Skip to main content
Executes a RTR active-responder command on the given host. Note that an active session for the host is required - you can use the Create Batch Session action for the wanted host. Use this endpoint to run these real time response commands:
  • cat
  • cd
  • clear
  • cp
  • encrypt
  • env
  • eventlog
  • filehash
  • get
  • getsid
  • help
  • history
  • ipconfig
  • kill
  • ls
  • map
  • memdump
  • mkdir
  • mount
  • mv
  • netstat
  • ps
  • reg query
  • reg set
  • reg delete
  • reg load
  • reg unload
  • restart
  • rm
  • runscript
  • shutdown
  • unmap
  • update history
  • update install
  • update list
  • update query
  • xmemdump
  • zip
External DocumentationTo learn more, visit the CrowdStrike documentation.

Parameters

ParameterDescription
Base CommandActive-Responder command type we are going to execute, for example: get or cp.
Refer to the RTR documentation for the full list of commands.
Command StringCommand’s input. For example get some_file.txt.
Session IDThe ID of the RTR Session to run the command on. You can find the Session ID in the response of the Create Batch Session action for the wanted host.

Example Output

{
	"meta": {
		"query_time": 1,
		"powered_by": "<string>",
		"trace_id": "<string>"
	},
	"resources": [
		{
			"session_id": "<string>",
			"cloud_request_id": "<string>",
			"queued_command_offline": false
		}
	],
	"errors": null
}

Workflow Library Example

Run Command on a Single Host with Crowdstrike and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop