Files
A regular Windows file listing. artemis uses the walkdir crate to recursively walk the files and directories on the system. If hashing or PE parsing is enabled, this will update the Last Accessed timestamps on files, since the native OS APIs are used to access the files, and it will fail on any locked files. Use RawFiles to bypass locked files.
The standard Rust API does not support getting the Changed/Entry Modified timestamp on Windows. Use RawFiles to include the Changed/Entry Modified timestamp.
Since a file listing can be extremely large, every 100k entries artemis will output the data and then continue.
Other Parsers:
- Any tool that can recursively list files and directories
References:
- N/A
TOML Collection
```toml
system = "windows"

[output]
name = "files_collection"
directory = "./tmp"
format = "json"
compress = false
endpoint_id = "abdc"
collection_id = 1
output = "local"

[[artifacts]]
artifact_name = "files" # Name of artifact
[artifacts.files]
start_path = "C:\\Windows" # Where to start the listing
# Optional
depth = 1 # How many sub directories to descend
# Optional
metadata = true # Get PE metadata
# Optional
md5 = true # MD5 all files
# Optional
sha1 = false # SHA1 all files
# Optional
sha256 = false # SHA256 all files
# Optional
path_regex = "" # Regex for paths
# Optional
file_regex = "" # Regex for files
```
Collection Options
start_path
Where to start the file listing. Must exist on the endpoint. To start at the root use `C:\\`. This configuration is required.
depth
Specify how many directories to descend from the start_path. Default is one (1). Must be a positive number. Max value is 255. This configuration is optional.
metadata
Get PE data from PE files. This configuration is optional. Default is false.
md5
Boolean value to enable MD5 hashing on all files. This configuration is optional. Default is false.
sha1
Boolean value to enable SHA1 hashing on all files. This configuration is optional. Default is false.
sha256
Boolean value to enable SHA256 hashing on all files. This configuration is optional. Default is false.
path_regex
Only descend into paths (directories) that match the provided regex. This configuration is optional. Default is no regex.
file_regex
Only return entries that match the provided regex. This configuration is optional. Default is no regex.
Output Structure
An array of WindowsFileInfo entries
```typescript
export interface WindowsFileInfo {
  /** Full path to file or directory */
  full_path: string;
  /** Directory path */
  directory: string;
  /** Filename */
  filename: string;
  /** Extension of file if any */
  extension: string;
  /** Created timestamp in UNIXEPOCH seconds */
  created: number;
  /** Modified timestamp in UNIXEPOCH seconds */
  modified: number;
  /** Changed timestamp in UNIXEPOCH seconds */
  changed: number;
  /** Accessed timestamp in UNIXEPOCH seconds */
  accessed: number;
  /** Size of file in bytes */
  size: number;
  /** Inode associated with entry */
  inode: number;
  /** Mode of file entry */
  mode: number;
  /** User ID associated with file */
  uid: number;
  /** Group ID associated with file */
  gid: number;
  /** MD5 of file */
  md5: string;
  /** SHA1 of file */
  sha1: string;
  /** SHA256 of file */
  sha256: string;
  /** Is the entry a file */
  is_file: boolean;
  /** Is the entry a directory */
  is_directory: boolean;
  /** Is the entry a symbolic link */
  is_symlink: boolean;
  /** Depth of the file from the provided start point */
  depth: number;
  /** PE binary metadata */
  binary_info: PeInfo[];
}
```
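As an added example (not part of the artemis docs or code base), a small Python triage pass over one JSON output chunk of this artifact: it picks out PE files that carry a hash for lookup, files whose creation time is later than their modification time, and files whose Changed timestamp is missing. The entries are constructed, and the script assumes `changed` is reported as 0 when the standard API could not supply it.

```python
import json
from typing import Any

# Constructed WindowsFileInfo-shaped entries for illustration; not real collection data.
def entry(path: str, **overrides: Any) -> dict[str, Any]:
    directory, _, filename = path.rpartition("\\")
    base: dict[str, Any] = {
        "full_path": path, "directory": directory, "filename": filename,
        "extension": filename.rpartition(".")[2] if "." in filename else "",
        "created": 1700000000, "modified": 1700000500, "changed": 0,
        "accessed": 1700001000, "size": 4096, "inode": 0, "mode": 0,
        "uid": 0, "gid": 0, "md5": "", "sha1": "", "sha256": "",
        "is_file": True, "is_directory": False, "is_symlink": False,
        "depth": 1, "binary_info": [],
    }
    base.update(overrides)
    return base

SAMPLE_OUTPUT = json.dumps([
    entry("C:\\Windows\\notepad.exe", md5="d41d8cd98f00b204e9800998ecf8427e",
          binary_info=[{"placeholder": "PeInfo object"}]),
    # modified earlier than created: typical of a file copied in from elsewhere
    entry("C:\\Windows\\odd.dll", created=1700005000, modified=1600000000),
    entry("C:\\Windows\\System32", is_file=False, is_directory=True),
])

def triage(entries: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Sort file entries into buckets a reviewer would act on."""
    out: dict[str, list[str]] = {
        "pe_with_hash": [], "created_after_modified": [], "changed_unavailable": []}
    for e in entries:
        if not e["is_file"]:
            continue  # directories carry no hash or PE metadata
        # PE files with a hash are ready for a known-good/known-bad lookup.
        if e["binary_info"] and e["md5"]:
            out["pe_with_hash"].append(e["full_path"])
        # Created later than last modified: commonly the result of a copy, which
        # gets a new creation time but keeps the source's modified time.
        if e["created"] > e["modified"]:
            out["created_after_modified"].append(e["full_path"])
        # Assumption: the Changed timestamp is 0 when the standard API could not
        # supply it; those files need a RawFiles collection for that field.
        if e["changed"] == 0:
            out["changed_unavailable"].append(e["full_path"])
    return out

def triage_json(text: str) -> dict[str, list[str]]:
    """Parse one artemis output chunk (a JSON array) and triage it."""
    return triage(json.loads(text))
```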