LogoLogo
Back to binalyze.com
  • Welcome | Binalyze Knowledge Base
  • AIR
    • AIR
    • Introduction
      • What is AIR?
      • Terminology
      • Architecture
        • AIR Responder Architecture; overview and performance analysis
        • AIR Task Flow and Management
      • Network Communication
      • Cloud Forensics with Binalyze AIR
    • AIR Setup
      • Console Hardware Requirements
      • Console Pre-Installation
      • Console Installation
      • Microsoft Azure Cloud Platform Integration
      • AIR Relay Server
        • What is AIR Relay Server?
        • Requirements for installation
        • How to install a Relay Server on different Linux platforms
        • How to change IP address of Relay Server
        • How to install a Responder with Relay Server support
        • Proxy configurations
          • Adding proxy to Relay Server
          • Adding proxy to Responder
        • Service Management for Relay Server
        • Whitelisting for Relay Server
        • Retrieving metrics from Relay Server
        • Updating and Uninstalling Relay Server
        • Troubleshooting
      • AIR Responder - Supported Operating Systems
        • AIR Responder - MS Windows supported systems
        • AIR Responder - Apple macOS supported systems
        • AIR Responder - Linux (DEB/RPM) supported systems
        • AIR - ESXi Standalone Collector
        • AIR Responder - Chrome supported systems
          • AIR For Chrome
      • AIR Responder Hardware Requirements
      • AIR Responder Deployment
        • Golden Image
        • Responder & Active Directory OUs
        • AIR Responder Exception Rules
          • Binalyze AIR Watchdog Folder
        • FDA via Jamf and Apple’s PPPC utility
        • AIR Responder in Windows 'Safe Mode'
      • Uninstalling AIR Responders
      • Security
        • AIR Console Access Control
        • AIR SSL Enforcement
          • SSL Certificate Management in Binalyze AIR
        • Two-factor authentication (2FA)
      • Post-Deployment Configuration Guide
        • Using AIR CLI on Binalyze AIR Console
      • AIR's User Settings
    • Updating AIR
      • Single-Tier Systems
      • 2-Tier Systems
      • AIR Console Updating - SaaS
    • Backup
      • Restore AIR Backup using the CLI
    • Features
      • Acquisition
        • Task Creation
          • Regex in AIR/DRONE:
          • Asset Management with Persistent Saved Filters
          • Task Cancellation and Deletion
        • Acquisition Profiles
        • Supported Evidence
          • Windows Collections
          • macOS Collections
          • Linux Collections
          • IBM AIX Collections
        • Scheduling Tasks
        • Disk and Volume Imaging
          • Imaging with interACT
        • Chain Of Custody in AIR
      • Auto Tagging
      • Triage
        • Triage Rule Templates
          • YARA Templates
          • Sigma Templates
          • osquery Templates
        • Schedule Triage Tasks
      • interACT
        • interACT Commands
        • PowerShell commands in interACT
      • Compare
      • Timeline
      • Integrations
        • SSO Integrations
          • Microsoft Azure SSO Integration
          • Okta SAML 2.0 SSO Integration
        • Webhooks
          • Mattermost Integration
          • Splunk Integration
          • IBM QRadar Integration
          • Wazuh Integration
          • Cortex XSOAR Integration
          • Elasticsearch Logstash Kibana Integration
          • ServiceNow Integration
          • Sumo Logic Integration
          • Crowdstrike Integration
          • Microsoft Sentinel Integration
          • Slack Integration
          • Carbon Black Cloud Integration
          • Rapid7 InsightIDR Integration
          • LogicHub SOAR (DEVO) Integration
          • Fortigate SIEM Integration
          • Dynatrace Integration
          • Stellar XDR Integration
          • SentinelOne Integration
          • Microsoft 365 Defender Integration
          • Cisco XDR Integration
      • Event Subscription
      • AIR API
        • API in AIR is likely to be more effective than Webhooks
      • DRONE
        • What is DRONE?
        • What is an Analysis Pipeline?
        • Analyzers
          • Cross Platform Analyzers
            • MITRE ATT&CK Analyzer
              • MITRE ATT&CK Analyzer changelog
            • Dynamo Analyzer
            • Browser History Analyzer
            • Generic WebShell Analyzer
          • Windows Analyzers
            • Windows Event Records and how AIR handles them
              • Windows Event Logs in AIR v4.21 and older versions
              • Event Records Summary vs. Event Records
            • Prefetch Analyzer
            • Shellbag Data Fields
          • Linux Analyzers
          • macOS Analyzers
            • Audit Event Analyzer
      • AIR Investigation Hub
        • Using the AIR Investigation Hub
        • Investigation Hub – Data Usage Statistics Dashboard
      • AIR File Explorer
        • File Explorer - FAQs
      • Tornado (Preview Version)
        • Tornado Installation Guide
          • Tornado Operating System Support
        • Updating Tornado
        • Tornado demo video
        • Getting Started with Tornado
          • Tornado Terminology
        • Tornado Collectors
          • Accessing Google Workspace
            • Service Account Creation
              • Enable Service Account Key Creation
          • Access Modes in O365
            • O365 license types
        • Tornado Troubleshooting & Feedback
        • Tornado FAQs
      • Frank.AI
      • Asset Isolation
      • Evidence Repositories
      • Policies
      • Tags
      • Off-Network Responder
        • Setting Up a Custom Case Directory
        • biunzip
          • biunzip password file
      • Binalyze AIR Responder Proxy Support
      • Proxy Configuration on Binalyze AIR Console
      • Binalyze AIR Audit Logs
    • Troubleshooting
      • Binalyze AIR Console CPU Profiling for Performance Issues
      • Understanding MSI Error Code 1618
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
    • FAQs
      • Binalyze AIR Console Migration Procedure For Single-Tier Setup
      • Binalyze AIR Console Migration Procedure For 2-Tier Installation
      • Binalyze AIR Console Backup Procedure
      • Resolving the “Invalid Host Header. Host must be the Console Address” Error
      • How to download the collected evidence and artifacts in Binalyze AIR?
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
      • AIR responder troubleshooting
      • Understanding Port Usage in Binalyze AIR
      • How many assets can connect to a single Console instance?
      • How do I enable SSL on AIR?
      • Can I use AIR with EDR/XDR Products?
      • Can I integrate AIR with my SOAR/SIEM?
      • What (sub)domains are used by AIR?
      • Docker & Host System IP Conflict
      • Monitoring Responder and UI API's
      • How do I update AIR Console?
      • How do I update AIR Responders on assets?
      • How to reset the password of a user via the AIR-CLI?
      • Is there a way to move an asset from one Organization or Case to another?
      • Creating exclusions/exception rules for Binalyze AIR Responder on EPP and EDR Solutions
      • Anything missing?
      • How can I install a version of AIR that isn't the latest?
  • General
    • Licenses - Open-source Software List
Powered by GitBook
On this page
  • Purpose-Built for DFIR
  • User Privileges Tailored to Your Needs
  • Cross-Platform Commands for Seamless Operations
  • Deploy Your Favorite Scripts with Ease
  • Case Collaboration Made Simple
  • Full auditing and logging for Enhanced Visibility
  • Peace of Mind with Individual Privileges

Was this helpful?

Export as PDF
  1. AIR
  2. Features

interACT

Purpose-Built, Cross Platform Remote Shell for DFIR

PreviousSchedule Triage TasksNextinterACT Commands

Last updated 5 months ago

Was this helpful?

In the dynamic landscape of Digital Forensics and Incident Response (DFIR), having the right tools can make all the difference. Enter interACT Remote Shell, a purpose-built solution that differentiates itself from the crowd. This page takes you on a journey through the unique features that make interACT an invaluable asset for DFIR professionals.

Purpose-Built for DFIR

At its core, interACT is meticulously crafted for the intricate demands of Digital Forensics and Incident Response. It's not just another shell implementation; it's a specialized tool designed to meet the specific challenges faced by investigators and responders in the field.

Binalyze AIR’s interACT module is a comprehensive secure remote shell that is cross-platform and provides a standardized command set for Windows, macOS, and Linux to empower and greatly simplify the investigation process. Investigators and incident responders can connect to their assets easily by starting an interACT session via the AIR console.

When an interACT session is initiated, the AIR console connects to the asset in just a few seconds and provides a command line interface for investigators to begin their triage, mitigation, or other remediation actions.

User Privileges Tailored to Your Needs

Another very useful and unique feature of interACT is its ability to control access to features based on user permissions level. This allows DFIR team leaders and managers to create appropriate access profiles to match the experience and ability of each team member.

Currently, interACT has 3 levels of permissions:

Enumeration Privileges

Read Content Privileges Write

Execute Privileges

These access levels can be further enhanced by controlling individual users' access to organizations on the AIR platform resulting in a highly granular solution for access control.

Cross-Platform Commands for Seamless Operations

DFIR environments are diverse, with Windows, Linux, and MacOS systems. InterACT simplifies operations by supporting cross-platform commands, ensuring a consistent and efficient experience across different operating systems.

interACT’s Library feature allows DFIR managers and team leaders to upload standardized investigation assets like scripts and toolkits, making it easy for individual analysts to utilize them with a single click during their investigation.

Deploy Your Favorite Scripts with Ease

Repetitive tasks are an inevitable part of DFIR. With interACT's library, you can deploy your favorite scripts effortlessly. This not only saves time but also ensures consistency in your investigative processes.

Case Collaboration Made Simple

Collaboration is at the heart of effective incident response. With InterACT, you can attach sessions to specific cases, promoting seamless collaboration among team members. This feature streamlines communication and ensures everyone is on the same page during investigations.

Also, by providing access to the Library of approved assets, a more uniform investigative process across the whole team can be defined and encouraged.

Full auditing and logging for Enhanced Visibility

Another valuable feature of interACT is the full auditing and logging capability. This not only enhances visibility but also facilitates compliance with rigorous security standards. Every command used and response received is logged in a real-time interACT session report. Additionally, if any files are transferred between the analyst and the asset, these are logged, including their hash values.

InterACT has three levels of audit:

Firstly, the interACT session log is generated as a Case Report and saved as a Task immediately after the session is closed.

Next is the Global Audit Log which can not be purged

Thirdly, the user can export the interACT audit logs to their Syslog server for analysis.

InterACT is a powerful tool, so this comprehensive auditing capability provides peace of mind that, should you need to demonstrate exactly what happened during a remote shell session, you can do just that.

The interACT command-line parser will use Unix-like command line parsing methods due to the libraries used and the missing Windows libraries. Because of that, a Windows user will have to write a del command like this:

  • del C:/xyz/abc.txt # use forward slashes

  • del 'C:\xyz\abc.txt' # within single quotes

The following is currently invalid and probably will be invalid in the future due to the Windows non-standard way of command-line parsing and escaping characters.

  • del C:\xyz\abc.txt # Invalid

  • del "C:\xyz\abc.txt" # Invalid

Peace of Mind with Individual Privileges

InterACT provides peace of mind by offering individual privileges for command sets. This fine-grained control allows you to balance the need for access with the imperative of maintaining a secure environment.

In conclusion, interACT Remote Shell is not just a tool; it's a game-changer for DFIR professionals. Its purpose-built design, user privilege customization, cross-platform compatibility, Syslog integration, script deployment capabilities, collaborative features, and emphasis on individual privileges make it a versatile and indispensable asset in the arsenal of any cybersecurity expert.

interACT Commands