Malwarebytes Endpoint Detection and Response includes Active Response Shell which provides the ability to investigate attacks, collect forensic data, and remediate detections on remote endpoints. Authorized Super Admins can securely access their endpoints remotely with Malwarebytes Nebula.
To configure Active Response Shell, see Configure Active Response Shell in Nebula.
Requirements
- Super Administrator permissions.
- An active Endpoint Detection & Response subscription or trial.
- Two-factor authentication or SSO enabled for Super Admin accounts.
- The Nebula Account Owner must assign Active Response Shell permission to selected Super Admins or optionally to the owner account. For more information, see Manage Users in Nebula.
- Active Response Shell enabled in each Endpoint Detection and Response policy, which enables the setting for any Group assigned that policy.
- Remote endpoints cannot be behind a proxy. This is a known issue that being investigated.
Access Active Response Shell
Active Response Shell is accessed through the Endpoints page and the Suspicious Activity page in Malwarebytes Nebula.
To access on the Endpoints page:
- On the left navigation pane, go to Manage > Endpoints.
- Select an endpoint or click the endpoint name, then click Actions.
- Click Launch Active Response Shell.
To access on the Suspicious Activity page:
- On the left navigation pane, go to Investigate > Suspicious Activity.
- Choose a suspicious detection and on the Actions menu, click Launch Active Response Shell.
- Or click a suspicious detection name. On the details page, click Actions.
- Click Launch Active Response Shell.
To access on the Flight recorder page:
- On the left navigation pane, go to Investigate > Flight Recorder.
- Enter your search parameters and click Search.
- Select an endpoint, then click Actions.
- Click Launch Active Response Shell.
Active Response Shell commands
| Command | Description |
| ? | Print remote shell help. |
| cd | Change directory or move to a specific folder. |
| copy | Copy a single file. |
| datetime | Show local date and time. |
| del |
Delete one or more files. |
| dir | Display the list of files and folders. |
| dump | Dump binary files in hex values. |
|
exec |
Execute process. Command shell is launched:
|
|
get |
Retrieve a specific file from the host machine. |
|
md |
Create directory. |
|
move |
Rename or move a file. |
|
put |
Upload a file to the host machine. |
|
quit |
Terminate active response shell. |
|
reg |
Performs operations on registry subkey, information, and values in the registry. |
|
sandbox |
Upload file to Sandbox Analysis. |
|
sc |
Performs operations with the Service Control Manager. |
|
systeminfo |
Displays operating system information for a local or remote machine. |
|
taskkill |
Terminate one or more processes from PID or process name. |
|
tasklist |
Display the list of the active processes. |
|
timeliner |
Execute Malwarebytes Forensics Timeliner. |
|
type |
Displays the contents of a text file or files. |
|
unzip |
Unzip archived folder. |
|
zip |
Compress a list of files and folders in a ZIP archive. |
Return to the Malwarebytes Nebula Administrator Guide.