Files and Directories
  • 08 Feb 2024

The following sensor commands perform actions against files and directories on EDR sensors.

dir_find_hash

Find files matching hashes starting at a root directory.

Platforms:

Return Event:
DIR_FINDHASH_REP

Usage:

usage: dir_find_hash [-h] [-d DEPTH] --hash HASHES rootDir fileExp

positional arguments:
  rootDir               the root directory where to begin the search from
  fileExp               a file name expression supporting basic wildcards like
                        * and ?

optional arguments:
  -d DEPTH, --depth DEPTH
                        optional maximum depth of the listing, defaults to a
                        single level
  --hash HASHES         sha256 to search for, can be specified multiple times
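
Added example (not part of the original documentation or the vendor's code): because --hash accepts only SHA-256 values, this Python helper splits a mixed indicator list into usable SHA-256 hashes and rejected entries, then assembles the dir_find_hash argument tokens using only the options shown above. The function names, the non-negative depth check and the sample values are assumptions made for illustration; how the tokens are quoted and submitted to the sensor is left out.

```python
import hashlib
import re

SHA256_RE = re.compile(r"[0-9a-f]{64}")


def split_indicators(indicators):
    """Return (sha256_values, rejected) from a mixed list of hash strings."""
    usable, rejected, seen = [], [], set()
    for raw in indicators:
        value = raw.strip().lower()
        if not value:
            continue  # skip blank lines from the feed
        if SHA256_RE.fullmatch(value):
            if value not in seen:  # de-duplicate case variants
                seen.add(value)
                usable.append(value)
        else:
            rejected.append(value)  # MD5, SHA-1 or malformed: not searchable here
    return usable, rejected


def dir_find_hash_args(root_dir, file_exp, indicators, depth=None):
    """Build argument tokens for dir_find_hash; also return what was rejected."""
    usable, rejected = split_indicators(indicators)
    if not usable:
        raise ValueError("no SHA-256 values to search for")
    args = ["dir_find_hash"]
    if depth is not None:
        if int(depth) < 0:  # this example's own sanity check
            raise ValueError("depth must be a non-negative integer")
        args += ["-d", str(int(depth))]
    for digest in usable:
        args += ["--hash", digest]  # --hash can be specified multiple times
    return args + [root_dir, file_exp], rejected


# Constructed sample feed: two SHA-256 values (one repeated in upper case),
# one MD5-length and one SHA-1-length string, and a blank entry.
H1 = hashlib.sha256(b"constructed-sample-1").hexdigest()
H2 = hashlib.sha256(b"constructed-sample-2").hexdigest()
SAMPLE_FEED = [H1.upper(), H1, "0" * 32, "  " + H2 + "\n", "", "0" * 40]

if __name__ == "__main__":
    tokens, skipped = dir_find_hash_args("/home", "*", SAMPLE_FEED, depth=3)
    print(" ".join(tokens))
    print("not searchable with dir_find_hash:", skipped)
```
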

dir_list

List the contents of a directory.

Platforms:

Return Event:
DIR_LIST_REP

Usage:

usage: dir_list [-h] [-d DEPTH] rootDir fileExp

positional arguments:
  rootDir               the root directory where to begin the listing from
  fileExp               a file name expression supporting basic wildcards like
                        * and ?

optional arguments:
  -d DEPTH, --depth DEPTH
                        optional maximum depth of the listing, defaults to a
                        single level

file_del

Delete a file from the endpoint.

Platforms:

Return Event:
FILE_DEL_REP

Usage:

usage: file_del [-h] file

positional arguments:
  file        file path to delete

file_get

Retrieve a file from the endpoint.

Note: The file_get command is limited to 10MB in size. For files larger than 10MB, please utilize the artifact_get command.

Platforms:

Return Event:
FILE_GET_REP

Usage:

usage: file_get [-h] [-o OFFSET] [-s MAXSIZE] file

positional arguments:
  file                  file path to file to get

optional arguments:
  -o OFFSET, --offset OFFSET
                        offset bytes to begin reading the file at, in base 10
  -s MAXSIZE, --size MAXSIZE
                        maximum number of bytes to read, in base 10, max of
                        10MB

file_hash

Compute the hash of a file.

Platforms:

Return Event:
FILE_HASH_REP

Usage:

usage: file_hash [-h] file

positional arguments:
  file        file path to hash

file_info

Get file information, timestamps, sizes, etc.

Platforms:

Return Event:
FILE_INFO_REP

Usage:

usage: file_info [-h] file

positional arguments:
  file        file path to file to get info on

file_mov

Move / rename a file on the endpoint.

Platforms:

Return Event:
FILE_MOV_REP

Usage:

usage: file_mov [-h] srcFile dstFile

positional arguments:
  srcFile     source file path
  dstFile     destination file path

log_get

log_get is a legacy command that has been replaced with artifact_get. You can still issue a log_get command from the Sensor; however, the parameters and output are the same as artifact_get.

