Run Remote Custom Script Task

Execute a PowerShell or Bash script on a target endpoint during an investigation.

Remote custom scripts allows Master Administrator and Security Analyst roles to directly access target endpoints to run a previously uploaded PowerShell and Bash script files.

Important:

The following recommendations apply only to PowerShell scripts executed on Windows endpoints:

  • The target endpoint's PowerShell execution policy must be set to RemoteSigned, otherwise the script may be blocked. RemoteSigned is the default execution policy.

  • Trend Micro recommends you configure the PowerShell session language mode to FullLanguage, otherwise the script may be blocked. FullLanguage is the default language mode for default sessions on all versions of Windows except for Windows RT.

  • The script file must not include interactive functions. Because scripts run in silent mode, interactive functions will cause scripts to time out.

To learn more about the above settings, please consult the Microsoft PowerShell official documentation site.

  1. After identifying the endpoint to investigate, access the context or response menu and click Run Remote Custom Script.

    The Run Remote Custom Script Task screen appears and Trend Micro Vision One attempts to connect to the endpoint.

    Note:

    Trend Micro Vision One only permits you to execute one custom script file per session. The target endpoint must be online in order to connect successfully.

  2. Select the previously uploaded custom script file from the drop-down list.

    To add a new custom script, click the Go to Custom Scripts management link to open the Response Management app in a new browser tab. Click the Custom Scripts tab and upload the new script before continuing.

  3. (Optional) Specify the arguments that are added onto the script during script execution.
    Note:

    You can specify a maximum of 8,000 characters.

  4. (Optional) Specify a Description for the response or event.
  5. Click Create.

    Trend Micro Vision One creates the task and displays the current command status on the Response Management app.

  6. Monitor the task status.
    1. Open the Response Management app.
    2. (Optional) Locate the task using the Search field or by selecting Run Remote Custom Script from the Action drop-down list.
    3. View the task status.
      • In progress... (): Trend Micro Vision One sent the command to the managing server and is waiting for a response

      • Successful (): The managing server successfully received the command

      • Unsuccessful (): An error or time-out occurred when attempting to send the command to the managing server, the Security Agent is offline for more than 12 hours, or the command execution timed out

    4. Click the Task ID to open the Details panel and Download the session history.
      Note:

      Use an external decompression program (such as 7-zip) to extract the file contents.