Access the Response Tools

Tools Available in Cytomic Orion

Remote Management Tools
  • Isolate computer: Restricts the network traffic sent to or received by a computer to prevent the spread of threats to other computers and the exfiltration of confidential information.

  • Restart computer: Forces a computer to restart.

Remote Access Tools

General menu for accessing the remote access tools

  • Remote command line: Remote shell that runs with administrator permissions. It lets you operate on the target computer's file system and run programs on that computer.

  • Process manager: Shows a list of running processes on the target computer and enables you to stop them.

  • Service manager: Shows a list of installed services on the target computer and enables you to start and stop them.

  • File transfer: Enables you to send and receive files to and from the target computer.

  • Command line tools: Set of programs accessible from the remote command line. These programs are intended to collect information to enhance investigations, recover data for forensic analysis, and remedy security breaches:

    • delete: Deletes files from the target computer hard disk.

    • dump: Dumps the memory assigned to processes to disk.

    • netinfo: Shows information about network interfaces.

    • pcap: Captures network packets and dumps them to the computer hard disk.

    • ports: Shows processes with open ports on the computer.

    • process: Shows the processes loaded in memory and their modules.

    • url: Shows the history of URLs opened in the computer's browser.

Access the Response Tools

You can access all of the response tools in Cytomic Orion from the entities of interest associated with an investigation (for more information, see Entities of Interest Panel).

Access the response tools from the Entities of Interest sub-panel

To run a response tool:

  • In the top menu, select Investigations. Then select the investigation that contains the computer you want to act on.

  • In the Entities of interest sub-panel, find the Computer-type entity to which you want to connect to resolve the incident.

  • From the entity context menu, select one of these options: Isolate computer, Stop isolating computer, Restart computer, or Remote access to computer. A confirmation message opens.

  • Click Yes to confirm. If you selected Remote access to computer, a connection message opens; the analyst console then shows the available remote access tools (Process manager, Service manager, and File transfer) together with a command line interface connected to the remote computer (see figure General menu for accessing the remote access tools).

  • To access the command line tools, run the rt command in the remote command line. A menu opens that lists the available actions and the parameters each one accepts.

  • To close the connection to the remote computer, click the icon in the upper-right corner of the connection window (marked 1 in figure General menu for accessing the remote access tools).