntax: zip <source_object1> [<source_object2...> <source_objectn>] [--password <password>] [--force]
  Examples:
  • To zip the contents of the Finances directory in the current directory (/Users/<username>/Downloads) to "/tmp/directoryArchive.zip", set the password to "P@ssw0rd", and overwrite the existing file:
    Downloads> zip Finances /tmp/directoryArchive.zip --password P@ssw0rd --force
  • To zip the example.txt file in the /var directory to /tmp/exampleArchive.zip and overwrite the existing file:
    Downloads> zip /var/example.txt /tmp/exampleArchive.zip --force

kill
  Description: Terminate a running process.
  Syntax: kill <PID>
  Example: kill 1234

user info
  Description: List account properties.
  Syntax: user info <username>
  Example: user info john_doe

Agent version 20.0.0-173+ (macOS)

netstat
  Description: List network statistics and active connections.
  Syntax: netstat
  Example: netstat

cat
  Description: Output the content of the selected file (maximum size: 1MB).
  Syntax: cat <file_location_and_extension>
  Note: For <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.
  Examples:
  • To output the content of the example.txt file located in the current directory (/Users/<username>/Downloads):
    Downloads> cat example.txt
  • To output the content of the example.txt file located in the /tmp directory:
    Downloads> cat /tmp/example.txt

cd
  Description: Change the current working directory.
  Syntax: cd <path>
  Example: cd /Users

clear
  Description: Clear the screen.
  Syntax: clear
  Example: clear

env
  Description: List environment variables.
  Syntax: env
  Example: env

ls
  Description: List files and directories.
  Syntax: ls <path>
  Examples:
  • To list files and directories in the current directory (/Users/<username>/Downloads):
    Downloads> ls
  • To list files and directories located in the /tmp directory:
    Downloads> ls /tmp

ps
  Description: List running process information.
  Syntax: ps
  Example: ps

pwd
  Description: Display the current directory.
  Syntax: pwd
  Example: pwd

service list
  Description: List service information.
  Syntax: service list
  Example: service list

user list
  Description: List local user accounts.
  Syntax: user list
  Example: user list

ipconfig
  Description: Show network configuration.
  Syntax: ipconfig
  Example: ipconfig

fileinfo
  Description: List detailed file properties.
  Syntax: fileinfo <file_location_and_extension>
  Note: For <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.
  Examples:
  • To list the file properties of the example.txt file in the current directory (/Users/<username>/Downloads):
    Downloads> fileinfo example.txt
  • To list the file properties of the example.txt file located in the /tmp directory:
    Downloads> fileinfo /tmp/example.txt

systeminfo
  Description: List system information.
  Syntax: systeminfo
  Example: systeminfo

help
  Description: Display help information.
  Syntax: help
  Example: help

Agent version 20.0.0-2204+ (Windows, Linux)

netstat
  Description: List network connections.
  Syntax: netstat
  Example: netstat

ipconfig
  Description: Show network configuration.
  Syntax: ipconfig
  Example: ipconfig

fileinfo
  Description: List detailed file properties.
  Syntax: fileinfo <file_location_and_extension>
  Note: For <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.
  Examples:
  • To list the file properties of the example.txt file in the current directory (C:\Users\Administrator\Downloads):
    Downloads> fileinfo example.txt
  • To list the file properties of the example.txt file located in the C:\temp directory:
    Downloads> fileinfo C:\temp\example.txt

systeminfo
  Description: List system information.
  Syntax: systeminfo
  Example: systeminfo

scheduletasks
  Description: Show scheduled tasks.
  Syntax: scheduletasks
  Example: scheduletasks

reg query (Windows only)
  Description: List a registry key or value.
  Syntax: reg query <key> [--value=<value_name>]
  Examples:
  • To list the content of the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion registry key:
    C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
  • To list only the data for the value "Details" in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion registry key:
    C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion --value=Details

bashhistory (Linux only)
  Description: List the command/bash history (/root/.bash_history).
  Syntax: bashhistory
  Example: bashhistory

Agent version 20.0.0-2009+ (Windows, Linux)

cat
  Description: Output the content of the selected file (maximum size: 1MB).
  Syntax: cat <file_location_and_extension>
  Note: For <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.
  Examples:
  • To output the content of the example.txt file located in the current directory (C:\Users\Administrator\Downloads):
    Downloads> cat example.txt
  • To output the content of the example.txt file located in the C:\temp directory:
    Downloads> cat c:\temp\example.txt

cd
  Description: Change the current working directory.
  Syntax: cd <path>
  Note: For <path>, specify the absolute or relative path.
  Example: cd C:\

clear
  Description: Clear the screen.
  Syntax: clear
  Example: clear

env
  Description: List environment variables.
  Syntax: env
  Example: env

group list
  Description: List local group information.
  Syntax: group list
  Example: group list

help
  Description: Display help information.
  Syntax: help
  Example: help

ls
  Description: List files and directories.
  Syntax: ls <path>
  Note: For <path>, specify the absolute or relative path.
  Examples:
  • To list files and directories in the current directory (C:\Users\Administrator\Downloads):
    Downloads> ls
  • To list files and directories located in the C:\temp directory:
    Downloads> ls c:\temp

ps
  Description: List running process information.
  Syntax: ps
  Example: ps

pwd
  Description: Display the current directory.
  Syntax: pwd
  Example: pwd

service list
  Description: List service information.
  Syntax: service list
  Example: service list

user list
  Description: List local user accounts.
  Syntax: user list
  Example: user list

listenports
  Description: List listening ports.
  Syntax: listenports
  Example: listenports
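The run command hands its trailing arguments to the uploaded script, and the documented example run demo.sh 1 "22 33" 44 relies on the quoted argument arriving as a single parameter. The following is an added example of such a script, written for this page and not taken from the Trend Micro documentation or product. It assumes the agent invokes the script with a POSIX sh and passes the remote-shell arguments through as positional parameters; it prints each argument as received so the session transcript confirms the quoting, and it uses the 128MB get limit from the table to flag any listed file that is too large to collect with get.

```shell
#!/bin/sh
# demo.sh: constructed example for this page, not Trend Micro code.
# Invoked from the remote shell as:  run demo.sh 1 "22 33" 44
# Assumption: the agent runs this with a POSIX sh and the remote-shell
# arguments arrive as positional parameters ($1, $2, ...).

# Upload limit documented for the `get` command: 128MB.
GET_LIMIT_BYTES=$((128 * 1024 * 1024))

# Print the argument count and each argument on its own line, wrapped in
# <>, so the transcript shows that "22 33" arrived as one parameter.
show_args() {
    printf 'argc=%d\n' "$#"
    i=1
    for a in "$@"; do
        printf 'arg[%d]=<%s>\n' "$i" "$a"
        i=$((i + 1))
    done
}

# Size of a regular file in bytes (wc -c is portable); fails if not a file.
file_size() {
    [ -f "$1" ] || return 1
    wc -c < "$1" | tr -d ' '
}

# Succeeds if the file exists and is within the documented `get` limit.
fits_get_limit() {
    size=$(file_size "$1") || return 1
    [ "$size" -le "$GET_LIMIT_BYTES" ]
}

show_args "$@"
# Treat each argument that names an existing file as a collection candidate.
for f in "$@"; do
    if [ -f "$f" ]; then
        if fits_get_limit "$f"; then
            printf '%s: %s bytes, collectable with get\n' "$f" "$(file_size "$f")"
        else
            printf '%s: exceeds the 128MB get limit\n' "$f"
        fi
    fi
done
```

After uploading the script, a call such as run demo.sh /tmp/example.txt "name with space.txt" lists each argument as the script received it and reports, for every argument that is an existing file, whether it can be fetched with get before you spend a collection on it.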

Troubleshoot common issues

To troubleshoot common issues with the remote shell, check the following settings in your Workload Security console:

Trend Vision One (XDR) settings

In the Trend Vision One (XDR) tab (Administration > System Settings > Trend Micro Vision One (XDR)), make sure that:
  • Enrollment status is Registered.
  • Forward security events to Trend Vision One is selected.
If Enrollment status is not Registered, you need to Register with Trend Vision One (XDR).

Security module settings for your computer(s)

In the Activity Monitoring tab for your computer(s) (Computers > right-click or double-click the computer > Details > Activity Monitoring > General), make sure Configuration is set to On or Inherited (On).
You can also enable Activity Monitoring for computers by enabling it in the policy assigned to them. From the Policies tab, double-click the policy you want to enable Activity Monitoring for, go to Activity Monitoring > General, and make sure that Activity Monitoring State is set to On.
If you have checked the Requirements and Troubleshoot common issues sections but are still experiencing problems, contact support.