The commands listed in the following table are supported by Live Response.
Live Response supports the keyboard paste option. Use ctrl+v
or cmd+v
to paste into the terminal.
Command | Description |
---|---|
cd [dir] | Change the current working directory. Options include absolute, relative, drive-specific, and network share paths. |
clear | Clear the console screen; you can also use the cls command for this purpose. |
delete [path] | Delete the file specified in the path argument. The file is permanently deleted; it is not sent to the Recycle Bin. |
detach | Detach from the current Live Response session. If a session has no attachments, it remains live until it times out (five minutes by default). The same action is performed by the End my session button. |
detach -q | Terminate the current Live Response session. If a session has other users attached, these users will also be detached from the session. |
dir | Return a list of files in the current directory. |
drives | List the drives on the remote endpoint. This is for Windows only. |
exec [processpath] | Execute a background process specified in the processpath argument on the current remote endpoint. By default, process execution returns immediately and output is to stdout and stderr.
|
execfg | Execute a process on the current remote endpoint and return stdout/stderr.
|
get [path] | Obtain the file that is specified in the path argument from the remote endpoint and download it to the local endpoint. |
help | Show the Live Response session commands with a brief description of each. If a command name is added, show the description of the specified command, with additional details (such as options) if available.
|
kill | Terminate the specified process. For example:
Note: You can use the
ps command to get a list of the pid numbers that you can use with this command.
|
memdump [filepath] | Take a kernel memory dump and store it to the given file path, which must include a file name. Starting with Windows sensor version 3.5.0.1523, memdump will generate a kernel memory dump (and user space, if kernel debugging is enabled). For information on enabling kernel debugging, see Microsoft's documentation. Memory dumps can take several minutes, and an (*) icon in the Live Response window indicates that it is still in progress. This is for Windows only. |
mkdir | Make a directory on the remote endpoint. |
ps or tasklist | Obtain a list of processes from the remote endpoint. Analysis information for a newly discovered process might not yet be fully committed to the Carbon Black Cloud database and therefore not viewable. |
put [remotepath] | Put a file from the local endpoint onto the remote endpoint at the specified path. You specify the file in the Open dialog of the browser, after the command is entered in Live Response. |
pwd | Print the current working directory. |
reg | View or modify Windows registry settings (Windows endpoints only). The syntax of this command is:
|