Respond to Threats on a Machine with Remote Shell

When you are remediating MalOps in your environment, you have several options, including stopping a process, quarantining a file, or changing a registry value. In many incidents, however, you need more thorough and specific remediation actions. For cases like this, you can use the Remote Shell utility. This utility enables you to:

  • Connect to a specific machine

  • Run select PowerShell commands for response and remediation

  • Perform additional investigation as needed

This utility is supported on:

  • Windows machines running Windows 7 or higher

  • Any supported version of MacOS

  • Any supported version of Linux

Note

Use of the Remote Shell utility on MacOS and Linux machines is not generally available. Contact your Customer Success Manager to get access to these features.


When should you use the Remote Shell?

The Remote Shell utility enables analysts to perform a set of live actions on a machine with a Cybereason Sensor to assist in response and remediation of malicious activity. This utility can also be used for investigation on a single machine.

The utility aims to improve the workflow in three main areas of the incident lifecycle:

  • Triage: When planning the response or remediation for a MalOp, you may lack details about the relevance of the MalOp or about the Elements it includes. This utility enables you to access the machines involved in the MalOp and collect those details.

  • Remediation: The utility provides analysts with additional response capabilities beyond the existing, out-of-the-box remediation features. For example, with the Remote Shell utility you can remove a service associated with malicious activity both from the registry and from the service database.

  • Investigation: While you are investigating malicious activity, you may need additional context around an incident. Use this utility to discover and collect additional information on a machine. In addition, you can collect information that the Cybereason platform does not surface as process data, such as registry data for non-autorun entries.
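As an added example (not part of the Cybereason documentation), the following Windows PowerShell 5.1 functions show the triage-then-remediation sequence the list above describes for a malicious service: collect its service-database and registry records plus the hash of its binary, then remove it from both places. The service name is a placeholder you take from the MalOp; sc.exe is used for the deletion because Remove-Service does not exist in PowerShell 5.1.

```powershell
# Added example, not Cybereason's own code. Windows PowerShell 5.1; run from the
# Remote Shell in a mode that permits these cmdlets. $ServiceName is a placeholder
# for the service identified in the MalOp.

function Get-ServiceTriage {
    # Collect evidence from both the service database and the registry before changing anything.
    param([Parameter(Mandatory)][string]$ServiceName)

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found in the service database." }

    # The Services registry key is the persistence record; it is not exposed as process data.
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

    # Strip quotes and arguments from PathName so the hash is taken over the binary itself.
    $exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $hash = if ($exe -and (Test-Path -LiteralPath $exe)) {
        (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        Name = $svc.Name; DisplayName = $svc.DisplayName; State = $svc.State
        StartMode = $svc.StartMode; RunAs = $svc.StartName; ProcessId = $svc.ProcessId
        PathName = $svc.PathName; BinaryPath = $exe; SHA256 = $hash
        RegImagePath = $reg.ImagePath; RegStart = $reg.Start
    }
}

function Remove-MaliciousService {
    # Stop the service, delete it from the service database, then remove its registry key.
    param([Parameter(Mandatory)][string]$ServiceName)

    # Emit the triage record into the session output first; the server keeps it in its logs.
    Get-ServiceTriage -ServiceName $ServiceName | Format-List | Out-String | Write-Output

    if ((Get-Service -Name $ServiceName).Status -eq 'Running') {
        Stop-Service -Name $ServiceName -Force -ErrorAction Stop
    }
    # sc.exe delete works on PowerShell 5.1 (Remove-Service only exists in PowerShell 6+).
    & sc.exe delete $ServiceName | Out-Null

    # Remove the key so the entry is not picked up again from the registry on reboot.
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (Test-Path -LiteralPath $regPath) { Remove-Item -LiteralPath $regPath -Recurse -Force }

    # Verify that both records are gone.
    [pscustomobject]@{
        Service     = $ServiceName
        InServiceDb = [bool](Get-CimInstance Win32_Service -Filter "Name='$ServiceName'")
        InRegistry  = Test-Path -LiteralPath $regPath
    }
}
```

Run Get-ServiceTriage first and review the output before calling Remove-MaliciousService, since the deletion cannot be undone from the shell.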

This feature is disabled by default. Contact Technical Support to configure your server and Sensors to support this feature.

Remote Shell utility requirements

To use the Remote Shell utility, you must meet the following requirements:

Requirement

Details

Operating system

A sensor installed on a machine running Windows 7 or higher or any supported version of Linux.

Required packages

If you use the Remote Shell on a Linux machine, ensure that /bin/bash is installed on the machines.

PowerShell version

The Remote Shell utility supports different PowerShell versions depending on the Remote Shell mode you select.

  • If you use Secure mode, the machine where the sensor is installed must have PowerShell version 5.1 or higher. On some Windows operating systems, the default PowerShell version is earlier than 5.1; in that case, manually upgrade to PowerShell 5.1 or a later version.

  • If you use Unrestricted mode, you can use PowerShell version 2 and later.

Cybereason role

A user admin must assign you one of the following roles:

  • Responder L1

  • Responder L2

  • Local Responder and Local Analyst roles (available in environments with sensor grouping enabled).

If you remove the relevant Responder role for a user, this update takes effect only after the Remote Shell utility session ends.

Users with the System Admin role can view the logs containing the PowerShell commands and responses.

Sensor Configuration

Update the sensor using these steps:

  1. Contact Technical Support to set the Remote Shell configuration on your server and sensors and enable Unrestricted mode if needed.

  2. Set the Set remote shell mode option in the Assets > Endpoints screen for each machine on which you want to use the Remote Shell utility.

Sensor configuration options for Remote Shell

Network connection

Ensure that the machine's network is not set to Public. Due to PowerShell limitations, the Remote Shell in Restricted mode does not work if the machine's network is set to a Public network.

Note

If you perform any updates for a user, such as changing their role or enabling Remote Shell for the server or for a sensor, the user must refresh their browser window to see the Remote Shell button and use the Remote Shell utility.

Remote Shell security safeguards

As the Remote Shell feature enables you to perform operations directly on a machine in your environment and change information on that machine, Cybereason has added certain safeguards to ensure your machines, servers, and environment are kept safe from inappropriate use of the utility.

Safeguard

Description

Configuration

When preparing your sensors and server to use the Remote Shell utility, the following configuration applies:

  • Technical Support must configure your sensors and server to use the Remote Shell.

  • When working with Technical Support, if there are machines with Cybereason sensors that you do not want the Remote Shell to access, Technical Support can exclude the sensor setting change on these machines, or you can manually disable this option in the Assets > Endpoints screen.

  • You must also configure access to each sensor from the Assets > Endpoints screen.

User Access

Only the users with the Responder L1, Responder L2, or Local Responder/Local Analyst roles have access to the Remote Shell utility.

Command Usage

In Restricted mode, the number of commands you can use is limited.

Machine Access from the Cybereason UI

If you perform any browser action while in a tab showing the Cybereason UI or have a period of inactivity, the connection between the Cybereason server and the machine is immediately terminated.

Assign the Responder role

Before you begin, ensure that a user admin for your Cybereason platform assigns one of the following roles:

  • Responder L1

  • Responder L2

  • Local Responder AND Local Analyst (available in environments with sensor grouping enabled)

Note

You cannot assign both a Local Responder or Local Analyst role and a Responder L1/L2 role to the same user. Additionally, users with the Local Responder role must also have the Local Analyst role assigned so they can access the screens needed to start a Remote Shell session.

User admins must enable two-factor authentication (TFA) for users who need to use the Remote Shell utility in Unrestricted mode.

Note

If your Cybereason user account is set to use SSO, the option to enable two-factor authentication (TFA) is not available.

Use the Remote Shell utility

You can access the Remote Shell utility from the Malop Details or Element Details screens. The utility opens in its own window, which provides a shell interface on the selected machine. The utility is designed to replicate the user experience of the PowerShell IDE that is commonly used for incident response.

  1. Ensure that the Remote Shell utility is enabled on your servers and sensors. Contact Technical Support to set the Remote Shell configuration for your server and make sure you enable the Remote Shell on individual sensors in the System > Sensors screen.

    Note

    If you want to use Unrestricted mode for Remote Shell, you must first enable Remote Shell utility and then enable Unrestricted mode separately. Open a support ticket with Technical Support to enable the Remote Shell utility and Unrestricted mode.

  2. Log out and log in to the Cybereason platform using two-factor authentication.

  3. If needed, isolate the machine for remediation. For details on isolation, see Isolate Machines.

  4. In the Malop Details or Investigation screens, click Remote Shell.

    Open the Remote Shell utility

  5. In the Remote Shell utility dialog box, in the dropdown list, select the machine.

    Choose a machine for the Remote Shell utility

    An individual machine with a sensor can have one Remote Shell connection active at a time. However, as an analyst on the Cybereason platform, you can open multiple Remote Shell utility sessions for multiple machines.

    Note

    Offline machines are greyed out in the dialog.

  6. At the bottom of the dialog, in the Select the Remote Shell mode section, select the mode to use:

    Options to select the Remote Shell mode.

  7. If you selected Unrestricted mode, enter your two-factor authentication code.

    Note

    If your user administrator has enabled SSO for your user account, you do not need to enter a two-factor authentication code, and the field for entering the code is not displayed.

  8. The Remote Shell command line utility opens:

    The Remote Shell command window

    Note

    Depending on your available network bandwidth, the start of the Remote Shell session on the machine may take a few seconds. In environments with low bandwidth, this session start may take more than 15 seconds.

    By default, the command line begins at C:.

    If there are errors, view the error message at the top of the Remote Shell window for details.

  9. Enter PowerShell commands as needed to perform remediation and investigation.

    When running the Remote Shell utility in Restricted mode, you can run only selected commands. For details on the supported commands, see Supported Commands for Remote Shell.

    The Remote Shell command window with a command

    When running the Remote Shell utility in unrestricted mode, you can run any commands.

    Your Cybereason WebApp server saves a record of all commands used and their responses to the server logs. Users with the System Admin role can retrieve these logs after a session is complete. Sensor logs record any connections to the machine from the Remote Shell utility and system changes such as file modifications.

    Note

    The commands and logs of the commands are not localized.

    On some Linux operating systems, certain CTRL key combinations (such as CTRL-C and CTRL-V) are not supported in the Remote Shell utility that runs in your browser.

    Your server also adds the Remote Shell session to the syslog.

  10. After you have finished, click End Session to disconnect from the utility. The connection displays as offline and you can navigate to other parts of the Cybereason UI as needed.

    If you perform other common browser operations, such as closing the browser tab or window, navigating to the previous screen or a different URL, or navigating to another part of the Cybereason UI, your Cybereason server prompts you if you want to end the session.

  11. If the machine or utility loses connection during the session, click Reconnect to reestablish the connection. You must manually initiate the reconnection as your Cybereason server will not automatically try to reconnect.

    If the session ends due to a network disconnection, it may take up to 5 minutes to reestablish a new session with the specific machine.

    Note

    If there is no activity on the Remote Shell utility for 5 minutes, your Cybereason server ends the Remote Shell utility session.

    Reconnect the utility to the machine

Remote Shell utility window

The Remote Shell utility window provides many options to assist your remediation efforts. Use any of these options to help you investigate a given machine:

Area

Description

Status bar

Shows session details, including the name of the machine to which the utility is connected and the status of the connection and utility.

You can click the machine name in the status bar to close or reopen a session.

Command line interface

The area to enter commands to run on the remote machine.

This window supports standard PowerShell command line shell text entry. In addition, the utility enables you to cut and paste commands from other windows on your machine.

As you type and receive responses, the utility saves the history of the commands used and the responses. If the connection to the machine stops, the utility keeps the history until you reconnect and close the window.

Element details

The Remote Shell window displays a number of details about the machine and the sensor, including:

  • Machine properties

  • Data on what is happening on the machine. This includes the number of users, processes, services, drivers, registry entries, and logon sessions currently on the machine.

  • Device properties for the machine

  • Sensor property information

This information is collected by your Detection Servers, not by the Remote Shell utility.

Session management toolbar

Enables you to manage the remote session.

If the connection or the utility disconnects, click Reconnect to try to reestablish the connection.

Click End Session to end the session, close the utility, and end the connection to the remote machine.

Remote Shell usage errors

Since the Remote Shell utility uses a remote connection from your Cybereason server to a machine, you may encounter errors when using this utility. The utility displays these errors in the header of the utility window; use the workarounds below to continue working with the utility.

Connection to remote machine unexpectedly terminated

  Cause: The sensor is not connected to the network.

  Workaround: Ensure that your sensor is running correctly and connected to your network.

Remote PowerShell utility unexpectedly terminated

  Cause: The Remote Shell utility crashed or exited.

  Workaround: Click Reconnect to reestablish the connection, or restart your sensor.

Failed connecting to remote machine

  Cause: The Remote Shell utility did not start.

  Workaround: Click Reconnect again.

The probe on the remote machine cannot support the requested operation or initialize the connection

  Cause: One of the following:

  • Your sensor is an older sensor version that does not support this Remote Shell version

  • The Remote Shell feature is disabled in the sensor configuration

  Workaround: Do one of the following, depending on the cause:

  • Upgrade your sensor to the newest version

  • Contact Technical Support for assistance with the sensor configuration

The Remote machine is unreachable

  Cause: The Remote Shell utility could not connect to the sensor machine.

  Workaround: Verify that your sensor is running correctly and connected to the network.

Session already open against this endpoint

  Cause: The sensor already has an active Remote Shell utility session open for the machine.

  Workaround: Wait until the previous session finishes and try again.

Internal server error

  Cause: The server encountered an error opening a Remote Shell session to the machine.

  Workaround: Click Reconnect to reestablish the session.

Remote Shell utility screen closed after 5 minute threshold of inactivity

  Cause: There was no interaction between your Cybereason server and the Remote Shell utility for at least five minutes.

  Workaround: Click Reconnect to reestablish the connection.