Remote Control Terminal — Commands and Parameters

Applies To: WatchGuard Advanced EPDR

On the Terminal page of the Remote Control tool, you can run commands compatible with the cmd.exe interpreter on the remote Windows computers. You can launch programs that generate text output. The remote control terminal runs under the LOCAL_SYSTEM account on the remote computer and is installed here:

C:\Program Files (x86)\Panda Security\Panda Aether Agent\Remote access\

The Remote Control feature is available for Windows, Linux, and Mac computers. These instructions are written for Windows computers only.

To open the remote control terminal, on the Computers page:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Computers.
  3. From the left pane, select the My Organization tab.
  4. Next to the computer or group of computers you want to connect to remotely, click .
  5. Select Remote Control.
    The Remote Control window for the computer opens to the Terminal page.

Screen shot of Advanced EPDR, Remote Control Terminal page

About RT.exe

Advanced EPDR also supports rt.exe. This program provides access to a set of tools you can use to respond to security incidents. These tools enable you to recover information to perform a subsequent forensic analysis, and restore devices affected by a security breach to their original state.

You can access the rt.exe program from the remote command line. The program has the following syntax:

rt.exe [command] [-h|--help]

Each command indicates an action to take and each command supports different parameters. Some parameters allow partial searches that use substrings of characters that represent the start, middle, or end of a string. For example, to search for "malware", you can enter these substrings: "mal" or "ware".

You should also consider these rules:

  • Wildcards * and ? are not supported.
  • If a command supports dumping output to a file, this is specified with -f.
  • To separate multiple items of the same type, enter the pipe character (|).

Commands

When you start a remote control session, on the Terminal page, you can use these commands from the remote command line to collect information to enhance investigations, recover data for forensic, analysis, and remedy security breaches:

  • delete — Deletes files from the target computer hard disk.
  • dump — Dumps the memory assigned to processes to disk.
  • netinfo — Shows information about network interfaces.
  • pcap — Captures network packets and dumps them to the computer hard disk.
  • ports — Shows processes with open ports on the computer.
  • process — Shows the processes loaded in memory and their modules.
  • url — Shows a history of all URLs opened from the computer browser.

Delete Command

This command deletes the files specified with the parameters -n, -m, or -s which are in the path indicated by the parameter -p. If the file is in use, the delete command returns an error.

Short Form Full Parameter Description Notes

-h

--help

Opens command help.

 

-f

--force

Deletes files permanently.

 

-r

--restore

Restores selected files from the Recycle Bin.

Restores files to their original location.

-p

--path

Absolute path from the root directory where you want to search for files to delete. Endpoint Security only deletes files in the specified path.

Use the backslash character (\) to separate folders.

Ÿ Wildcards are not supported.

-n

--name

Names of the files you want to delete.

To specify multiple files, separate file names with the pipe character (|).

Wildcards are not supported.

-m

--md5

MD5 values of the files you want to delete.

To specify multiple MD5 values, separate values with the pipe character (|).

Wildcards are not supported.

-s --sha256 SHA256 values of the files you want to delete To indicate multiple SHA256 values, use the character “|”. Wildcards are not supported.

Dump Command

This command dumps to disk the memory space allocated to a system or user process.

Short Form Full Parameter Description Notes

-h

--help

Opens command help.

 

-p

--pid

PID of the process to dump.

For information on how to dump the PID of the process, go to Process Command.

-s

--system

Kernel dump.

Supported values:

  • Ÿ mini: Short dump of the stack content.
  • Ÿ kernel: Full dump.
  • Ÿ full: Dump of the entire physical memory of the computer, even if it is not in use.

-f

--filename

Name of the file that contains the dump.

 

-z --zip Stores the dump in a ZIP file.  

Netinfo Command

Used with the -a parameter, this command shows the settings of the network interfaces installed on the computer.

Short Form Full Parameter Description Notes

-h

--help

Opens command help.

 

-a

--all

Shows the settings of the network interfaces installed on the computer.

 

-f

--filename

Name of the file that contains the data.

 

-z

--zip

Stores the information in a ZIP file.

 

Pcap Command

This command captures the network traffic sent and received by the remote computer. Specify the start and end of the capture with the parameters - a start| stop. Packet capture generates temporary files on the computer so there must be sufficient hard disk space. The end result is a PCAP file that can be used directly by the Wireshark/Ethereal program.

Short Full Full Parameter Description Notes
-h --help Opens command help.  

-a

--action

Executes an action:

  • Ÿ start: Starts the capture process.
  • Ÿ stop: Stops the capture process.
  • Ÿ queryStatus: Shows the status of the capture process.

 

-m

--maxsize

Maximum size of the packet to capture, in megabytes (MB).

Ÿ Default value: 200 MB.

-i

--maxtime

Maximum capture time, in seconds.

Ÿ Default value: 86400 seconds (1 day).

-f

--filename

Name of the file that contains the data.

 

-z

--zip

Stores the information in a ZIP file.

 

Ports Command

Used with the - a parameter, this command shows the sockets open on the computer and the processes that opened them.

Short Form Full Parameter Description Notes
-h --help Opens command help.  
-a --all Shows all open ports and their associated processes.  

-p

--pid

Filters the results by process PID.

 

-n

--name

Filters the results by process name.

You can type only a partial string.

-f

--filename

Name of the file that contains the data.

 

Process Command

Used with the -a parameter, this command shows all processes loaded in the memory of the computer and their modules.

Short Form Full Parameter Description
-h --help Command help
-a -all Shows all processes loaded in the memory of the computer and their modules.
-p -pid Filters the results by process PID, showing the process modules.
-u -user Shows the processes launched by a user and their modules.
-f -filename Name of the file containing the data.

Url Command

Used with the -a any parameter, this command shows all the URLs accessed by users through the remote computer’s web browser. This command requires that the web access control feature is enabled.

Short Form Full Parameter Description Notes

-h

--help

Opens command help.

 

-a

--action

Filters the URL list by the action taken by the web access control feature

Actions:

  • Ÿ allow: Shows allowed URLs.
  • Ÿ deny: Shows denied URLs.
  • Ÿ any: Shows all visited URLs.

-c

--count

Maximum number of URLs to show.

Default value: unlimited.

-g

--category

Filters the URL list by the category assigned by the web access control feature.

 

-b

--begindate

Enables you to specify the start date to show visited URLs from.

Ÿ Date format: “YYYY-MM-DD HH:MM”.

Ÿ Default value: 30 days before the date you run the command.

-e

--enddate

Enables you to specify the end date to show visited URLs up to.

Ÿ Date format: “YYYY-MM-DD HH:MM”.

Ÿ Default value: Date you run the command.

-n

--urlpattern

Filters URLs by substring.

 

-u

--userpattern

Filters URLs by user.

 

-f

--filename

Name of the file that contains the data.

 

-z --zip Stores the information in a ZIP file.  

Related Topics

About the Remote Control Tool