topic Re: File retrieval in user context in Cortex XDR Discussions

File retrieval in user context

Arman_Zaheri — Mon, 24 Feb 2025 15:39:16 GMT

Hello,

Is it possible to retrieve a file which is only accessible in user's context? I have an incident which user opened a file from a network mapped drive. That drive might not be accessible by anyone except for the user.

Which user context is used when we initiate File retrieval via:

1. Cortex console or an agent script

2. Live terminal

Thank you very much

Re: File retrieval in user context

Mudhireddy — Mon, 24 Feb 2025 18:28:13 GMT

Yes, retrieving a file that is only accessible in the user’s context (such as a network-mapped drive) using Cortex XDR can be challenging because the XDR agent runs as SYSTEM, which may not have access to the user’s mapped drives. However, there are workarounds to retrieve the file:

1. Use Live Terminal (Best for Interactive Access)
If the user is online, the best method is to use Live Terminal to access the user's session and retrieve the file.

Steps:

Go to Cortex XDR → Response → Live Terminal
Select the affected endpoint.

Run the following PowerShell command to check the user’s network drives:
powershell
Get-PSDrive -PSProvider FileSystem

This will list the user’s mapped network drives (e.g., Z:\).

Copy the file from the network drive to a local path that XDR can access:
powershell
Copy-Item "Z:\path\to\file.txt" -Destination "C:\Temp\file.txt"
Use File Fetch (see Method 2) to retrieve the file from C:\Temp

Re: File retrieval in user context

Arman_Zaheri — Mon, 24 Feb 2025 18:37:19 GMT

Thanks for your response. Two questions regarding live terminal:

1. I checked live terminal before, it's also running under SYSTEM. But I'll check this again to make sure.

2. Assuming this statement is true, how can we automate this retrieval? The endpoint might not be online at the moment.

BR,