interACT Commands

interACT has been built specifically for DFIR. Typing ‘help’ at the command prompt lists all current commands, which are:

cat: To display the content of a file.

cd: To change the current working directory.

curl: To make HTTP requests.

del or delete or rm: For deleting a file or folder.

dir or ls: Will list the files and folders in a chosen directory.

exec or execute: Will allow you to execute a process on the endpoint with the native shell and return results with stdout/stderr.

find: Allows searching of a file or directory.

get: To pull a file from the endpoint down to the console.

hash: Will display the hash value of a file.

head: To display the first 10 lines of a file.

help: Will display any help messages and switches that you can apply to commands available to you at your current position.

hex: Will display the hex encoded output of the first 100 bytes of a file.

image: To read a disk or volume and write its contents out as a .dd file. This can also be done from the UI but remains here in interACT for those who prefer to image from the command line.

kill: To terminate a process.

mkdir: Will create a directory.

osquery: Gives the user access to osquery queries within the interACT session.

pslist: Will display the running process list.

put: Allows the user to push a file from the library to the endpoint.

pwd: Displays the present working directory.

volumes: Will list the mounted volumes.

yara: Scan files or processes with YARA rules.

zip: This command will compress or decompress a file or folder.


From AIR v4.5, users can speed up workflows by adding the following flags to the ‘get’ command in interACT for files they want to download:

  • Compression: ‘-zip’

  • Password protection: ‘-zip-password’

  • File name change: ‘-name’
