Command Line Tools
Cytomic Orion supports rt.exe. This program provides access to a set of tools you can use to respond to security incidents. These tools enable you to recover information for a subsequent forensic analysis and to restore devices affected by a security breach to their original state.

You can access the rt.exe program from the remote command line. The program has the following syntax:
Consider these rules regarding the rt.exe program:
- Each command indicates an action to take, and each command supports different parameters.
- Wildcards * and ? are not supported.
- Some parameters allow partial searches that use substrings representing the start, middle, or end of a string. For example, to search for "malware", you can enter the substring "mal" or "ware".
- If a command supports dumping output to a file, this is specified with -f.
- To separate multiple items of the same type, enter the pipe character (|).
These sections describe the parameters supported by each command.
Delete Command
This command deletes the files specified with the parameters -n, -m, or -s that are in the path indicated by the parameter -p. If a file is in use, the delete command returns an error.
Short form | Full parameter | Description | Notes |
---|---|---|---|
-h | --help | Opens command help. | |
-f | --force | Deletes files permanently. | |
-r | --restore | Restores selected files from the Recycle Bin. | Restores files to their original location. |
-p | --path | Absolute path from the root directory where you want to search for files to delete. The solution only deletes files in the specified path. | |
-n | --name | Names of the files you want to delete. | |
-m | --md5 | MD5 values of the files you want to delete. | |
-s | --sha256 | SHA256 values of the files you want to delete. | |
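The rules above (substring matching, no wildcards, the pipe character as separator) and the delete command's name/MD5/SHA256 selectors are easy to get wrong when preparing a response action by hand. The following Python helpers are an added example, not code from the Cytomic documentation or the rt.exe program: they enumerate a path, preview which files a partial-name selector would pick, hash those files, and assemble the selector arguments. The invocation form `rt.exe delete <options>` and the helper names (`preview_delete`, `build_delete_args`, `demo`) are assumptions; the option names and the `|` separator are the ones documented above.

```python
"""Added example: preparing selectors for the rt.exe delete command.

Not part of the Cytomic documentation. Assumes the invocation form
'rt.exe delete <options>'; option names and the '|' separator follow
the documented rules.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Iterable, List, Sequence


def file_hashes(path: str) -> Dict[str, str]:
    """Return the MD5 and SHA256 hex digests of one file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def matches_partial(name: str, patterns: Iterable[str]) -> bool:
    """Partial search as documented: a plain substring of the name matches;
    the * and ? wildcards are not supported, so such patterns are rejected."""
    for pat in patterns:
        if "*" in pat or "?" in pat:
            raise ValueError(f"wildcards are not supported: {pat!r}")
        if pat in name:
            return True
    return False


def preview_delete(path: str, name_patterns: Sequence[str]) -> List[str]:
    """List the files directly under `path` that a name-based delete would
    select. Only that path is searched, mirroring the documented -p rule."""
    selected = []
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full) and matches_partial(entry, name_patterns):
            selected.append(full)
    return selected


def build_delete_args(path: str, names: Sequence[str] = (), md5s: Sequence[str] = (),
                      sha256s: Sequence[str] = (), force: bool = False) -> List[str]:
    """Assemble the argument list for a delete command (assumed invocation form).
    Several items of one type are joined with '|' as the documentation states."""
    if not os.path.isabs(path):
        raise ValueError("-p expects an absolute path from the root directory")
    args = ["rt.exe", "delete", "-p", path]
    for flag, items in (("-n", names), ("-m", md5s), ("-s", sha256s)):
        if items:
            args += [flag, "|".join(items)]
    if force:
        args.append("-f")  # --force: delete permanently instead of to the Recycle Bin
    return args


def demo() -> Dict[str, object]:
    """Create a constructed sample directory, preview a partial-name delete for
    'ware', hash the selected files and assemble the matching SHA256 selector."""
    root = tempfile.mkdtemp(prefix="rt_example_")
    try:
        # Constructed sample files; contents are placeholders, not real artefacts.
        samples = {"malware.exe": b"constructed sample A",
                   "notes.txt": b"constructed sample B",
                   "empty.bin": b""}
        for fname, data in samples.items():
            with open(os.path.join(root, fname), "wb") as fh:
                fh.write(data)
        selected = preview_delete(root, ["ware"])
        hashes = {os.path.basename(p): file_hashes(p) for p in selected}
        args = build_delete_args(root, sha256s=[h["sha256"] for h in hashes.values()], force=True)
        return {"selected": [os.path.basename(p) for p in selected],
                "hashes": hashes,
                "args": args,
                "empty": file_hashes(os.path.join(root, "empty.bin"))}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Selecting by SHA256 rather than by name removes the ambiguity of a substring match, which is why `demo` previews by name first and then hands the hashes to the selector. If you type the resulting command into cmd.exe or PowerShell rather than passing it as a token list, quote the joined `a|b` value, since an unquoted `|` is the shell's own pipe operator there.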
Dump Command
This command dumps to disk the memory space allocated to a system or user process.
Short form | Full parameter | Description | Notes |
---|---|---|---|
-h | --help | Opens command help. | |
-p | --pid | PID of the process to dump. | For information on how to find the PID of the process, see Process Command. |
-s | --system | Kernel dump. | Supported values: |
-f | --filename | Name of the file that contains the dump. | |
-z | --zip | Stores the dump in a ZIP file. | |
Netinfo Command
Used with the -a parameter, this command shows the settings of the network interfaces installed on the computer.
Short form | Full parameter | Description | Notes |
---|---|---|---|
-h | --help | Opens command help. | |
-a | --all | Shows the settings of the network interfaces installed on the computer. | |
-f | --filename | Name of the file that contains the data. | |
-z | --zip | Stores the dump in a ZIP file. | |
Pcap Command
This command captures the network traffic sent and received by the remote computer. Specify the start and end of the capture with the parameter -a start|stop. Packet capture generates temporary files on the computer, so there must be sufficient hard disk space. The end result is a PCAP file that can be opened directly in Wireshark/Ethereal.
Short form | Full parameter | Description | Notes |
---|---|---|---|
-h | --help | Opens command help. | |
-a | --action | Executes an action: start or stop. | |
-m | --maxsize | Maximum size of the packet to capture. | |
-i | --maxtime | Maximum capture time. | |
-f | --filename | Name of the file that contains the data. | |
-z | --zip | Stores the dump in a ZIP file. | |
Ports Command
Used with the -a parameter, this command shows the sockets open on the computer and the processes that opened them.
Short form | Full parameter | Description | Notes |
---|---|---|---|
-h | --help | Opens command help. | |
-a | --all | Shows all open ports and their associated processes. | |
-p | --pid | Filters the results by process PID. | |
-n | --name | Filters the results by process name. | You can type only a partial string. |
-f | --filename | Name of the file that contains the data. | |
Process Command
Used with the -a parameter, this command shows all processes loaded in the memory of the computer and their modules.
Short form | Full parameter | Description | Notes |
---|---|---|---|
-h | --help | Opens command help. | |
-a | --all | Shows all processes loaded in the memory of the computer and their modules. | |
-p | --pid | Filters the results by process PID, showing the process modules. | |
-u | --user | Shows the processes launched by a user and their modules. | |
-f | --filename | Name of the file that contains the data. | |
Url Command
Used with the -a any parameter, this command shows all the URLs accessed by users through the remote computer's web browser. This command requires that the Cytomic EDR web access control feature is enabled.
Short form | Full parameter | Description | Notes |
---|---|---|---|
-h | --help | Opens command help. | |
-a | --action | Filters the URL list by the action taken by the web access control feature. | |
-c | --count | Maximum number of URLs to show. | Default value: unlimited. |
-g | --category | Filters the URL list by the category assigned by the web access control feature. | |
-b | --begindate | Enables you to specify the start date to show visited URLs from. | |
-e | --enddate | Enables you to specify the end date to show visited URLs up to. | |
-n | --urlpattern | Filters URLs by substring. | |
-u | --userpattern | Filters URLs by user. | |
-f | --filename | Name of the file that contains the data. | |
-z | --zip | Stores the dump in a ZIP file. | |