Use the available remote shell commands to investigate Windows endpoints.

Note: When specifying a file location, be aware that UNC paths are not supported.

Each entry below gives the command, its description, its syntax, one or more examples, and the product the command is supported on.
cat
  Description: Output the content of the selected file (max size 1MB)
  Syntax: cat <file_location_and_extension>
  Note: For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.
  Examples:
    • To output the content of the example.txt file located in the current directory (C:\Users\Administrator\Downloads):
      Downloads>cat example.txt
    • To output the content of the example.txt file located in the C:\temp directory:
      Downloads>cat c:\temp\example.txt
  Supported on: XDR Endpoint Sensor

cd
  Description: Change the current working directory
  Syntax: cd <path>
  Note: For the <path>, specify the absolute or relative path.
  Example: cd C:\
  Supported on: XDR Endpoint Sensor

clear
  Description: Clear the screen
  Syntax: clear
  Example: clear
  Supported on: XDR Endpoint Sensor

cp
  Description: Copy a file or directory to a specific destination
  Syntax: cp <source_object> <destination_object> [--force]
  Note:
    • For the <source_object> and <destination_object>, specify the absolute or relative path to the directory, the file name, and the file extension (if required).
    • Use the --force parameter to overwrite existing objects.
  Examples:
    • To copy the Finances directory in the current directory (C:\Users\Administrator\Downloads) to C:\example and overwrite the existing directory:
      Downloads>cp Finances C:\example --force
    • To copy the example.txt file in the directory C:\Users\Administrator\Downloads to C:\temp and overwrite the existing example.txt file:
      Downloads>cp C:\Users\Administrator\Downloads\example.txt C:\temp --force
  Supported on: XDR Endpoint Sensor

env
  Description: List environment variables
  Syntax: env
  Example: env
  Supported on: XDR Endpoint Sensor

fileinfo
  Description: List detailed file properties
  Syntax: fileinfo <file_location_and_extension>
  Note: For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.
  Examples:
    • To list the file properties of the example.txt file in the current directory (C:\Users\Administrator\Downloads):
      Downloads>fileinfo example.txt
    • To list the file properties of the example.txt file located in the C:\temp directory:
      fileinfo C:\temp\example.txt
  Supported on: XDR Endpoint Sensor
get
  Description: Collect a specific file and upload it to Trend Vision One
    Maximum file size: 4 GB
  Syntax: get <file_location_and_extension>
  Note:
    • For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.
    • This command does not support collecting protected Windows files.
  WARNING: Downloading suspicious samples may potentially harm your endpoint. Ensure that you take the necessary precautions before continuing. Trend Vision One automatically stores the collected samples in a password-protected ZIP archive.
  Examples:
    • To collect the example.txt file in the current directory (C:\Users\Administrator\Downloads):
      Downloads>get example.txt
    • To collect the example.txt file located in the C:\temp directory:
      get C:\temp\example.txt
    • To collect a protected Windows file in a System folder with write access, copy the file outside of the System folder with the cp command and then collect the copy with the get command.
  Supported on: XDR Endpoint Sensor
group list
  Description: List local group information
  Syntax: group list
  Example: group list

help
  Description: Display help information
  Syntax: help
  Example: help
  Supported on: XDR Endpoint Sensor

ipconfig
  Description: Display network configuration information
  Syntax: ipconfig
  Example: ipconfig
  Supported on: XDR Endpoint Sensor

kill
  Description: Terminate a running process
  Syntax: kill <PID>
  Important: You cannot use the kill command to terminate Trend Micro processes.
  Example: kill 1234
  Supported on: XDR Endpoint Sensor

listenports
  Description: List listening ports
  Syntax: listenports
  Example: listenports

ls
  Description: List the contents of a directory
  Syntax: ls [path]
  Note: For the optional [path], specify the absolute or relative path.
  Example: ls
  Supported on: XDR Endpoint Sensor
memdump
  Description: Create a process memory dump, available as an encrypted archive from the Trend Vision One console
  Syntax: memdump [--ma] [--mm] --pid <pid>
    --ma: Create a full process memory dump.
    --mm: Create a mini process memory dump.
    --pid: Required parameter to specify the process ID <pid>.
  Note: memdump does not support dumping system processes or creating dump files larger than 4GB.
  Example: memdump --mm --pid 1234
  Supported on: XDR Endpoint Sensor
mkdir
  Description: Create a new directory
  Syntax: mkdir <path>
  Note: For the <path>, specify the absolute or relative path.
  Examples:
    • To create the temporary directory in the current directory (C:\Users\Administrator\Downloads):
      Downloads>mkdir temporary
    • To create the temporary directory in the C:\temp directory:
      Downloads>mkdir C:\temp\temporary
  Supported on: XDR Endpoint Sensor

mv
  Description: Move a file or directory to a specific destination
  Syntax: mv <source_object> <destination_object> [--force]
  Note:
    • For the <source_object> and <destination_object>, specify the absolute or relative path to the directory, the file name, and the file extension (if required).
    • Use the --force parameter to overwrite existing objects.
  Examples:
    • To move the temporary directory in the current directory (C:\Users\Administrator\Downloads) to C:\example and overwrite the existing directory:
      Downloads>mv temporary C:\example --force
    • To move the example.txt file in the directory C:\Users\Administrator\Downloads to C:\temp and overwrite the existing example.txt file:
      Downloads>mv C:\Users\Administrator\Downloads\example.txt C:\temp --force
  Supported on: XDR Endpoint Sensor

netstat
  Description: List network statistics and active connections
  Syntax: netstat
  Example: netstat
  Supported on: XDR Endpoint Sensor

ps
  Description: List running process information
  Syntax: ps
  Example: ps
  Supported on: XDR Endpoint Sensor

pwd
  Description: Display the current directory
  Syntax: pwd
  Example: pwd
  Supported on: XDR Endpoint Sensor
reg query
  Description: List registry information
  Syntax: reg query <key> [--value=<value_name>]
  Examples:
    • To list the content of the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion registry key:
      C:\>reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
    • To list only the data for the value "Details" in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion registry key:
      C:\>reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion --value=Details
  Supported on: XDR Endpoint Sensor
rm
  Description: Delete a file or directory (and all sub-directories)
  Syntax: rm <source_object> [--force]
  Note:
    • For the <source_object>, specify the absolute or relative path to the directory, the file name, and the file extension (if required).
    • Use the --force parameter to delete objects configured as read-only.
  Examples:
    • To delete the temporary directory in the current directory (C:\Users\Administrator\Downloads) and all read-only objects:
      Downloads>rm temporary --force
    • To delete the example.txt file in the directory C:\Users\Administrator\Downloads:
      Downloads>rm C:\Users\Administrator\Downloads\example.txt
  Supported on: XDR Endpoint Sensor

run
  Description: Execute a previously uploaded script
  Syntax: run <script_name_and_extension> [arguments]
  Example: run demo.ps1 1 "22 33" 44
  Supported on: XDR Endpoint Sensor

scheduletasks
  Description: List scheduled tasks
  Syntax: scheduletasks
  Example: scheduletasks

service list
  Description: List service information
  Syntax: service list
  Example: service list
  Supported on: XDR Endpoint Sensor

systeminfo
  Description: List system information
  Syntax: systeminfo
  Example: systeminfo
  Supported on: XDR Endpoint Sensor
taskstatus
  Description: List the status of response tasks created in the current session
  Syntax: taskstatus [--id=<task_id>]
    --id=<task_id>: Optional parameter to specify the identifier of the response task.
  Example: taskstatus --id=RM-20241207-00025
  Supported on: XDR Endpoint Sensor
user info
  Description: List account properties
  Syntax: user info <username>
  Example: user info john_doe
  Supported on: XDR Endpoint Sensor

user list
  Description: List local user accounts
  Syntax: user list
  Example: user list
  Supported on: XDR Endpoint Sensor

zip
  Description: Compress a file or directory into a zip archive and optionally encrypt the archive with a password
  Syntax: zip <source_object1> [<source_object2...> <source_objectn>] <destination_object> [--password <password>] [--force]
  Note:
    • For the <source_object> and <destination_object>, specify the absolute or relative path to the directory, the file name, and the file extension (if required).
    • Use the --force parameter to overwrite existing objects.
  Examples:
    • To zip the contents of the temporary directory in the current directory (C:\Users\Administrator\Downloads) to C:\example\directoryArchive.zip, set the password to P@ssw0rd and overwrite the existing file:
      Downloads>zip temporary C:\example\directoryArchive.zip --password P@ssw0rd --force
    • To zip the example.txt file in the directory C:\Users\Administrator\Downloads to C:\temp\exampleArchive.zip and overwrite the existing file:
      Downloads>zip C:\Users\Administrator\Downloads\example.txt C:\temp\exampleArchive.zip --force
  Supported on: XDR Endpoint Sensor