3.12. Response Control¶
3.12.1. Opening a Remote Shell on an endpoint¶
In order to open a remote shell on an endpoint, open the Asset Management section and click the "command line" button in the Actions column.
Depending on your configuration it may take between 10 seconds and 10 minutes for the remote shell to open. Please note that all actions within the remote shell are recorded and can be audited. All shells open with root or system privileges.
In order to replay a remote console session, navigate to
expand the task that represents your session, select the
Console Log tab
and click the play button in the bottom row.
ASGARD users can only see their own remote shell session. Only users with
RemoteConsoleProtocol permission are able to replay all sessions from all users.
3.12.2. Response Control with Pre-Defined Playbooks¶
In addition to controlling THOR scans, ASGARD Management Center contains extensive response functions. Through ASGARD, you can start or stop processes, modify and delete files or registry entries, quarantine endpoints, collect triage packages and execute literally any command on connected systems. All with one click and executed on one endpoint or groups of endpoints.
It is also possible to download specific suspicious files. You can transfer a suspicious file to the ASGARD Management Center and analyze it in a Sandbox.
To execute a predefined response action on a single endpoint, navigate to the Asset Management view and click the "play" button in the Actions Column. This will lead you to a dialogue where you can select the desired action.
In this example, we collect a full triage package.
ASGARD ships with pre-defined playbooks for the following tasks:
- Collect ASGARD Agent Log
- Create and Collect Aurora Agent Diagnostics Pack (Windows only)
- Collect full triage pack (Windows only)
- Isolate endpoint (Windows only)
- Collect system memory
- Collect file / directory
- Collect directory
- Collect Aurora diagnostics pack
- Execute command and collect stdout and stderr
Nextron provides additional playbooks via ASGARD updates.
The collection of memory can set the systems under high load and impacts the systems response times during the transmission of collected files. Consider all settings carefully! Also be aware that memory dumps may fail due to kernel incompatibilities or conflicting security mechanisms. Memory dumps have been successfully tested on all supported Windows operating systems with various patch levels. The memory collection on Linux systems depends on kernel settings and loaded modules, thus we cannot guarantee a successful collection. Additionally, memory dumps require temporary free disk space on the system drive and consume a significant amount of disk space on ASGARD as well. The ASGARD agent checks if there is enough memory on the system drive and adds a 50% safety buffer. If there is not enough free disk space, the memory dump will fail.
3.12.3. Response Control for Groups of Systems¶
Response functions for groups of systems can be defined in the
tab or the
New Scheduled Group Task tab.
3.12.4. Response Control with Custom Playbooks¶
You can add your own custom playbook by clicking the
Add Playbook button in the
Response Control >
This lets you define a name and a description for your playbook. After clicking
Add Playbook button, click on the
Edit steps of this playbook action.
This opens the side pane in which single playbook steps
can be added using the
Add Step button.
If you need custom files for your playbook (scripts, configurations, binaries, etc.)
you can select local files to be uploaded to ASGARD during the creation of the playbook
step (by selecting "Upload New File" in the file drop-down). You can manage these
Response Control >
Playbook Files and upload or update files using
Upload Playbook File button.
You can have up to 16 steps in each playbook that are executed sequentially. Every step can be either "download something from ASGARD to the endpoint", "execute a command line" or "upload something from the endpoint to ASGARD". If you run a command line the stdout and stderr are reported back to ASGARD.
3.12.5. Change the Asset(s) Proxy¶
You can change the Proxy Settings on your Assets via the Response Control.
To do this, select the asset(s) and click
Add Task in the top right corner.
Next, set the Module to
Maintenance and the Maintenance Type to
Configure the asset's proxy. You can now set your proxy. Multiple proxies
can be set, though only one FQDN/IP-Address per field can be set.