Reference: Endpoint Agent Commands
Supported Commands by OS
For commands which emit a report/reply event type from the agent, the corresponding event type is provided.
Command Descriptions
artifact_get
Retrieve artifacts (pcaps, memory dumps, system files) from a sensor that were previously collected.
Platforms: macOS | Windows | Linux
Parameters:
- payload_id (required): The unique identifier of the artifact to retrieve
Response Event: FILE_GET_REP
Usage Example:
dir_list
List files and directories at a specified path on the endpoint.
Platforms: macOS | Windows | Linux
Parameters:
- dir_path (required): Directory path to list
- depth (optional): Recursion depth (default: 0 = no recursion)
- file_pattern (optional): File pattern filter (e.g., "*.exe")
Response Event: DIR_LIST_REP
Usage Example:
Sample Response:
{
  "event": {
    "DIRECTORY_LIST": [
      {
        "FILE_PATH": "C:\\Windows\\System32\\cmd.exe",
        "FILE_SIZE": 289792,
        "LAST_MODIFIED": 1579000000
      }
    ]
  }
}
dir_findhash
Search for files matching a specific hash across a directory tree.
Platforms: macOS | Windows | Linux
Parameters:
- dir_path (required): Root directory to search
- hash (required): Hash value to search for (MD5, SHA1, or SHA256)
- depth (optional): Maximum recursion depth
Response Event: DIR_FINDHASH_REP
Usage Example:
dns_resolve
Perform DNS resolution on the endpoint to determine what DNS server responds.
Platforms: macOS | Windows | Linux | Chrome | Edge
Parameters:
- hostname (required): Hostname to resolve
Response Event: DNS_REQUEST
Usage Example:
doc_cache_get
Retrieve a previously cached document from the sensor's local cache.
Platforms: macOS | Windows
Parameters:
- hash (required): Hash of the cached document
Response Event: GET_DOCUMENT_REP
Usage Example:
exfil_add
Add an exfiltration detection watch for specific event types and patterns.
Platforms: macOS | Windows | Linux
Parameters:
- event (required): Event type to monitor (e.g., "DNS_REQUEST", "NEW_PROCESS")
- operator (required): Comparison operator ("is", "contains", "matches", etc.)
- path (required): JSON path to the field to watch (e.g., "event/DOMAIN_NAME")
- value (required): Value or pattern to match
- expire (optional): TTL in seconds for the watch (default: permanent)
Response Event: EXFIL_ADD_REP
Usage Example:
limacharlie sensor task <SID> exfil_add --event "DNS_REQUEST" --operator "contains" --path "event/DOMAIN_NAME" --value "malware" --expire 3600
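As an added example (not LimaCharlie's sensor implementation), the following evaluates a watch built from the exfil_add parameters documented above against event envelopes; the slash-separated path walk, the meaning of the "is", "contains" and "matches" operators, and the created_at bookkeeping used for expire are assumptions.

```python
import re
import time
from typing import Any, Dict, Optional

# Added example, not LimaCharlie's sensor code. A watch is a dict with the
# exfil_add parameters plus an assumed "created_at" timestamp for expiry.

def get_path(obj: Any, path: str) -> Optional[Any]:
    """Walk a slash-separated path such as "event/DOMAIN_NAME" into a nested dict."""
    cur = obj
    for part in path.split("/"):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def watch_matches(watch: Dict[str, Any], event_type: str, envelope: Dict[str, Any],
                  now: Optional[float] = None) -> bool:
    """Return True if `envelope` (an event of type `event_type`) trips the watch."""
    now = time.time() if now is None else now
    ttl = watch.get("expire") or 0           # 0 / absent: permanent watch (assumed)
    if ttl and now > watch["created_at"] + ttl:
        return False                         # expired watches never fire
    if watch["event"] != event_type:
        return False
    field = get_path(envelope, watch["path"])
    if field is None:
        return False
    field, value = str(field), str(watch["value"])
    op = watch["operator"]
    if op == "is":
        return field == value
    if op == "contains":
        return value.lower() in field.lower()
    if op == "matches":
        return re.search(value, field) is not None
    raise ValueError(f"unsupported operator: {op}")

# Constructed sample watch (mirrors the CLI example above) and sample events.
WATCH = {"event": "DNS_REQUEST", "operator": "contains", "path": "event/DOMAIN_NAME",
         "value": "malware", "expire": 3600, "created_at": 1000.0}
SAMPLE_DNS = {"event": {"DOMAIN_NAME": "cdn.malware-example.test"}}
SAMPLE_PROC = {"event": {"COMMAND_LINE": "notepad.exe"}}
```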
exfil_del
Remove an exfiltration detection watch by its ID.
Platforms: macOS | Windows | Linux
Parameters:
- id (required): Watch ID to remove (from exfil_get response)
Response Event: EXFIL_DEL_REP
Usage Example:
exfil_get
List all active exfiltration detection watches on the sensor.
Platforms: macOS | Windows | Linux
Parameters: None
Response Event: EXFIL_GET_REP
Usage Example:
file_del
Delete a file from the endpoint filesystem.
Platforms: macOS | Windows | Linux
Parameters:
- file_path (required): Path to the file to delete
Response Event: FILE_DEL_REP
Usage Example:
file_get
Retrieve a file from the endpoint and upload it to LimaCharlie cloud storage.
Platforms: macOS | Windows | Linux
Parameters:
- file_path (required): Path to the file to retrieve
Response Event: FILE_GET_REP
Usage Example:
file_hash
Calculate cryptographic hashes (MD5, SHA1, SHA256) for a file.
Platforms: macOS | Windows | Linux
Parameters:
- file_path (required): Path to the file to hash
Response Event: FILE_HASH_REP
Usage Example:
Sample Response:
{
  "event": {
    "FILE_PATH": "/etc/passwd",
    "HASH": "abc123...",
    "MD5": "def456...",
    "SHA1": "ghi789...",
    "SHA256": "jkl012..."
  }
}
file_info
Get detailed metadata about a file without retrieving its contents.
Platforms: macOS | Windows | Linux
Parameters:
- file_path (required): Path to the file
Response Event: FILE_INFO_REP
Usage Example:
Sample Response:
{
  "event": {
    "FILE_PATH": "C:\\Program Files\\app.exe",
    "FILE_SIZE": 1048576,
    "CREATED": 1579000000,
    "MODIFIED": 1580000000,
    "ACCESSED": 1581000000
  }
}
file_mov
Move or rename a file on the endpoint filesystem.
Platforms: macOS | Windows | Linux
Parameters:
- src_path (required): Source file path
- dst_path (required): Destination file path
Response Event: FILE_MOV_REP
Usage Example:
fim_add
Add a File Integrity Monitoring (FIM) watch for a specific path or pattern.
Platforms: macOS | Windows | Linux
Parameters:
- file_path (required): Path or pattern to monitor (supports wildcards)
Response Event: FIM_ADD_REP
Usage Example:
fim_del
Remove a File Integrity Monitoring watch.
Platforms: macOS | Windows | Linux
Parameters:
- file_path (required): Path pattern to stop monitoring
Response Event: FIM_REMOVE (note: event name is FIM_REMOVE, not FIM_DEL_REP)
Usage Example:
fim_get
List all active File Integrity Monitoring watches on the sensor.
Platforms: macOS | Windows | Linux
Parameters: None
Response Event: FIM_LIST_REP
Usage Example:
get_debug_data
Retrieve internal sensor debug data for troubleshooting.
Platforms: Windows
Parameters: None
Response Event: DEBUG_DATA_REP
Usage Example:
hidden_module_scan
Scan for hidden or stealthy modules loaded in process memory that may not appear in normal module lists.
Platforms: Windows
Parameters:
- pid (optional): Specific process ID to scan (default: all processes)
Response Event: HIDDEN_MODULE_DETECTED
Usage Example:
history_dump
Export a dump of recent events from the sensor's local event cache.
Platforms: macOS | Windows | Linux | Chrome | Edge
Parameters: None
Response Event: HISTORY_DUMP_REP
Usage Example:
log_get
Retrieve Windows Event Logs or macOS Unified Logs from the endpoint.
Platforms: Windows (Event Logs) | macOS (Unified Logs)
Parameters:
- source (Windows required): Event log source name (e.g., "Security", "System")
- predicate (macOS optional): Unified log filter predicate
Response Event: LOG_GET_REP
Usage Example:
# Windows
limacharlie sensor task <SID> log_get --source "Security"
# macOS
limacharlie sensor task <SID> log_get --predicate "eventType == logEvent"
mem_find_string
Search process memory for specific string patterns.
Platforms: macOS | Windows | Linux
Parameters:
- pid (required): Process ID to scan
- strings (required): String or list of strings to search for
Response Event: MEM_FIND_STRING_REP
Usage Example:
mem_find_handle
Find handles (file, registry, process) held by a process on Windows.
Platforms: Windows
Parameters:
- pid (optional): Specific process ID (default: all processes)
- needle (optional): Handle name pattern to search for
Response Event: MEM_FIND_HANDLE_REP
Usage Example:
mem_map
Get memory map of a process showing loaded modules and memory regions.
Platforms: macOS | Windows | Linux
Parameters:
- pid (required): Process ID to map
Response Event: MEM_MAP_REP
Usage Example:
mem_read
Read raw memory from a process at a specific address.
Platforms: macOS | Windows | Linux
Parameters:
- pid (required): Process ID
- base_address (required): Memory address to read from (hex format)
- size (required): Number of bytes to read
Response Event: MEM_READ_REP
Usage Example:
mem_strings
Extract all readable strings from a process's memory.
Platforms: macOS | Windows | Linux
Parameters:
- pid (required): Process ID to scan
Response Event: MEM_STRINGS_REP
Usage Example:
netstat
Get current network connections on the endpoint (similar to the netstat command).
Platforms: macOS | Windows | Linux
Parameters: None
Response Event: NETWORK_CONNECTIONS
Usage Example:
Sample Response:
{
  "event": {
    "NETWORK_ACTIVITY": [
      {
        "STATE": "ESTABLISHED",
        "LOCAL_ADDRESS": "192.168.1.100",
        "LOCAL_PORT": 50234,
        "REMOTE_ADDRESS": "93.184.216.34",
        "REMOTE_PORT": 443,
        "PID": 1234,
        "PROCESS": "chrome.exe"
      }
    ]
  }
}
network_summary
Get aggregated network statistics and a summary of active connections.
Platforms: macOS | Windows | Linux
Parameters: None
Response Event: NETWORK_SUMMARY
Usage Example:
os_kill_process
Terminate a running process.
Platforms: macOS | Windows | Linux
Parameters:
- pid (required): Process ID to terminate
Response Event: OS_KILL_PROCESS_REP
Usage Example:
os_packages
List installed software packages on the endpoint.
Platforms: Windows (via registry) | macOS (future) | Linux (future)
Response Event: OS_PACKAGES_REP
Usage Example:
Sample Response:
{
  "event": {
    "PACKAGES": [
      {
        "NAME": "Google Chrome",
        "VERSION": "120.0.6099.130",
        "PUBLISHER": "Google LLC"
      }
    ]
  }
}
os_processes
Get a list of all running processes with detailed information.
Platforms: macOS | Windows | Linux
Parameters: None
Response Event: EXISTING_PROCESS (multiple events, one per process)
Usage Example:
Sample Response:
{
  "event": {
    "PROCESS_ID": 1234,
    "PARENT_PROCESS_ID": 5678,
    "COMMAND_LINE": "C:\\Windows\\System32\\notepad.exe",
    "FILE_PATH": "C:\\Windows\\System32\\notepad.exe",
    "USER_NAME": "DOMAIN\\user"
  }
}
os_resume
Resume a suspended process.
Platforms: macOS | Windows | Linux
Parameters:
- pid (required): Process ID to resume
Response Event: OS_RESUME_REP
Usage Example:
os_services
List all services/daemons running on the endpoint.
Platforms: macOS | Windows | Linux
Parameters: None
Response Event: OS_SERVICES_REP
Usage Example:
os_suspend
Suspend (pause) a running process.
Platforms: macOS | Windows | Linux
Parameters:
- pid (required): Process ID to suspend
Response Event: OS_SUSPEND_REP
Usage Example:
os_autoruns
List programs configured to run automatically at system startup.
Platforms: macOS | Windows | Linux
Parameters: None
Response Event: OS_AUTORUNS_REP
Usage Example:
os_drivers
List all loaded kernel drivers/modules.
Platforms: macOS | Windows | Linux
Parameters: None
Response Event: OS_DRIVERS_REP
Usage Example:
os_version
Get detailed operating system version information.
Platforms: macOS | Windows | Linux
Parameters: None
Response Event: OS_VERSION_REP
Usage Example:
Sample Response:
rejoin_network
Re-enable network connectivity for a sensor that was previously isolated.
Platforms: macOS | Windows | Linux | Chrome | Edge
Parameters: None
Response Event: None (sensor reconnects)
Usage Example:
run
Execute a command or script on the endpoint (out-of-band execution).
Platforms: macOS | Linux
Parameters:
- command (required): Command line to execute
Response Event: EXEC_OOB
Usage Example:
segregate_network
Isolate a sensor from the network (except LimaCharlie cloud connectivity).
Platforms: macOS | Windows | Linux | Chrome | Edge
Parameters: None
Response Event: None (sensor becomes isolated)
Usage Example:
yara_scan
Scan files or process memory with YARA rules.
Platforms: macOS | Windows | Linux
Parameters:
- rule (required): YARA rule content
- file_path (optional): Specific file to scan
- pid (optional): Specific process to scan
- process_expr (optional): Process name pattern to scan
Response Event: YARA_DETECTION
Usage Example:
# Scan a file (the rule is single-quoted so a POSIX shell does not expand the $a identifiers)
limacharlie sensor task <SID> yara_scan --file_path "C:\\suspicious.exe" --rule 'rule test { strings: $a = "malware" condition: $a }'
# Scan process memory
limacharlie sensor task <SID> yara_scan --pid 1234 --rule 'rule test { strings: $a = "malware" condition: $a }'
pcap_ifaces
List available network interfaces for packet capture.
Platforms: macOS | Windows | Linux
Parameters: None
Response Event: PCAP_INTERFACES_REP
Usage Example:
pcap_start
Start capturing network packets on a specified interface.
Platforms: macOS | Windows | Linux
Parameters:
- iface (required): Network interface ID or name
- max_size (optional): Maximum capture size in MB
Response Event: PCAP_START_REP
Usage Example:
pcap_stop
Stop an active packet capture and upload the PCAP file.
Platforms: macOS | Windows | Linux
Parameters:
- iface (optional): Specific interface to stop (default: all)
Response Event: PCAP_STOP_REP, followed by EXPORT_COMPLETE
Usage Example:
reg_list
List Windows registry keys and values.
Platforms: Windows
Parameters:
- reg_path (required): Registry path to list (e.g., "HKEY_LOCAL_MACHINE\SOFTWARE")
Response Event: REG_LIST_REP
Usage Example:
limacharlie sensor task <SID> reg_list --reg_path "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
epp_scan
Trigger an Endpoint Protection (EPP) scan on a file or directory.
Platforms: Windows
Parameters:
- file_path (required): Path to scan
Response Event: EPP_SCAN_REP
Usage Example:
epp_list_exclusions
List EPP scan exclusions currently configured on the sensor.
Platforms: Windows
Parameters: None
Response Event: EPP_LIST_EXCLUSIONS_REP
Usage Example:
epp_add_exclusion
Add a path or process to EPP scan exclusions.
Platforms: Windows
Parameters:
- file_path (optional): File/directory path to exclude
- process (optional): Process name to exclude
Response Event: EPP_ADD_EXCLUSION_REP
Usage Example:
epp_rem_exclusion
Remove a path or process from EPP scan exclusions.
Platforms: Windows
Parameters:
- file_path (optional): File/directory path to remove from exclusions
- process (optional): Process name to remove from exclusions
Response Event: EPP_REM_EXCLUSION_REP
Usage Example:
epp_list_quarantine
List files currently in EPP quarantine.
Platforms: Windows
Parameters: None
Response Event: EPP_LIST_QUARANTINE_REP
Usage Example:
Command Usage Notes
General Syntax:
Platform Abbreviations:
- macOS: Apple macOS and OS X
- Windows: Microsoft Windows (7, 8, 10, 11, Server editions)
- Linux: Linux distributions (Ubuntu, CentOS, Debian, etc.)
- Chrome: Chrome browser extension sensor
- Edge: Microsoft Edge browser extension sensor
Response Events:
Most commands generate a response event (typically ending in _REP) that can be:
- Viewed in the LimaCharlie web interface under Sensor > Timeline
- Retrieved via API
- Triggered on with D&R rules
Error Handling:
Response events typically include an ERROR field:
- ERROR: 0 indicates success
- Non-zero ERROR values indicate specific error conditions
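As an added example (not part of the LimaCharlie SDK or sensor), the following checks the ERROR field described above before consuming a reply, then triages a NETWORK_CONNECTIONS reply in the shape of the netstat Sample Response; that ERROR sits inside the "event" object and the exact field names beyond those shown on this page are assumptions.

```python
import ipaddress
from typing import Any, Dict, List

# Added example, not LimaCharlie code. Assumes ERROR lives under "event".

class TaskError(Exception):
    """Raised when a response event carries a non-zero ERROR."""

def check_response(envelope: Dict[str, Any]) -> Dict[str, Any]:
    """Return the inner event if ERROR is absent or 0; raise TaskError otherwise."""
    event = envelope.get("event", {})
    err = event.get("ERROR", 0)
    if err != 0:
        raise TaskError(f"sensor task failed with ERROR={err}")
    return event

def external_established(envelope: Dict[str, Any]) -> List[Dict[str, Any]]:
    """From a NETWORK_CONNECTIONS reply, keep ESTABLISHED connections whose
    remote address is routable (not private, loopback or link-local): a
    common first cut when reviewing a host's outbound connections."""
    event = check_response(envelope)
    found = []
    for conn in event.get("NETWORK_ACTIVITY", []):
        if conn.get("STATE") != "ESTABLISHED":
            continue
        remote = ipaddress.ip_address(conn["REMOTE_ADDRESS"])
        if remote.is_private or remote.is_loopback or remote.is_link_local:
            continue
        found.append({"pid": conn.get("PID"), "process": conn.get("PROCESS"),
                      "remote": f"{remote}:{conn.get('REMOTE_PORT')}"})
    return found

# Constructed sample replies in the shape of the netstat Sample Response above.
NETSTAT_REP = {"event": {"ERROR": 0, "NETWORK_ACTIVITY": [
    {"STATE": "ESTABLISHED", "LOCAL_ADDRESS": "192.168.1.100", "LOCAL_PORT": 50234,
     "REMOTE_ADDRESS": "93.184.216.34", "REMOTE_PORT": 443, "PID": 1234, "PROCESS": "chrome.exe"},
    {"STATE": "ESTABLISHED", "LOCAL_ADDRESS": "192.168.1.100", "LOCAL_PORT": 50235,
     "REMOTE_ADDRESS": "192.168.1.1", "REMOTE_PORT": 445, "PID": 4, "PROCESS": "System"},
    {"STATE": "LISTEN", "LOCAL_ADDRESS": "0.0.0.0", "LOCAL_PORT": 3389,
     "REMOTE_ADDRESS": "0.0.0.0", "REMOTE_PORT": 0, "PID": 900, "PROCESS": "svchost.exe"},
]}}
FAILED_REP = {"event": {"ERROR": 2}}
```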
Permissions: Some commands require elevated privileges (root/administrator) on the endpoint to execute successfully.
Timeouts: Commands have default timeouts (typically 30-60 seconds). Long-running operations may time out; they can be made persistent using the Reliable Tasking extension.