3.12. Response Control
3.12.1. Opening a Remote Shell on an endpoint
In order to open a remote shell on an endpoint, open the Asset Management section and click the "command line" button in the Actions column.

Opening a Remote Shell from the Asset View
Depending on your configuration it may take between 10 seconds and 10 minutes for the remote shell to open. Please note that all actions within the remote shell are recorded and can be audited. All shells open with root or system privileges.

Remote Shell
In order to replay a remote console session, navigate to Response Control, expand the task that represents your session, select the Console Log tab and click the play button in the bottom row.

Replay Remote Shell Session
ASGARD users can only see their own remote shell sessions. Only users with the RemoteConsoleProtocol permission are able to replay all sessions from all users.
3.12.2. Response Control with Pre-Defined Playbooks
In addition to controlling THOR scans, ASGARD Management Center contains extensive response functions. Through ASGARD, you can start or stop processes, modify and delete files or registry entries, quarantine endpoints, collect triage packages and execute literally any command on connected systems, all with one click and on a single endpoint or on groups of endpoints.
It is also possible to download specific suspicious files. You can transfer a suspicious file to the ASGARD Management Center and analyze it in a Sandbox.

Built-in Playbooks
To execute a predefined response action on a single endpoint, navigate to the Asset Management view and click the "play" button in the Actions Column. This will lead you to a dialogue where you can select the desired action.

Execute Playbook on Single Endpoint
In this example, we collect a full triage package.
ASGARD ships with pre-defined playbooks for the following tasks:
- Collect ASGARD Agent Log
- Create and Collect Aurora Agent Diagnostics Pack (Windows only)
- Collect full triage pack (Windows only)
- Isolate endpoint (Windows only)
- Collect system memory
- Collect file / directory
- Collect directory
- Collect Aurora diagnostics pack
- Execute command and collect stdout and stderr
Nextron provides additional playbooks via ASGARD updates.
Warning
The collection of memory can put systems under high load and impacts their response times during the transmission of collected files. Consider all settings carefully! Also be aware that memory dumps may fail due to kernel incompatibilities or conflicting security mechanisms. Memory dumps have been successfully tested on all supported Windows operating systems with various patch levels. The memory collection on Linux systems depends on kernel settings and loaded modules, thus we cannot guarantee a successful collection. Additionally, memory dumps require temporary free disk space on the system drive and consume a significant amount of disk space on ASGARD as well. The ASGARD agent checks if there is enough memory on the system drive and adds a 50% safety buffer. If there is not enough free disk space, the memory dump will fail.
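The disk space condition from the warning above can be checked on a Linux endpoint before memory collection is started. The script below is an added example, not part of ASGARD or the agent; it assumes the dump needs the RAM size plus the 50% safety buffer as free space on the system drive (the agent's exact formula is not given here), and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check before a "Collect system memory" playbook.
# Assumption: required free space = RAM size + 50% safety buffer.

# required_kb RAM_KB -> RAM size plus 50% buffer in KiB (rounded up)
required_kb() {
    echo $(( $1 + ($1 + 1) / 2 ))
}

# dump_fits RAM_KB FREE_KB -> exit status 0 if the dump should fit
dump_fits() {
    [ "$2" -ge "$(required_kb "$1")" ]
}

# ram_kb -> physical memory in KiB (Linux, from /proc/meminfo)
ram_kb() {
    awk '/^MemTotal:/ { print $2 }' /proc/meminfo
}

# free_kb PATH -> available KiB on the filesystem holding PATH
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# preflight PATH -> prints a verdict; status 0 (fits) or 1 (too small)
preflight() {
    ram=$(ram_kb)
    free=$(free_kb "$1")
    need=$(required_kb "$ram")
    if dump_fits "$ram" "$free"; then
        echo "OK: need ${need} KiB, ${free} KiB free on $1"
    else
        echo "FAIL: need ${need} KiB, only ${free} KiB free on $1"
        return 1
    fi
}

# Runs only when requested, e.g. as the command of an
# "Execute command and collect stdout and stderr" playbook.
if [ "${1:-}" = "--check" ]; then
    preflight "${2:-/}"
fi
```

Called with `--check /`, the script prints its verdict on stdout, so the result is reported back to ASGARD with the task output.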
3.12.3. Response Control for Groups of Systems
Response functions for groups of systems can be defined in the Group Tasks tab or the New Scheduled Group Task tab.

Execute Playbook on Group of Endpoints
3.12.4. Response Control with Custom Playbooks
You can add your own custom playbook by clicking the Add Playbook button in the Response Control > Playbooks tab.

Add Custom Playbook
This lets you define a name and a description for your playbook. After clicking the Add Playbook button, click on the Edit steps of this playbook action.

Playbook Action Items
This opens the side pane in which single playbook steps can be added using the Add Step button.

Add Playbook Entry
If you need custom files for your playbook (scripts, configurations, binaries, etc.) you can select local files to be uploaded to ASGARD during the creation of the playbook step (by selecting "Upload New File" in the file drop-down). You can manage these files at Response Control > Playbook Files and upload or update files using the Upload Playbook File button.

Manage Playbook Files
You can have up to 16 steps in each playbook that are executed sequentially. Every step can be either "download something from ASGARD to the endpoint", "execute a command line" or "upload something from the endpoint to ASGARD". If you run a command line the stdout and stderr are reported back to ASGARD.
3.12.5. Change the Asset(s) Proxy
You can change the Proxy Settings on your Assets via the Response Control. To do this, select the asset(s) and click Add Task in the top right corner. Next, set the Module to Maintenance and the Maintenance Type to Configure the asset's proxy. You can now set your proxy. Multiple proxies can be set, though only one FQDN/IP-Address per field can be set.

Change/Set an asset's Proxy