Initiate a Live Terminal Session from Traps Management Service

Initiate a Live Terminal Session from Traps Management Service to manage the endpoint remotely.
To investigate and respond to security events on Windows endpoints, you can use the Live Terminal to initiate a remote connection to an endpoint. Live Terminal enables you to manage remote endpoints. Investigative and response actions that you can perform include the ability to navigate and manage files in the file system, manage active processes, and run Windows or Python commands.
Live Terminal is supported for endpoints that meet the following requirements:
  • Traps 6.1 or a later release
  • Windows 7 SP1 or a later release
  • Windows update patch for WinCRT (KB 2999226)—To verify the hotfixes that are installed on the endpoint, run the systeminfo command from a command prompt.
  • Endpoint activity was reported within the last 90 minutes (as identified by the Last Seen timestamp in the endpoint details).
If the endpoint meets these requirements, you can initiate a Live Terminal session from the Endpoints page. You can also initiate a Live Terminal as a response action from a security event. If the endpoint is inactive or does not meet the requirements, the option is disabled.
After you terminate the Live Terminal session, you also have the option to save a log of the session activity. All logged actions from the Live Terminal session are available for download as a text file report when you close the live terminal session.
  1. Start the session.
    From a security event or endpoint details, select Actions > Initiate Live Terminal. It can take the Traps agent a few minutes to establish the connection.
  2. Use the Live Terminal to investigate and take action on the endpoint.
  3. When you are done, Disconnect the Live Terminal session.
    You can optionally save a session report containing all activity you performed during the session. The following example shows a sample session report:
    Live Terminal Session Summary
    Initiated by user username@paloaltonetworks.com on target TrapsClient1 at Jun 27th 2019 14:17:45
    Jun 27th 2019 13:56:13 Live Terminal session has started [success]
    Jun 27th 2019 14:00:45 Kill process calc.exe (4920) [success]
    Jun 27th 2019 14:11:46 Live Terminal session end request [success]
    Jun 27th 2019 14:11:47 Live Terminal session has ended [success]
    No artifacts marked as interesting

Manage Processes

From the Live Terminal you can monitor processes running on the endpoint. The Task Manager displays the task attributes, owner, and resources used. If you discover an anomalous process while investigating the cause of a security event, you can take immediate action to terminate the process or the whole process tree, and block processes from running.
  1. From the Live Terminal session, open the Task Manager to navigate the active processes on the endpoint.
    You can toggle between a sorted list of processes and the default process tree view. You can also export the list of processes and process details to a comma-separated values file.
    If the process is known malware, the row displays a red indicator and identifies the file using a malware attribute.
  2. To take action on a process, right-click the process:
    • Terminate process—Terminate the process or entire process tree.
    • Suspend process—To stop an attack while investigating the cause, you can suspend a process or process tree without killing it entirely.
    • Resume process—Resume a suspended process.
    • Open in VirusTotal—VirusTotal aggregates known malware from antivirus products and online scan engines. You can scan a file using the VirusTotal scan service to check for false positives or verify suspected malware.
    • Get WildFire verdict—WildFire evaluates the file hash signature to compare it against known threats.
    • Get file hash—Obtain the SHA256 hash value of the process.
    • Download Binary—Download the file binary to your local host for further investigation and analysis.
    • Mark as Interesting—Add an Interesting tag to a process to easily locate the process in the session report after you end the session.
    • Remove from Interesting—If no threats are found, you can remove the Interesting tag.
    • Copy Value—Copy the cell value to your clipboard.
  3. Select Disconnect to end the Live Terminal session.
    Choose whether to save the remote session report, including files and tasks marked as interesting. Administrator actions are not saved to the endpoint.

Manage Files

The File Explorer enables you to navigate the file system on the remote endpoint and take remedial action to:
  • Create, manage (move or delete), and download files, folders, and drives, including connected external drives and devices such as USB drives and CD-ROM.
    Network drives are not supported.
  • View file attributes, creation and last modified dates, and the file owner.
  • Investigate files for malicious content.
To navigate and manage files on a remote endpoint:
  1. From the Live Terminal session, open the File Explorer to navigate the file system on the endpoint.
  2. Navigate the file directory on the endpoint and manage files.
    To locate a specific file, you can:
    • Use the search bar to search the filename rows shown on the screen.
    • Double-click a folder to explore its contents.
  3. Perform basic management actions on a file.
    • View file attributes
    • Rename files and folders
    • Export the table as a CSV file
    • Move and delete files and folders
  4. Investigate files for malware.
    Right-click a file to take investigative action. You can take the following actions:
    • Open in VirusTotal—VirusTotal aggregates known malware from antivirus products and online scan engines. You can scan a file using the VirusTotal scan service to check for false positives or verify suspected malware.
    • Get WildFire verdict—WildFire evaluates the file hash signature to compare it against known threats.
    • Get file hash—Obtain the SHA256 hash value of the file.
    • Download Binary—Download the file binary to your local host for further investigation and analysis.
    • Mark as Interesting—Add an Interesting tag to any file or directory to easily locate the file. The files you tag are recorded in the session report to help you locate them after you end the session.
    • Remove from Interesting—If no threats are found, you can remove the Interesting tag.
    • Copy Value—Copy the cell value to your clipboard.
  5. Select Disconnect to end the Live Terminal session.
    Choose whether to save the Live Terminal session report, including files and tasks marked as interesting. Administrator actions are not saved to the endpoint.

Run Windows Commands

The Live Terminal provides a command-line interface from which you can run Windows commands on a remote endpoint. Each command runs independently and is not persistent. To chain multiple commands together so that they run as one action, join them with &&. For example:
    cd c:\windows\temp\ && <command1> && <command2>
You cannot run GUI-based cmd commands such as winver or appwiz.cpl.
  1. From the Live Terminal session, select Command Line.
  2. Run commands to manage the endpoint.
    Examples include file management or launching batch files. You can enter or paste the commands, or you can upload a script. After you are done, you can save the command session output to a file.
  3. When you are done, Disconnect the Live Terminal session.
    Choose whether to save the Live Terminal session report, including files and tasks marked as interesting. Administrator actions are not saved to the endpoint.

Run Python Commands and Scripts

The Live Terminal provides a Python command-line interface that you can use to run Python commands and scripts. The Python command interpreter uses Unix command syntax and supports Python 3 with the standard Python libraries. To issue Python commands or scripts on the endpoint, follow these steps:
  1. From the Live Terminal session, select Python to start the Python command interpreter on the remote endpoint.
  2. Run Python commands or scripts as desired.
    You can enter or paste the commands, or you can upload a script. After you are done, you can save the command session output to a file.
  3. When you are done, Disconnect the Live Terminal session.
    Choose whether to save the Live Terminal session report, including files and tasks marked as interesting. Administrator actions are not saved to the endpoint.
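The following is an added example of the kind of standard-library-only Python 3 script the Python interpreter described above can run on an endpoint; it is not Traps or Palo Alto Networks code. It hashes every file under a directory with SHA256 (the same digest the Get file hash action returns) and flags any file whose hash is on a list the analyst already considers suspect; the known-bad set here is a constructed placeholder, and the demo tree is built in a temporary directory so the example runs offline.

```python
import hashlib
import os
import tempfile

# Constructed placeholder for the demo, not a real indicator. In practice the
# set holds SHA256 values the analyst obtained earlier, e.g. with "Get file hash".
KNOWN_BAD_SHA256 = {hashlib.sha256(b"malicious-sample-content").hexdigest()}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, known_bad=KNOWN_BAD_SHA256):
    """Return {relative_path: (sha256, is_known_bad)} for every file under root.

    Files that cannot be opened (locked or permission denied) stay in the
    result with a None hash so the gap is visible instead of silently skipped.
    """
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                digest = sha256_of_file(full)
            except OSError:
                results[rel] = (None, False)
                continue
            results[rel] = (digest, digest in known_bad)
    return results


def demo():
    """Constructed demo tree: one benign file and one matching the placeholder."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "tmp"))
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"hello")
        with open(os.path.join(root, "tmp", "dropper.bin"), "wb") as f:
            f.write(b"malicious-sample-content")
        return hash_tree(root)


if __name__ == "__main__":
    for path, (digest, bad) in sorted(demo().items()):
        print("BAD" if bad else "ok ", digest, path)
```

When run against a real directory instead of the demo tree, call hash_tree with the path to scan and save the interpreter output to a file before disconnecting, since administrator actions are not saved to the endpoint.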
