Payloads
run
Execute a payload or a shell command on the sensor.
Platforms:
usage: run [-h] [--payload-name NAME] [--arguments ARGUMENTS]
           [--shell-command SHELLCMD] [--timeout TIMEOUT] [--is-ignore-cert]
           [--interpreter INTERPRETER]

optional arguments:
  --payload-name NAME        name of the payload to run
  --arguments ARGUMENTS      arguments to run the payload with
  --shell-command SHELLCMD   shell command to run
  --timeout TIMEOUT          number of seconds to wait for payload termination
  --is-ignore-cert           if specified, the sensor will ignore SSL cert mismatch
                             while upload the log
  --interpreter INTERPRETER  specifies that the named payload should be executed with
                             a specific interpreter like "powershell"
Note on usage scenarios for the --is-ignore-cert flag: if the sensor is deployed on a host where the built-in root CAs are not up to date or are not present at all, it may be necessary to use the --is-ignore-cert flag to allow the sensor to pull the payload to execute from the cloud.

In some cases, using the --arguments parameter may result in an error. If so, insert a leading space into the provided arguments, for example --arguments ' -ano'.

Unlike the main sensor transport (which uses a pinned certificate), the Payloads feature uses Google infrastructure and their public SSL certificates. This may sometimes come up in unexpected ways; for example, fresh Windows Server installations do not have the root CAs for google.com enabled by default.
put
Upload a payload to an endpoint without executing it.
Platforms:
usage: put [-h] --payload-name NAME [--payload-path PATH] [--is-ignore-cert]

optional arguments:
  --payload-name NAME  name of the payload to run
  --payload-path PATH  full path where to put the payload (including file name)
  --is-ignore-cert     if specified, the sensor will ignore SSL cert mismatch
Response Event(s):
  RECEIPT
  CLOUD_NOTIFICATION

A 200 ERROR code implies a successful put command, and the event will include the resulting file path. Any other error codes can be investigated here.
Command Notes:
Note on usage scenarios for the --is-ignore-cert flag: if the sensor is deployed on a host where the built-in root CAs are not up to date or are not present at all, it may be necessary to use the --is-ignore-cert flag to allow the sensor to pull the payload to execute from the cloud.

Unlike the main sensor transport (which uses a pinned certificate), the Payloads feature uses Google infrastructure and their public SSL certificates. This may sometimes come up in unexpected ways; for example, fresh Windows Server installations do not have the root CAs for google.com enabled by default.
Example:
Assume you have a payload named sample-script.sh, and you want to upload it to the /tmp folder on a remote system, keeping the same name:

  put --payload-name "sample-script.sh" --payload-path "/tmp/sample-script.sh"

If successful, this action will yield the following RECEIPT event:

  {
    "details": {
      "event": {
        "ERROR": 200,
        "FILE_PATH": "/tmp/sample-script.sh"
      }
    },
    "routing": {...}
  }
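The following is an added helper, not part of this documentation or the sensor's own code, that assembles run and put command lines (including the leading-space workaround for --arguments described above) and checks a put RECEIPT for the 200 ERROR code and the expected FILE_PATH. The RECEIPT events are constructed to match the shape shown above; shlex-style quoting of the command line is an assumption about how the command parser tokenizes input.

```python
import json
import shlex

# Constructed RECEIPT events modelled on the one shown above; not captured
# from a real sensor. "routing" is elided on the page, so it is left empty here.
SAMPLE_OK = json.dumps({
    "details": {"event": {"ERROR": 200, "FILE_PATH": "/tmp/sample-script.sh"}},
    "routing": {},
})
SAMPLE_FAIL = json.dumps({"details": {"event": {"ERROR": 5}}, "routing": {}})


def build_put(payload_name, payload_path, ignore_cert=False):
    """Assemble a `put` command line; shlex quoting is an assumed convention."""
    parts = ["put", "--payload-name", payload_name, "--payload-path", payload_path]
    if ignore_cert:
        parts.append("--is-ignore-cert")
    return " ".join(shlex.quote(p) for p in parts)


def build_run(payload_name, arguments=None, timeout=None, interpreter=None,
              pad_arguments=False):
    """Assemble a `run` command line. pad_arguments applies the leading-space
    workaround documented above (e.g. ' -ano') for when the plain form errors."""
    parts = ["run", "--payload-name", payload_name]
    if arguments is not None:
        if pad_arguments and not arguments.startswith(" "):
            arguments = " " + arguments
        parts += ["--arguments", arguments]
    if timeout is not None:
        parts += ["--timeout", str(timeout)]
    if interpreter is not None:
        parts += ["--interpreter", interpreter]
    return " ".join(shlex.quote(p) for p in parts)


def put_file_path(receipt, expected_path=None):
    """Return FILE_PATH from a put RECEIPT when ERROR is 200; raise otherwise.
    If expected_path is given, also require the sensor wrote to that exact path,
    so a silently different location is treated as a failure."""
    event = json.loads(receipt) if isinstance(receipt, str) else receipt
    details = event.get("details", {}).get("event", {})
    code = details.get("ERROR")
    if code != 200:
        raise RuntimeError(f"put failed with ERROR code {code!r}")
    path = details.get("FILE_PATH")
    if expected_path is not None and path != expected_path:
        raise RuntimeError(f"sensor wrote {path!r}, expected {expected_path!r}")
    return path
```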