Remote Shell Utility Use-Case - Unrestricted Mode

The following is a sample use case for how to use the Remote Shell utility in Unrestricted mode. The Remote Shell utility enables you to respond to and remediate malicious activity and MalOps on a single machine.

As an analyst, you want to download a script from the internet and run it using the Remote Shell.

Starting from the Cybereason UI, from the MalOp Details screen, you click Remote Shell. You are then prompted to select your machine:

Choose a machine for the Remote Shell utility

You also enter your two-factor authentication code.

The Remote Utility screen opens directly in the Cybereason platform screen.

At first, the command line window is empty, without a cursor. This is because your Cybereason server is establishing the connection between itself and the machine and the connection:

The Remote Shell command window

Once the status at the top of the window changes to Online, the cursor appears and the command line is ready to use.

The Remote Shell command window

To download the script, you run the following command:

Invoke-WebRequest -Uri $url -OutFile $output" (For example : Invoke-WebRequest -Uri "https://www.robvanderwoude.com/files/memory_ps.txt" -OutFile "script.ps1

In addition, you run the following command to enable script execution (a PowerShell requirement):

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Then, you run the downloaded script using regular PowerShell execution. The script runs and the results return automatically.

If necessary, you can run the following command to block script execution when you are finished:

Set-ExecutionPolicy Restricted

In addition, you would like to take a memory dump from the machine to investigate more. Run the following command:

Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 6840 c:\\Temp\\my_dump_file.bin mini

The Remote Shell utility performs the memory retrieval and saves the information to the specified file (my_dump_file.bin).