Directly access an endpoint during an investigation to execute commands in the command-line interface (CLI), manage the registry, files, services, or startup apps, or run a custom script. You can view file, process, and service properties.
  • Only users with the Master Administrator or Security Analyst role can access the remote access response.
  • If your organization enforces multi-factor authentication (MFA), you may encounter additional prompts when starting a remote access session, even if you already logged in using MFA.
  • You must upgrade the endpoint to agent version 1.2.0.6734 or later to use remote access.
  • The target endpoint must be online to connect.
  • Changes made in one window may not appear in another. Each window displays its own static view of the file system. To display the latest data, click the resend command icon.
The following services support this task:
  • Trend Vision One
    • Windows agent

Procedure

  1. In Workbench, XDR Data Explorer, or Observed Attack Techniques, right-click an endpoint and select Start remote access session, then click Create.
  2. Use the remote access navigation bar to perform the tasks described in the following sections.
  3. If you need to move, resize, or close the window, adjust the window.
  4. When your session is complete, click End session. Terminating the connection may take a few minutes.

Execute remote shell commands

The remote session uses the system’s ANSI code page for character encoding. If you encounter issues with special characters in command output, verify the code page settings. You can check the current code page using chcp in the Terminal.
For a list of commands, see Remote Shell Commands for Windows Endpoints.

Procedure

  1. Click Terminal on the navigation bar.
  2. Begin typing. Auto-complete provides command suggestions.
    • Press Tab to use the auto-complete-suggested command.
    • Press Alt+Up arrow key to display the previous suggestion.
    • Press Alt+Down arrow key to display the next suggestion.
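
The code page note at the start of this section, illustrated as an added Python example (not Trend Micro code) that an analyst can run on captured output. It assumes a console tool wrote its output in OEM code page 850 while the session decoded it as ANSI code page 1252; both code pages and all sample strings are constructed.

```python
# Added example: shows how a code page mismatch garbles special characters
# and when the damage can be undone. All inputs are constructed samples.

ANSI_CP = "cp1252"  # assumption: ANSI code page the session decodes with
OEM_CP = "cp850"    # assumption: OEM code page the tool wrote its output in


def seen_in_session(text, tool_cp=OEM_CP, session_cp=ANSI_CP):
    """Simulate output written in tool_cp but decoded as session_cp."""
    return text.encode(tool_cp).decode(session_cp, errors="replace")


def repair(garbled, tool_cp=OEM_CP, session_cp=ANSI_CP):
    """Reverse the wrong decode. Return None when information was lost."""
    if "\ufffd" in garbled:
        # A byte had no mapping in session_cp, so the original is gone.
        return None
    try:
        return garbled.encode(session_cp).decode(tool_cp)
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None


def decode_candidates(raw, code_pages=("cp1252", "cp850", "cp437", "utf-8")):
    """Decode the same raw bytes under several code pages for comparison."""
    return {cp: raw.decode(cp, errors="replace") for cp in code_pages}


if __name__ == "__main__":
    for name in ("whoami", "Café", "Müller"):
        shown = seen_in_session(name)
        print(f"{name!r} -> shown as {shown!r} -> repaired {repair(shown)!r}")
    for cp, text in decode_candidates(b"Caf\x82").items():
        print(f"{cp:7} {text!r}")
```

ASCII output is unaffected, so the mismatch only shows up in names, paths, or messages with accented or non-Latin characters. Byte 0x81 (ü in code page 850) has no mapping in Python's cp1252 table, so that sample cannot be recovered from the displayed text.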

Start a PowerShell session

Use PowerShell commands in Terminal for advanced process and service management. PowerShell support requires sensor version 1.2.0.7123 or later. The PowerShell executable path is C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe.

Procedure

  1. Click Terminal on the navigation bar.
  2. Enter help.
  3. Confirm that powershell appears in the list of supported commands. If it does not, PowerShell is not available on that endpoint.
    Tip
    Type help to display a list of currently available commands.
  4. Enter powershell.
    The command prompt changes to PS C:\>.
    If the message "Security check is not supported. Please contact your administrator" appears, run the ParseInput command on the target endpoint in the PowerShell session.

Edit the registry

Procedure

  1. Click Registry editor on the navigation bar.
  2. Expand the folders to see a list of registry keys and name-values.
  3. Right-click on the registry key or name-value and select one of the following actions:
    • Delete
    • Copy

Explore files, folders, and hard disks

Procedure

  1. Click the File explorer icon on the navigation bar.
  2. Expand the folders to see a list of files and folders. You can also directly type in the path.
    • Click to go to the previous file path.
    • Click to go to the next file path.
  3. Right-click on a file or folder and select one of the following actions:
    • Delete
    • Compress
    • Collect file
    • Properties
      Properties in File Explorer are read-only. You cannot modify these attributes.

Manage processes

Procedure

  1. Click the Task manager icon on the navigation bar.
  2. Click the Processes icon on the Task Manager menu.
  3. If you want to filter the list, type in the filter box.
  4. Right-click on a process and select one of the following actions:
    • Terminate
    • Copy image path
    • Create dump
      • Full
      • Mini
    • Collect file
    • Properties

Manage services

Procedure

  1. Click the Task manager icon on the navigation bar.
  2. Click the Services icon on the Task Manager menu.
  3. If you want to filter the list, type in the filter box.
  4. Right-click on a service and select one of the following actions:
    • Start
    • Stop
    • Delete
    • Properties

View a list of users

Procedure

  1. Click the Task manager icon on the navigation bar.
  2. Click the Users icon on the Task Manager menu.
  3. If you want to filter the list, type in the filter box.

Manage startup apps

Procedure

  1. Click the Task manager icon on the navigation bar.
  2. Click the Startup apps icon on the Task Manager menu.
  3. Right-click on a startup app and select one of the following actions:
    • Disable, if enabled
    • Enable, if disabled
    • Delete

Run a custom script

Procedure

  1. Click the Custom scripts icon on the navigation bar.
  2. Click Run for the script you want to run.
    Trend Vision One limits you to one custom script file per session.

Monitor the status of a task

When you have a new notification, a red dot appears on the notifications icon.

Procedure

  1. Click the Notifications icon on the navigation bar.
  2. Review information about a task, including ID, status, action, target, and updated date.

Adjust the window

If you close the window before ending the session, the connection to the endpoint times out after 10 minutes.

Procedure

  • Click and hold the title bar to move the window.
  • Click and hold a corner to resize the window.
  • Click the Minimize icon to minimize the window.
  • Click the Maximize icon to maximize the window.
  • Click the Close window icon to close the window.
  • Right-click the icon in the navigation bar to redisplay a minimized window.
  • Right-click the navigation bar and select Close all windows to close remote access windows. This does not end the session.