Connect to Endpoints
Live Response (security check) can only be used by accounts that have been assigned the security check right. Live Response commands and their usage rights are assigned under Command assignment method by authority.
- Click Analysis > Endpoints > Management, then click the IP of the endpoint you want to connect to. Live Response (security check) can only connect to endpoints that are currently running.
- Click the Live Response icon in the upper right corner.
- A password confirmation window appears; enter the password of the currently logged-in user.
- Once the password is verified, a security check pop-up window opens. When the connection succeeds, the window displays the message "Agent connection was successful." and the current directory defaults to the agent installation path.
- Closing the security check window or sending the exit command terminates the Live Response connection.
Security check commands
Live Response supports checking the endpoint's process list, searching for files by specified extension, and collecting files. The commands are described below.
Basic commands
Command | Description |
---|---|
sendnow | Immediately sends events and logs that have not yet been sent to the server. |
help | Displays help for commands. |
dir | Lists the files and subdirectories of a directory. |
cd | Displays or changes the current directory. |
cls | Clears the screen. |
exit | Ends the Live Response session. |
quicksearch | Retrieves a list of executables, or of files with a specified extension, from the indexed DB. |
Directory names can be completed with the Tab key on the Live Response screen.
Pressing Tab on an empty command line lists the commands that help describes; typing one or more letters and then pressing Tab lists the commands that start with those letters.
Search for a specified extension
Note
- To search by extension, enable indexing of the specified file list in the detailed Policy Settings of Policy > Group Policy Management, and add the extension to be searched to the specified extensions.
- Only files that have changed since the policy was applied to the agent are indexed and therefore searchable.
- To also search files that have not changed, set File Crawling to Enabled in the detailed Policy Settings of Policy > Group Policy Management and enable the Executable Files, Documents/Compressed Files, and Specified Files settings.
File crawling takes a long time to collect the complete list of files.
quicksearch command: Searches the indexed DB for a list of executable files or files with a specified extension.
Supported file extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .docm, .xlsm, .pptm, .hwp, .hwpx, .dwg, .pdf, .txt, .csv, .zip, .arj, .7z, .alz, .cab, .rar, .tar, .exe, .dll, .ocx, .scr, .sys, .com, .msi, .bat, .js, .vbs, .vbe, .ps1, .cmd
Additional options are listed in the command help (quicksearch /?).
Command | Description | Usage example |
---|---|---|
quicksearch file name | Retrieves matching files in the current path. | quicksearch doc_test.docx: searches for doc_test.docx in the current path. |
quicksearch file path\file name | Retrieves matching files in the given path. | quicksearch c:\Temp\doc_test.docx: searches for doc_test.docx in c:\Temp\. |
quicksearch /s file path\file name | Retrieves matching files in the given path and all of its subdirectories. | quicksearch /s doc_test.docx: searches for doc_test.docx in the current path and its subdirectories. |
quicksearch /a file name | Retrieves matching files from all indexed paths, regardless of the current path. | quicksearch /a doc_test.docx: searches for doc_test.docx across the whole index. |
quicksearch /c file path\file name | Returns the number of matching files in the given path. | quicksearch /c c:\Temp\doc_test.docx: counts the doc_test.docx files in c:\Temp\. |
quicksearch /v file path\file name | Retrieves a detailed listing of matching files in the given path. | quicksearch /v c:\Temp\doc_test.docx: shows the details of c:\Temp\doc_test.docx.<br>quicksearch /v /s c:\Temp: retrieves a detailed list of the files in c:\Temp and its subdirectories. |
quicksearch /p process name | Retrieves the files in the current path that were created by the given process. | quicksearch /p winword.exe: retrieves the files in the current path that were created by winword.exe. |
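The switches above combine in ways that are easy to misread (for example, /s without a path is relative to the current directory, while /a ignores the path entirely, and /p restricts by creating process rather than by name). The following Python script is an added example, not the EDR's own code: it builds an in-memory index restricted to the documented extension set and exposes the same switches as keyword arguments, so you can check what a query should return on a local tree before sending it to an endpoint. The `created_by` map, the sample directory layout and the file contents are constructed here; the real agent records the creating process at index time, which a plain filesystem walk cannot recover, so that field is an assumption of this example.

```python
"""quicksearch look-alike over a local directory tree (added example, not the EDR's code)."""
import os
import tempfile
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import Path

# Extension set as documented for quicksearch; matching is case-insensitive.
SUPPORTED_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".docm", ".xlsm", ".pptm",
    ".hwp", ".hwpx", ".dwg", ".pdf", ".txt", ".csv", ".zip", ".arj", ".7z", ".alz",
    ".cab", ".rar", ".tar", ".exe", ".dll", ".ocx", ".scr", ".sys", ".com", ".msi",
    ".bat", ".js", ".vbs", ".vbe", ".ps1", ".cmd",
}


@dataclass(frozen=True)
class IndexedFile:
    path: Path        # absolute, resolved path
    size: int         # bytes, shown by /v
    created_by: str   # hypothetical provenance field used by /p (assumption: the agent
                      # records the creating process; here the caller supplies it)


def build_index(root, created_by=None):
    """Walk root and index only files whose extension is in SUPPORTED_EXTENSIONS."""
    created_by = created_by or {}
    index = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            if p.suffix.lower() not in SUPPORTED_EXTENSIONS:
                continue  # unlisted extensions never enter the index
            index.append(IndexedFile(p.resolve(), p.stat().st_size,
                                     created_by.get(name, "unknown")))
    return index


def quicksearch(index, target, cwd, *, recursive=False, anywhere=False,
                count=False, verbose=False, process=None):
    """Emulate 'quicksearch [/s] [/a] [/c] [/v] [/p process] [path\\]name'.

    target: 'name', 'dir\\name', or a directory (a bare directory lists its files);
    an empty target means every indexed name. Wildcards use fnmatch syntax.
    recursive=/s, anywhere=/a, count=/c, verbose=/v, process=/p.
    """
    candidate = (Path(cwd) / target) if target else Path(cwd)
    if candidate.is_dir():
        base_dir, name_pattern = candidate, "*"
    else:
        base_dir, name_pattern = candidate.parent, candidate.name
    base_dir = base_dir.resolve()

    hits = []
    for f in index:
        if not fnmatchcase(f.path.name.lower(), name_pattern.lower()):
            continue
        if process is not None and f.created_by.lower() != process.lower():
            continue
        if not anywhere:                      # /a ignores the path entirely
            parent = f.path.parent
            in_scope = parent == base_dir or (recursive and base_dir in parent.parents)
            if not in_scope:
                continue
        hits.append(f)

    hits.sort(key=lambda f: str(f.path))
    if count:                                 # /c returns only the number of matches
        return len(hits)
    if verbose:                               # /v adds size and provenance
        return [f"{f.path}  {f.size} bytes  created_by={f.created_by}" for f in hits]
    return [str(f.path) for f in hits]


def build_sample_tree():
    """Constructed sample data (not from the documentation): a temp dir plus a
    hypothetical name -> creating-process map that stands in for the agent's record."""
    root = Path(tempfile.mkdtemp(prefix="quicksearch_"))
    layout = {
        "doc_test.docx": b"x" * 10,
        "notes.txt": b"y" * 5,
        "image.png": b"z" * 7,               # .png is not a supported extension
        "sub/doc_test.docx": b"x" * 20,
        "sub/deep/invoice.pdf": b"p" * 3,
        "other/run.ps1": b"q" * 4,
    }
    for rel, data in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    created_by = {"doc_test.docx": "winword.exe", "invoice.pdf": "acrord32.exe"}
    return root, created_by


if __name__ == "__main__":
    root, created_by = build_sample_tree()
    index = build_index(root, created_by)
    print(quicksearch(index, "doc_test.docx", root))                       # current path only
    print(quicksearch(index, "doc_test.docx", root, recursive=True))       # /s
    print(quicksearch(index, "invoice.pdf", root, anywhere=True))          # /a
    print(quicksearch(index, "*.docx", root, recursive=True, count=True))  # /c
    print(quicksearch(index, "sub", root, recursive=True, verbose=True))   # /v /s
    print(quicksearch(index, "", root, process="winword.exe"))             # /p
```

Note that `image.png` never appears in any result because it is filtered out at index time, which mirrors the policy caveat above: an extension that is not in the specified list is invisible to quicksearch no matter which switches you pass.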
Check processes
tasklist command: Lists all currently running processes (including services).
Additional options are listed in the command help (tasklist /?).
Command | Description |
---|---|
tasklist | Displays the process list (image name, PID, session name, session number, memory usage). |
tasklist /v | Displays detailed process information (image name, PID, session name, session number, memory usage, status, user name, CPU time, window title). |
tasklist /m module name | Lists the processes that have loaded the given exe/dll module. If no module name is given, lists the modules loaded by every process (image name, PID, modules). |
tasklist /svc | Displays the services hosted by each process (image name, PID, services). |