Live Shell Connect for Windows

The Live Shell feature lets you run PowerShell remotely on the endpoints in your network.
Using Live Shell, you can:
  • Obtain more information from the endpoint.
  • Respond to attacks and perform certain kinds of remediation.
  • Run most PowerShell commands and scripts. NOTE: You cannot run commands that require input from the endpoint user.
Be aware of the following:
  • By default, Super Admins and Domain Admins have privileges to run Live Shell. Other analyst roles may be added in
    Settings > Administrator and Roles > Roles > [
    ] > Details
    . Scroll down to
    and select
    Live Shell
  • The Live Shell functionality must be turned on in the EDR Policy at
    Policies > Default Detection and Response Policy
    . In the policy, scroll down to
    Live Shell Configuration
    and turn on Live Shell.
  • When accessing the endpoint, you must use the Windows credentials appropriate for the endpoint, not the credentials for accessing the ICDM console.
  • PowerShell must be installed on the endpoint.
Using Live Shell
You initiate a Live Shell session from the
page. To run a Live Shell session, do the following:
  1. On the
    page click the blue link for the device on which you want to run Live Shell.
  2. On the
    Device Details
    page, click
    More Actions > Live Shell
  3. Enter the Windows credentials for the device and click
  4. In the terminal window enter and execute the PowerShell commands or script you want to run .
  5. When you're finished, close the terminal window.
Reviewing Live Shell session logs
Every Live Shell session is logged and the log can be downloaded for later review. Additionally, an abbreviated preview of the session is available for quick review. To view the log for a Live Shell session:
  1. On the
    Device Details
    page click
    Live Shell
  2. At the right end of the session of interest, click the three vertical dots and select either