Files and Directories
  • 13 Feb 2024
  • 1 Minute to read
  • Contributors
  • Dark
    Light

Files and Directories

  • Dark
    Light

Article Summary

This page contains details for events generated by Files and Directories sensor commands.

DIR_FINDHASH_REP

Response event for the dir_find_hash sensor command.

Platforms:

Sample Event:

{
    "DIRECTORY_LIST": [
        {
            "HASH": "f11dda931637a1a1bc614fc2f320326b24336c5155679aa062acae7c79f33d67",
            "ACCESS_TIME": 1535994794247,
            "FILE_SIZE": 113664,
            "CREATION_TIME": 1467173189067,
            "MODIFICATION_TIME": 1467173190171,
            "FILE_NAME": "MALWARE_DEMO_WINDOWS_1.exe",
            "ATTRIBUTES": 32,
            "FILE_PATH": "c:\\users\\dev\\desktop\\MALWARE_DEMO_WINDOWS_1.exe"
        },
        {
            "HASH": "e37726feee8e72f3ab006e023cb9d6fa1a4087274b47217d2462325fa8008515",
            "ACCESS_TIME": 1535989041078,
            "FILE_SIZE": 1016320,
            "CREATION_TIME": 1522507344821,
            "MODIFICATION_TIME": 1522507355732,
            "FILE_NAME": "lc_win_64.exe",
            "ATTRIBUTES": 32,
            "FILE_PATH": "c:\\users\\dev\\desktop\\lc_win_64.exe"
        }
    ],
    "HASH": [
        "f11dda931637a1a1bc614fc2f320326b24336c5155679aa062acae7c79f33d67",
        "e37726feee8e72f3ab006e023cb9d6fa1a4087274b47217d2462325fa8008515"
    ],
    "FILE_PATH": "*.exe",
    "DIRECTORY_LIST_DEPTH": 0,
    "DIRECTORY_PATH": "c:\\users\\dev\\desktop\\"
}

DIR_LIST_REP

Response event for the dir_list sensor command. Includes Alternate Data Streams on Windows.

Platforms:

Sample Event:

{
    "DIRECTORY_LIST": [
        {
            "FILE_NAME": "vssdk_full.exe",
            "CREATION_TIME": 1553437930012,
            "MODIFICATION_TIME": 1553437937000,
            "STREAMS": [
                {
                    "FILE_NAME": "::$DATA",
                    "SIZE": 13782032
                }
            ],
            "ACCESS_TIME": 1567868284440,
            "FILE_SIZE": 13782032,
            "ATTRIBUTES": 32,
            "FILE_PATH": "c:\\users\\dev\\desktop\\vssdk_full.exe"
        },
        {
            "FILE_NAME": "UniversalLog.txt",
            "CREATION_TIME": 1553028205525,
            "MODIFICATION_TIME": 1553028206289,
            "STREAMS": [
                {
                    "FILE_NAME": "::$DATA",
                    "SIZE": 125
                },
                {
                    "FILE_NAME": ":Zone.Identifier:$DATA",
                    "SIZE": 377
                }
            ],
            "ACCESS_TIME": 1567868284158,
            "FILE_SIZE": 125,
            "ATTRIBUTES": 32,
            "FILE_PATH": "c:\\users\\dev\\desktop\\UniversalLog.txt"
        }
    ]
}

FILE_DEL_REP

Response event for the file_del sensor command.

Platforms:

Sample Event:

{
  "FILE_PATH": "C:\\test\\test.txt"
}

FILE_GET_REP

Response event for the file_get sensor command.

Platforms:

Sample Event:

{
  "FILE_CONTENT": "$BASE64_ENCODED_FILE_CONTENTS",
  "FILE_PATH": "C:\\windows\\system32\\svchost.exe",
  "FILE_SIZE": 78880
}

FILE_HASH_REP

Response event for the file_hash sensor command.

Platforms:

Sample Event:

{
  "FILE_IS_SIGNED": 1,
  "FILE_PATH": "C:\\Windows\\System32\\svchost.exe",
  "HASH": "31780ff2aaf7bc71f755ba0e4fef1d61b060d1d2741eafb33cbab44d889595a0",
  "SIGNATURE": {
    "CERT_ISSUER": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
    "CERT_SUBJECT": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher",
    "FILE_CERT_IS_VERIFIED_LOCAL": 1,
    "FILE_IS_SIGNED": 1,
    "FILE_PATH": "C:\\Windows\\System32\\svchost.exe"
  }
}

FILE_INFO_REP

Response event for the file_info sensor command.

Platforms:

Sample Event:

{
  "ACCESS_TIME": 1686685723546,
  "ATTRIBUTES": 0,
  "CREATION_TIME": 1686685723546,
  "FILE_IS_SIGNED": 1,
  "FILE_PATH": "C:\\Windows\\System32\\svchost.exe",
  "FILE_SIZE": 78880,
  "MODIFICATION_TIME": 1686685723546
}

FILE_MOV_REP

Response event for the file_mov sensor command.

Platforms:

Sample Event:

{
  "DESTINATION": "C:\\test\\test.txt.bak",
  "SOURCE": "C:\\test\\test.txt"
}

LOG_GET_REP

Response from an log_get request.

LOG_LIST_REP

Response from an log_list request.


Was this article helpful?

What's Next