Execute a PowerShell or Bash script on a target endpoint during an investigation.

Remote custom scripts allow Master Administrators and Security Analysts to directly access target endpoints and run previously uploaded PowerShell and Bash script files.
The following services can run this task:
  • TrendAI Vision One™
    • Linux agent
    • macOS agent
    • Windows agent
  • Cloud One - Endpoint & Workload Security
    • Linux agent
    • macOS agent
    • Windows agent
Important
For PowerShell scripts executed on Windows endpoints:
  • The target endpoint PowerShell execution policy must be set to RemoteSigned, otherwise the script may be blocked. RemoteSigned is the default execution policy.
  • TrendAI™ recommends configuring the PowerShell session language mode to FullLanguage, otherwise the script may be blocked. FullLanguage is the default language mode for default sessions on all versions of Windows except for Windows RT.
  • The script file must not include interactive functions. Scripts run in silent mode, and interactive functions cause scripts to time out.
  • For an example of a signed script, see Sample signed PowerShell script.
  • Do not execute scripts that run processes in the GUI. Security issues may occur when displaying windows in the user session.
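The constraints above (RemoteSigned policy, FullLanguage mode, no prompts, no GUI) shape how a response script should be written. The following PowerShell triage script is an added example, not part of this page or the product's own scripts; it records those conditions in its output before doing its work, and its parameter names and the process lookup it performs are assumptions chosen for illustration:

```powershell
# Added example of a response script shaped for the Run Remote Custom Script task;
# not part of the original page. Parameter names and the triage step are assumptions.
[CmdletBinding()]
param(
    # Do not mark parameters Mandatory: a missing value makes PowerShell prompt
    # for it, and any prompt makes the silent task time out.
    [string]$ProcessName = 'svchost',
    [int]$TopN = 5
)

# Never prompt or draw on the host: fail fast and silence progress bars.
$ErrorActionPreference = 'Stop'
$ProgressPreference    = 'SilentlyContinue'

# Pre-flight: record the conditions the task requires so a blocked or partial run
# is explainable from the session history instead of showing only a time-out.
$preflight = [ordered]@{
    Host            = $env:COMPUTERNAME
    TimestampUtc    = (Get-Date).ToUniversalTime().ToString('o')
    ExecutionPolicy = (Get-ExecutionPolicy).ToString()
    LanguageMode    = $ExecutionContext.SessionState.LanguageMode.ToString()
    UserInteractive = [Environment]::UserInteractive
}
if ($preflight.LanguageMode -ne 'FullLanguage') {
    Write-Output ("PRECHECK FAILED: language mode is {0}; FullLanguage is required" -f $preflight.LanguageMode)
    exit 2
}

try {
    # Triage step: instances of the named process with parent, image path and
    # command line, emitted as compact JSON so the session history is parsable.
    $procs = Get-CimInstance Win32_Process |
        Where-Object { $_.Name -ieq "$ProcessName.exe" } |
        Select-Object -First $TopN ProcessId, ParentProcessId, ExecutablePath, CommandLine
    [pscustomobject]@{
        Preflight = $preflight
        Processes = @($procs)
    } | ConvertTo-Json -Depth 4 -Compress
    exit 0
}
catch {
    # Errors go to standard output too, so they land in the downloadable session history.
    Write-Output ("ERROR: {0}" -f $_.Exception.Message)
    exit 1
}
```

Upload the file under Custom Scripts and pass arguments in step 3 of the procedure, for example `-ProcessName lsass -TopN 3`; the exit code distinguishes a blocked run (2) from a runtime error (1).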

Procedure

  1. Right-click the endpoint you want to investigate, and select Run Remote Custom Script from the context menu. You can execute only one custom script file per session. The target endpoint must be online to connect successfully.
    The Run Remote Custom Script Task screen appears and TrendAI Vision One™ attempts to connect to the endpoint.
  2. Select a custom script file. To add a new custom script, go to Custom Scripts on the Response Scripts tab and click Add script to upload a new script file.
    Note
    The maximum file size for this task depends on the agent version installed on the target endpoint:

    OS       Agent version             Maximum file size
    Linux    Before 20.0.2.29760       128 MB
             20.0.2.29760 and later    4 GB
    Windows  Before 20.0.2.29760       128 MB
             20.0.2.29760 and later    4 GB
  3. Specify the arguments to be passed to the script during execution. You can specify a maximum of 8,000 characters.
  4. Specify a Description for the response or event.
  5. Click Create.
    TrendAI Vision One™ creates the task and displays the current task status in Response Management.
  6. Monitor the task status.
    1. Go to Workflow and Automation > Response Management.
    2. To locate the task, use the search bar or select Run Remote Custom Script from the Action drop-down list.
    3. View the task status.
      • In progress: TrendAI Vision One™ sent the command and is waiting for a response.
      • Successful: The command was successfully executed.
      • Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server, the Security Agent was offline for more than 12 hours, or the command execution timed out.
    4. Click the Task ID to display task details and Download the session history. Use a file archiver to extract and decompress the file contents.