interACT Commands
interACT is built into AIR specifically for DFIR work. The full list of current commands can be displayed by typing 'help' at the command prompt; it is also reproduced below, after the following important hint:
The interACT command-line parser uses Unix-like parsing rules, because the libraries it is built on follow Unix conventions and no Windows-specific parsing library is used. As a result, a Windows user has to write a del command in one of these two forms:
del C:/xyz/abc.txt # use forward slashes
del 'C:\xyz\abc.txt' # within single quotes
The following forms are currently invalid and will probably remain so, because Windows command-line parsing and character escaping do not follow the standard (Unix) conventions:
del C:\xyz\abc.txt # Invalid
del "C:\xyz\abc.txt" # Invalid
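To show why bare backslashes break under Unix-like parsing, this added example (not part of the interACT documentation or product) tokenizes the three unambiguous forms from the hint with Python's shlex in POSIX mode, used here as a stand-in for a Unix-like parser rather than interACT's actual implementation:

```python
import shlex

# Constructed input: the path the operator actually intends to delete.
INTENDED = r"C:\xyz\abc.txt"


def tokenize(cmdline: str) -> list[str]:
    """Split a command line the way a Unix-like (POSIX) tokenizer does.

    shlex in POSIX mode stands in for interACT's parser (assumption): outside
    quotes a backslash escapes the next character and is itself dropped, while
    single quotes preserve every character literally.
    """
    return shlex.split(cmdline, posix=True)


def resolved_path(cmdline: str) -> str:
    """Return the path argument the tokenizer hands to 'del'.

    Forward slashes are normalized to backslashes so that the forward-slash
    spelling and the backslash spelling compare equal.
    """
    _, path = tokenize(cmdline)
    return path.replace("/", "\\")


def path_survives(cmdline: str) -> bool:
    """True if the intended path reaches the command unmangled."""
    return resolved_path(cmdline) == INTENDED


# The three forms from the hint and whether the path survives tokenization.
CASES = {
    "del C:/xyz/abc.txt": True,      # forward slashes: nothing to escape
    r"del 'C:\xyz\abc.txt'": True,   # single quotes: backslashes kept literally
    r"del C:\xyz\abc.txt": False,    # bare backslashes are consumed as escapes
}

if __name__ == "__main__":
    for cmd in CASES:
        verdict = "ok" if path_survives(cmd) else "mangled"
        print(f"{cmd:26} -> {resolved_path(cmd)!r} ({verdict})")
```

The unquoted form collapses to `C:xyzabc.txt`, a path that does not exist, which is the practical meaning of "Invalid" in the hint.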
cat: To display the content of a file.
cd: To change the current working directory.
curl: To make HTTP requests.
del or delete or rm: For deleting a file or folder.
dir or ls: Will list the files and folders in a chosen directory.
exec or execute: Will allow you to execute a process on the endpoint with the native shell and return results with stdout/stderr.
find: Allows searching of a file or directory.
get: To pull a file from the endpoint down to the console.
hash: Will display the hash value of a file.
head: Displays the first 10 lines of a file.
help: Will display any help messages and switches that you can apply to commands available to you at your current position.
hex: Will display the hex encoded output of the first 100 bytes of a file.
image: To read a disk or volume and write its contents out as a .dd file. This can also be done from the UI but remains here in interACT for those who prefer to image from the command line.
kill: Is the command to terminate a process.
mkdir: Will make or create a directory.
osquery: Gives the user access to osquery queries within the interACT session.
pslist: Will display the running process list.
put: Allows the user to push a file from the library to the endpoint.
pwd: Displays the present working directory.
volumes: Will list the mounted volumes.
yara: Scan files or processes with yara rules.
zip: This command will compress or decompress a file or folder.
Flags
From AIR v4.5, users can speed up workflows by applying the following flags to files they download with the ‘get’ command in interACT:
Compression: ‘-zip’
Password protection: ‘-zip-password’
File name change: ‘-name’
BEWARE!
Using zip -p on machines monitored by EDR can trigger alerts due to its association with suspicious activities like encryption or data exfiltration.
EDRs often flag or block such commands, log passwords exposed in plaintext, and create compliance challenges.
Binalyze AIR’s interACT offers a secure alternative for file handling and remote actions without relying on these risky commands. To ensure smooth operations, AIR users should work with their security teams to get the AIR executables whitelisted in their EDR. This prevents unnecessary alerts and guarantees uninterrupted, secure workflows during investigations.