    Payloads

    10 Jul 2023

    run

    Execute a payload or a shell command on the sensor.

    Platforms:

    usage: run [-h] [--payload-name NAME] [--arguments ARGUMENTS]
               [--shell-command SHELLCMD] [--timeout TIMEOUT] [--is-ignore-cert]
               [--interpreter INTERPRETER]

    optional arguments:
      --payload-name NAME   name of the payload to run
      --arguments ARGUMENTS
                            arguments to run the payload with
      --shell-command SHELLCMD
                            shell command to run
      --timeout TIMEOUT     number of seconds to wait for payload termination
      --is-ignore-cert      if specified, the sensor will ignore SSL cert mismatch
                            while uploading the log
      --interpreter INTERPRETER
                            specifies that the named payload should be executed with
                            a specific interpreter like "powershell"

    Note on usage scenarios for the --is-ignore-cert flag: If the sensor is deployed on a host where built-in root CAs are not up to date or present at all, it may be necessary to use the --is-ignore-cert flag to allow the sensor to pull the payload to execute from the cloud.

    Using Arguments

    In some cases, using the --arguments parameter may result in an error. If so, insert a leading space into the provided arguments.

    For example: --arguments ' -ano'

    Unlike the main sensor transport (which uses a pinned certificate), the Payloads feature uses Google infrastructure and their public SSL certificates.

    This may sometimes come up in unexpected ways. For example, fresh Windows Server installations do not have the root CAs for google.com enabled by default.

    put

    Upload a payload to an endpoint without executing it.

    Platforms:

    usage: put [-h] --payload-name NAME [--payload-path PATH] [--is-ignore-cert]

    optional arguments:
      --payload-name NAME  name of the payload to run
      --payload-path PATH  full path where to put the payload (including file name)
      --is-ignore-cert     if specified, the sensor will ignore SSL cert mismatch

    Response Event(s):
    RECEIPT
    CLOUD_NOTIFICATION

    Error Codes

    A 200 ERROR code implies a successful put command, and will include the resulting file path. Any other error codes can be investigated here.

    Command Notes:

    Note on usage scenarios for the --is-ignore-cert flag: If the sensor is deployed on a host where built-in root CAs are not up to date or present at all, it may be necessary to use the --is-ignore-cert flag to allow the sensor to pull the payload to execute from the cloud.

    Unlike the main sensor transport (which uses a pinned certificate), the Payloads feature uses Google infrastructure and their public SSL certificates.

    This may sometimes come up in unexpected ways. For example, fresh Windows Server installations do not have the root CAs for google.com enabled by default.

    Example:

    Assume you have a payload named sample-script.sh and you want to upload it to the /tmp folder on a remote system, keeping the same name:

    put --payload-name "sample-script.sh" --payload-path "/tmp/sample-script.sh"

    If successful, this action will yield the following RECEIPT event:

    {
        "details": {
            "event": {
                "ERROR": 200,
                "FILE_PATH": "/tmp/sample-script.sh"
            }
        },
        "routing": {...}
    }
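The put example above and the --arguments note under run, as an added Python helper (not LimaCharlie's own code or SDK; the function names are this example's own, and shell-style quoting of the sensor command line is assumed):

```python
import json
import shlex

# Added example, not LimaCharlie's own code or SDK: builds the put/run command
# lines shown above (shell-style quoting assumed) and checks a put RECEIPT.

def build_put_command(payload_name, payload_path=None, ignore_cert=False):
    """Return the `put` command line for a named payload."""
    parts = ["put", "--payload-name", shlex.quote(payload_name)]
    if payload_path is not None:
        parts += ["--payload-path", shlex.quote(payload_path)]
    if ignore_cert:
        parts.append("--is-ignore-cert")
    return " ".join(parts)

def build_run_command(payload_name=None, arguments=None, shell_command=None,
                      timeout=None, ignore_cert=False, interpreter=None):
    """Build `run`; dash-leading --arguments get the documented leading space."""
    if (payload_name is None) == (shell_command is None):
        raise ValueError("give exactly one of payload_name or shell_command")
    parts = ["run"]
    if payload_name is not None:
        parts += ["--payload-name", shlex.quote(payload_name)]
        if arguments is not None:
            if arguments.startswith("-"):
                arguments = " " + arguments  # '-ano' becomes ' -ano'
            parts += ["--arguments", shlex.quote(arguments)]
        if interpreter is not None:
            parts += ["--interpreter", shlex.quote(interpreter)]
    else:
        parts += ["--shell-command", shlex.quote(shell_command)]
    if timeout is not None:
        parts += ["--timeout", str(int(timeout))]
    if ignore_cert:
        parts.append("--is-ignore-cert")
    return " ".join(parts)

# Constructed sample RECEIPT, shaped like the one above (routing left empty).
SAMPLE_RECEIPT = ('{"details":{"event":{"ERROR":200,'
                  '"FILE_PATH":"/tmp/sample-script.sh"}},"routing":{}}')

def put_file_path(receipt):
    """FILE_PATH from a put RECEIPT (JSON text or dict) if ERROR is 200, else None."""
    if isinstance(receipt, str):
        receipt = json.loads(receipt)
    event = receipt.get("details", {}).get("event", {})
    if event.get("ERROR") != 200:
        return None  # any other code, or a missing field, counts as failure
    return event.get("FILE_PATH")
```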
