interACT Commands

interACT has been built specifically for DFIR capability in $ Product. The full list of current commands can be listed by typing ‘help’ at the command prompt, and is below the following important ‘hint’:

Note

The interACT command-line parser utilizes Unix-like command-line parsing methods due to the libraries used and the absence of Windows-specific libraries. Because of that, a Windows user will have to write a del command like this:

• del C:/xyz/abc.txt # use forward slashes
• del ‘C:\xyz\abc.txt’ # within single quotes

The following is currently invalid and likely to remain so in the future due to Windows’ non-standard approach to command-line parsing and character escaping.

• del C:\xyz\abc.txt # Invalid
• del “C:\xyz\abc.txt” # Invalid

cat: To display the content of a file.

cd: To change the current working directory.

curl: To make HTTP requests.

del, delete, or rm: For deleting a file or folder.

dir or ls: Will list the files and folders in a chosen directory.

exec or execute: The exec or execute action allows you to execute a process on the asset without a shell and capture its output via stdout and stderr.

find: Will search for a file or directory.

get: To pull a file from the asset down to the console

hash: Will display the hash value of a file.

head: To get the first 10 lines of a file displayed.

help: Will display any help messages and switches that you can apply to commands available to you at your current position.

hex: Will display the hex-encoded output of the first 100 bytes of a file.

image: To read a disk or volume and write its contents out as a .dd file. This can also be done from the UI, but remains here in interACT for those who prefer to image from the command line.

kill: Is the command to terminate a process.

mkdir: Will make or create a directory

osquery: Gives the user access to osquery queries within the interACT session

pslist: Will display the running process list.

put: Allows the user to push a file from the library to the asset.

Tip

File Upload Size Limit

When using the put command to upload files to an asset via interACT, please note that the maximum file size supported is 500 MB per file.

pwd: Displays the present working directory.

volumes: Will list the mounted volumes.

yara: Scan files or processes with YARA rules.

zip: This command compresses or decompresses a file or folder.

Flags

From XDR Forensics v4.5, users can speed up workflows by using the following flags for files they want to download using the ‘get’ command in interACT:

• Compression: ‘-zip’
• Password protection: ‘-zip-password’
• File name change: ‘-name’

Danger

BEWARE!

Using zip -p on machines monitored by EDR can trigger alerts due to its association with suspicious activities like encryption or data exfiltration.

EDRs often flag or block such commands, log passwords exposed in plaintext, and create compliance challenges.

XDR Forensics’s InterACT offers a secure alternative for file handling and remote actions, eliminating the need for these risky commands. To ensure smooth operations, XDR Forensics users should work with their security teams to get XDR Forensics executables whitelisted in their EDR. This prevents unnecessary alerts and guarantees uninterrupted, secure workflows during investigations.