Live Terminal

Feature Requirements

  • DarkBytes Respond Subscription
  • DarkBytes Host Sensor 1.2.7 or later
  • Windows, macOS, or Linux
  • User Group - Administrator or Terminal

What is a Live Terminal

A Live Terminal is a remote, privileged command-line shell that provides DarkBytes Respond users with a way to perform incident response and IT operations tasks securely. Every session is tightly controlled and audited, which enables Privileged Access Management ("PAM") use cases such as incident response, forensics, and system administration.

Live Terminal sessions are a real-time, streamed command shell using the WebSocket protocol ("wss://").

Platform    Shell                        Privilege
Windows     \Windows\System32\cmd.exe    SYSTEM
macOS       /bin/bash                    root
Linux       /bin/bash                    root


Live Terminal Security

The Live Terminal feature is disabled by default and must be enabled by a DarkBytes administrator. It is not possible for any Live Terminal sessions to be created while the feature is disabled.

In addition, only Administrator users will have permission to access the Live Terminal feature by default. Non-administrator users must be assigned to the "Terminal" group to use the feature.

Enable Multi-factor Authentication

It is highly recommended that all Administrator users and all users in the Terminal group enable multi-factor authentication ("MFA") on their accounts.

Live Terminal Policy

Enabling Live Terminal

Enabling the Live Terminal feature must be done by a DarkBytes administrator by changing the Policy.

After logging into the DarkBytes Portal, open "Admin" and then click "Policy" from the main navigation.

Switch the toggle for "Live Terminal Enabled" from "False" to "True".

This will enable the feature and show extended policy options which are covered in the subsequent sections below.

Creation Alerts

After enabling Live Terminal, a policy option can be enabled to send email alerts every time a new Live Terminal session is created.

Switch the toggle from "False" to "True" to enable Live Terminal Creation alerts.

Next, enter an email address that the alerts should be sent to. This email address can be a specific person or a distribution group.

Restrict Hosts

Organizations may want to restrict access to Live Terminal for specific hosts. The Restrict Hosts feature provides a white-list of hosts for which Live Terminal sessions can be created.

IMPORTANT - This feature is completely optional. By default, Live Terminal sessions can be created on any host assuming that Live Terminal is enabled.

Click "Save" to apply the Policy changes.

Granting Permission to Users

By default, only Administrator users in the DarkBytes Portal will have access to the Live Terminal feature. Normal, non-Administrator users will have to be added to the "Terminal" group manually.

Open "Admin" and then "Users" to manage the DarkBytes user groups. Find the user that should be granted permission and click "Change Groups".

Click "Terminal" and then "Apply" to save the group. The user must log out and log in to receive the new group or wait 1 hour for it to automatically refresh.

Audit Logging

Audit Logs are created when new Live Terminal sessions are created and when commands are executed. Each log includes the username (email address) of the DarkBytes user and the Host Identifier of the host.

These logs are generated and stored in a secure database. There is no ability for users to add, remove, or modify Audit Logs.

Using Live Terminal

Log into the DarkBytes Portal and click "Respond" and then "Live Terminal" from the main navigation. This requires an Administrator user or permission for the "Terminal" group.

Click "Create Terminal" for a specific host. A prompt will appear warning the user that activity will be logged and the administrator will be notified.

Click "Confirm" to open a session which will appear in a tab. The host may take up to 15 seconds to receive the notification and open the terminal session.

NOTE - Each user may have up to 10 tabs and each host can have up to 2 simultaneous sessions.

Commands can be executed and the terminal will send the resulting output back in real-time.

The current timeout for an individual command is 10 seconds. Interactive text editors such as "vim" and "nano" are not currently supported.

Live Terminal Sessions

Each time a Live Terminal is created a corresponding "session" is created. This concept is important because it improves collaboration and audit capabilities.

Multiple, Simultaneous Users

All sessions can be seen by all users that are authorized for the Live Terminal feature.

For example, if user 1 creates a Live Terminal session, user 2 can also see and connect to that same session. In addition, multiple users can connect to the same session at the same time. Commands and output from the endpoint are sent to all connected users. Each executed command is logged with the originating user (email address).

This enables teams to collaborate in real-time by sharing the same session.

Audit Logging

All audit logs contain the session identifier. This allows security and privacy teams to track Live Terminal access to ensure it's not being misused.
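The audit records described above (username, Host Identifier, session identifier, executed command) are what a security or privacy team would review for misuse. The script below is an added example and is not DarkBytes code; the record layout, field names, timestamps and the "session_closed" event are assumptions for illustration, since this page does not document the log format. It checks exported records against the expected state from the Policy and Users pages (the authorized user set, the Restrict Hosts allow-list, and the documented limit of 2 simultaneous sessions per host) and reconstructs who ran which commands in a shared session.

```python
"""Review constructed Live Terminal audit records for policy drift.

Assumed record layout (not documented on the page): each record carries
ts, event, user (email), host (Host Identifier), session, and for
command events the executed command.
"""
from collections import defaultdict

# Constructed sample records; not real DarkBytes audit log output.
AUDIT_LOG = [
    {"ts": "2024-05-01T10:00:00Z", "event": "session_created",
     "user": "alice@example.com", "host": "HOST-001", "session": "s-1"},
    {"ts": "2024-05-01T10:00:05Z", "event": "command_executed",
     "user": "alice@example.com", "host": "HOST-001", "session": "s-1",
     "command": "whoami"},
    {"ts": "2024-05-01T10:01:00Z", "event": "session_created",
     "user": "bob@example.com", "host": "HOST-001", "session": "s-2"},
    {"ts": "2024-05-01T10:01:10Z", "event": "command_executed",
     "user": "bob@example.com", "host": "HOST-001", "session": "s-1",
     "command": "tasklist"},  # bob joined alice's shared session s-1
    {"ts": "2024-05-01T10:01:30Z", "event": "session_closed",
     "user": "bob@example.com", "host": "HOST-001", "session": "s-2"},
    {"ts": "2024-05-01T10:02:00Z", "event": "session_created",
     "user": "mallory@example.com", "host": "HOST-009", "session": "s-3"},
    {"ts": "2024-05-01T10:02:30Z", "event": "session_created",
     "user": "carol@example.com", "host": "HOST-001", "session": "s-4"},
    {"ts": "2024-05-01T10:03:00Z", "event": "session_created",
     "user": "carol@example.com", "host": "HOST-001", "session": "s-5"},
]

# Expected state as configured in the Portal (assumed values for the example).
AUTHORIZED_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}
RESTRICTED_HOSTS = {"HOST-001", "HOST-002"}  # Restrict Hosts allow-list
MAX_SESSIONS_PER_HOST = 2                    # limit stated in the documentation


def review_audit_log(records, authorized_users, allowed_hosts, max_per_host):
    """Return (reason, record) findings for a human reviewer.

    allowed_hosts may be empty, mirroring Restrict Hosts being optional.
    """
    findings = []
    open_sessions = defaultdict(set)  # host -> session ids currently open
    for rec in records:
        if rec["user"] not in authorized_users:
            findings.append(("unauthorized_user", rec))
        if allowed_hosts and rec["host"] not in allowed_hosts:
            findings.append(("host_not_in_allow_list", rec))
        if rec["event"] == "session_created":
            open_sessions[rec["host"]].add(rec["session"])
            if len(open_sessions[rec["host"]]) > max_per_host:
                findings.append(("too_many_sessions_on_host", rec))
        elif rec["event"] == "session_closed":
            open_sessions[rec["host"]].discard(rec["session"])
    return findings


def session_timeline(records, session_id):
    """Reconstruct, in order, who ran which command inside one shared session."""
    return [(r["ts"], r["user"], r["command"])
            for r in records
            if r["session"] == session_id and r["event"] == "command_executed"]


if __name__ == "__main__":
    for reason, rec in review_audit_log(AUDIT_LOG, AUTHORIZED_USERS,
                                        RESTRICTED_HOSTS, MAX_SESSIONS_PER_HOST):
        print(f"{reason:26} {rec['ts']} {rec['user']} {rec['host']} {rec['session']}")
    for ts, user, cmd in session_timeline(AUDIT_LOG, "s-1"):
        print(f"s-1 {ts} {user}: {cmd}")
```

Because the platform itself enforces the user groups, the allow-list and the per-host limit, a finding from this review normally indicates stale expected state on the reviewer's side (a user added to the Terminal group, a host added to Restrict Hosts) rather than a bypass; either way it is the record to investigate.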