    Files and Directories
    08 Feb 2024

    The following sensor commands perform actions against files and directories on EDR sensors.

    dir_find_hash

    Find files matching hashes starting at a root directory.

    Platforms:

    Return Event:
    DIR_FINDHASH_REP

    Usage:

    usage: dir_find_hash [-h] [-d DEPTH] --hash HASHES rootDir fileExp
    
    positional arguments:
      rootDir               the root directory where to begin the search from
      fileExp               a file name expression supporting basic wildcards like
                            * and ?
    
    optional arguments:
      -d DEPTH, --depth DEPTH
                            optional maximum depth of the listing, defaults to a
                            single level
      --hash HASHES         sha256 to search for, can be specified multiple times

    dir_list

    List the contents of a directory.

    Platforms:

    Return Event:
    DIR_LIST_REP

    Usage:

    usage: dir_list [-h] [-d DEPTH] rootDir fileExp
    
    positional arguments:
      rootDir               the root directory where to begin the listing from
      fileExp               a file name expression supporting basic wildcards like
                            * and ?
    
    optional arguments:
      -d DEPTH, --depth DEPTH
                            optional maximum depth of the listing, defaults to a
                            single level

    file_del

    Delete a file from the endpoint.

    Platforms:

    Return Event:
    FILE_DEL_REP

    Usage:

    usage: file_del [-h] file
    
    positional arguments:
      file        file path to delete

    file_get

    Retrieve a file from the endpoint.

    Note: The file_get command is limited to 10MB in size. For files larger than 10MB, please utilize the artifact_get command.

    Platforms:

    Return Event:
    FILE_GET_REP

    Usage:

    usage: file_get [-h] [-o OFFSET] [-s MAXSIZE] file
    
    positional arguments:
      file                  file path to file to get
    
    optional arguments:
      -o OFFSET, --offset OFFSET
                            offset bytes to begin reading the file at, in base 10
      -s MAXSIZE, --size MAXSIZE
                            maximum number of bytes to read, in base 10, max of
                            10MB
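    The two commands above that take more than a bare path, dir_find_hash (repeatable --hash, --depth) and file_get (--offset, --size, 10MB cap), are the ones most easily mis-issued from a response playbook. As an added example that is not part of this documentation and not LimaCharlie's own SDK, the Python below builds those command lines from the usage text on this page and refuses a file_get that would exceed the 10MB limit, falling back to artifact_get as the note recommends. The helper names (build_dir_find_hash, build_file_get, choose_retrieval, _quote), the double-quoting of paths that contain spaces, and the sample hashes and paths are all assumptions made for the example; the page does not describe how a built command is delivered to a sensor, so that step is left to the caller.

```python
import re

# Constants taken from the command reference on this page.
FILE_GET_MAX_BYTES = 10 * 1024 * 1024         # file_get is limited to 10MB
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")  # --hash expects sha256 digests


def _quote(token):
    # Assumption: the sensor's argument parser accepts double-quoted tokens
    # for paths containing spaces. Tokens without whitespace are passed as-is.
    if any(ch.isspace() for ch in token):
        return '"' + token.replace('"', '\\"') + '"'
    return token


def build_dir_find_hash(root_dir, file_exp, hashes, depth=None):
    """Build a dir_find_hash command line for a list of sha256 indicators.

    Each digest is validated before the task is issued so a malformed entry
    in an indicator list is rejected locally rather than failing on the
    sensor. --hash is repeated once per value, as the usage text allows.
    """
    if not hashes:
        raise ValueError("dir_find_hash requires at least one --hash")
    parts = ["dir_find_hash"]
    if depth is not None:
        if depth < 1:
            raise ValueError("depth must be a positive integer")
        parts += ["--depth", str(depth)]
    for digest in hashes:
        if not SHA256_RE.match(digest):
            raise ValueError("not a sha256 hex digest: %r" % (digest,))
        parts += ["--hash", digest.lower()]
    parts += [root_dir, file_exp]
    return " ".join(_quote(p) for p in parts)


def build_file_get(path, offset=0, max_size=None):
    """Build a file_get command line, enforcing the documented 10MB cap.

    Returns None when the requested read is larger than file_get allows, so
    the caller can switch to artifact_get as the note above recommends.
    """
    if offset < 0:
        raise ValueError("offset must be >= 0")
    if max_size is not None and not (1 <= max_size <= FILE_GET_MAX_BYTES):
        return None
    parts = ["file_get"]
    if offset:
        parts += ["--offset", str(offset)]
    if max_size is not None:
        parts += ["--size", str(max_size)]
    parts.append(path)
    return " ".join(_quote(p) for p in parts)


def choose_retrieval(path, size_bytes):
    """Pick the retrieval command from a known file size (e.g. from file_info).

    Files up to 10MB are fetched with a single file_get sized to the file;
    larger files are routed to artifact_get, whose arguments are documented
    on a separate page, so only the command name is returned for them.
    """
    if size_bytes < 0:
        raise ValueError("size_bytes must be >= 0")
    if size_bytes <= FILE_GET_MAX_BYTES:
        return build_file_get(path, max_size=size_bytes or None)
    return "artifact_get"


if __name__ == "__main__":
    # Constructed sample indicators and paths; not real IoCs.
    sample_hashes = ["a" * 64, "B" * 64]
    print(build_dir_find_hash("C:\\Users", "*.exe", sample_hashes, depth=4))
    print(build_file_get("C:\\Program Files\\app\\config.ini", max_size=4096))
    print(choose_retrieval("/var/log/syslog", 25 * 1024 * 1024))
```

    The size check in choose_retrieval is the practical point: file_info reports sizes, so a playbook can decide between file_get and artifact_get before issuing a task that would be rejected or truncated at the 10MB boundary.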

    file_hash

    Compute the hash of a file.

    Platforms:

    Return Event:
    FILE_HASH_REP

    Usage:

    usage: file_hash [-h] file
    
    positional arguments:
      file        file path to hash

    file_info

    Get file information, timestamps, sizes, etc.

    Platforms:

    Return Event:
    FILE_INFO_REP

    Usage:

    usage: file_info [-h] file
    
    positional arguments:
      file        file path to file to get info on

    file_mov

    Move / rename a file on the endpoint.

    Platforms:

    Return Event:
    FILE_MOV_REP

    Usage:

    usage: file_mov [-h] srcFile dstFile
    
    positional arguments:
      srcFile     source file path
      dstFile     destination file path

    log_get

    log_get is a legacy command that has been replaced with artifact_get. You can still issue a log_get command from the Sensor; however, its parameters and output are the same as those of artifact_get.
