

Starting a Remote Shell session

GravityZone XDR provides interactive shell functionality that lets you connect remotely to an endpoint involved in an incident under investigation and open a remote shell session. You can run shell commands directly on the endpoint's operating system, either to mitigate threats immediately or to collect forensic data for further analysis.

[Screenshot: remoteConnection.png]
  1. Select one or more managed endpoints and click the Remote Shell button to open the Remote Shell Connection page in a new browser tab.

    Note

    If the button is inactive, see Remote Shell session prerequisites.

    If you want to start Remote Shell connections on multiple endpoints, make sure you allow pop-ups for gravityzone.bitdefender.com.

  2. On the Remote Shell Connection page, enter the 2FA code generated by your authenticator app to activate the Start session button.

    [Screenshot: RemoteShellConnection2faReq.png]
  3. Once active, click the Start session button to start the remote shell session on the target endpoint.

    [Screenshot: remoteConnection.png]

    Once the connection is established, you are logged in as a user with "root" privileges and can perform a wide range of forensic actions to investigate suspicious behavior or mitigate threats.

    [Screenshot: remoteShellActions.png]

    Note

    All session logs are recorded and the entire output will be available for download at the end of the session.

  4. When done investigating, click the End session button to close the remote connection, or close the session's browser tab.

    [Screenshot: remoteSessionEnded.png]
  5. After ending the current session, you can click the Download audit log button to get the logs of the remote shell session you just ended, or you can start a new remote session.

    1. When you click Download audit log, GravityZone will start compiling a zip file with all the session logs. This action may take a couple of minutes to complete, depending on the size of the archive. All session details are also available in the User activity log.

      Note

      The session's logs are saved by default in a raw format. For easier reading, unzip the file and use one of these tools:

      • For logs from Windows OS endpoints, run this command in PowerShell:

        Get-Content <filePath> -Wait (use the file path and name of the log file)

        Example: Get-Content "C:\Users\Documents\sessionLogs.txt" -Wait

      • For logs from Linux and macOS endpoints, run this command in the terminal:

        less <filePath> (use the file path and name of the log file)

        Example: less /home/user/sessionLogs.txt

    2. When you click Start a new session, you are asked again to enter an authentication code before the new session starts.
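As an added example that is not part of the GravityZone documentation, the following Python script prepares a downloaded and unzipped set of session logs for review on any analyst workstation (Windows, Linux or macOS). It assumes the raw log files are terminal transcripts containing ANSI escape sequences and backspace edits (an assumption; the page does not describe the raw format), writes a cleaned copy of each file next to the originals, and records a SHA-256 manifest of the untouched originals so the archive contents can later be shown unchanged. The directory names and the sample transcript are constructed placeholders.

```python
import hashlib
import re
import sys
from pathlib import Path

# Assumption: raw session logs are terminal transcripts. This pattern removes
# CSI sequences (colours, cursor movement), OSC sequences (window title) and
# two-byte ESC sequences so the transcript reads as plain text.
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: ESC [ params final-byte
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: ESC ] ... BEL or ESC \
    r"|\x1b[@-Z\\-_]"                      # two-byte escapes, e.g. ESC M
)

# Constructed sample of a raw transcript (not a real GravityZone log):
# coloured prompt, a typo corrected with backspace, CRLF line endings.
SAMPLE_RAW = (
    b"\x1b]0;root@host\x07\x1b[01;32mroot@host\x1b[00m:\x1b[01;34m~\x1b[00m# "
    b"lss\x08 -la /tmp\r\n"
    b"\x1b[0mtotal 0\r\n"
)


def clean_transcript(raw: bytes) -> str:
    """Strip terminal control sequences, normalise line endings and apply
    backspace edits so the text shows what was actually executed."""
    text = raw.decode("utf-8", errors="replace")
    text = ANSI_RE.sub("", text)
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    out = []
    for ch in text:
        if ch == "\x08":
            # Backspace deletes the previous character, but never a newline.
            if out and out[-1] != "\n":
                out.pop()
        else:
            out.append(ch)
    return "".join(out)


def sha256_file(path: Path) -> str:
    """Hash the original file in chunks; the digest goes into the manifest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def process_logs(log_dir: Path, out_dir: Path) -> dict:
    """Write <name>.clean.txt for every file in log_dir into out_dir and a
    manifest.sha256 of the originals; returns {filename: sha256}."""
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in log_dir.iterdir() if p.is_file()):
        manifest[path.name] = sha256_file(path)
        cleaned = clean_transcript(path.read_bytes())
        (out_dir / f"{path.name}.clean.txt").write_text(cleaned, encoding="utf-8")
    lines = "".join(f"{h}  {name}\n" for name, h in manifest.items())
    (out_dir / "manifest.sha256").write_text(lines, encoding="utf-8")
    return manifest


if __name__ == "__main__":
    # Usage: python review_logs.py <unzipped_log_dir> <output_dir>
    # Both paths are placeholders chosen by the analyst.
    src = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("sessionLogs")
    dst = Path(sys.argv[2]) if len(sys.argv) > 2 else Path("sessionLogs_clean")
    for name, h in process_logs(src, dst).items():
        print(f"{h}  {name}")
```

The manifest uses the `sha256sum -c` line format, so the originals can be re-verified later with `sha256sum -c manifest.sha256` on Linux or macOS; the cleaned copies are only for reading, and the originals stay the evidence of record.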

Note

If you encounter any issues with the Remote Shell feature, refer to XDR Remote Shell Troubleshooting.