Files and Directories
  • 08 Feb 2024
  • 1 Minute to read
  • Contributors
  • Dark
    Light

Files and Directories

  • Dark
    Light

Article Summary

The following sensor commands perform actions against files and directories on EDR sensors.

dir_find_hash

Find files matching hashes starting at a root directory.

Platforms:

Return Event:
DIR_FINDHASH_REP

Usage:

usage: dir_find_hash [-h] [-d DEPTH] --hash HASHES rootDir fileExp

positional arguments:
  rootDir               the root directory where to begin the search from
  fileExp               a file name expression supporting basic wildcards like
                        * and ?

optional arguments:
  -d DEPTH, --depth DEPTH
                        optional maximum depth of the listing, defaults to a
                        single level
  --hash HASHES         sha256 to search for, can be specified multiple times

dir_list

List the contents of a directory.

Platforms:

Return Event:
DIR_LIST_REP

Usage:

usage: dir_list [-h] [-d DEPTH] rootDir fileExp

positional arguments:
  rootDir               the root directory where to begin the listing from
  fileExp               a file name expression supporting basic wildcards like
                        * and ?

optional arguments:
  -d DEPTH, --depth DEPTH
                        optional maximum depth of the listing, defaults to a
                        single level

file_del

Delete a file from the endpoint.

Platforms:

Return Event:
FILE_DEL_REP

**Usage: **

usage: file_del [-h] file

positional arguments:
  file        file path to delete

file_get

Retrieve a file from the endpoint.

Note: The file_get command is limited to 10MB in size. For files larger than 10MB, please utilize the artifact_get command.

Platforms:

Return Event:
FILE_GET_REP

Usage:

usage: file_get [-h] [-o OFFSET] [-s MAXSIZE] file

positional arguments:
  file                  file path to file to get

optional arguments:
  -o OFFSET, --offset OFFSET
                        offset bytes to begin reading the file at, in base 10
  -s MAXSIZE, --size MAXSIZE
                        maximum number of bytes to read, in base 10, max of
                        10MB

file_hash

Compute the hash of a file.

Platforms:

Return Event:
FILE_HASH_REP

Usage:

usage: file_hash [-h] file

positional arguments:
  file        file path to hash

file_info

Get file information, timestamps, sizes, etc.

Platforms:

Return Event:
FILE_INFO_REP

Usage:

usage: file_info [-h] file

positional arguments:
  file        file path to file to get info on

file_mov

Move / rename a file on the endpoint.

Platforms:

Return Event:
FILE_MOV_REP

Usage:

usage: file_mov [-h] srcFile dstFile

positional arguments:
  srcFile     source file path
  dstFile     destination file path

log_get

log_get is a legacy command that has been replaced with artifact_get. You can still issue a log_get command from the Sensor, however the parameters and output are the same as artifact_get.


Was this article helpful?

What's Next