Carbon Black Cloud: How to Access RepCLI Utility

Environment

  • Carbon Black Cloud Sensor: 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions

Objective

Access RepCLI utility

Resolution

  1. Log into the machine with a user account that matches the AD User or Group SID configured at the time of sensor install
  2. Launch an administrative Command Prompt
  3. Change to the sensor install directory:
    C:\Users\admin_user> cd C:\Program Files\Confer
    C:\Program Files\Confer>
  4. Enter the "repcli" command with no options to view the list of available RepCLI command options:
    C:\Program Files\Confer> repcli
    
    RepCLI is a command line debugging tool that interacts with the CbDefense service
    ---------------------------------------------------------------------------------
    addpolicy       <json filename>| Add specified policy to repmgr
    addnav2policy   <json filename>| Add specified Nav2 policy to repmgr
    bypass          1|0| Enables or disables bypass mode
    capture         | Create diagnostic capture
    certfind        <publisher>| Searches for files with specified publisher pattern
    cloud           <request>| Tells sensor to send a cloud request
    counters        | Print diagnostic counters
    debug           1|0| Enabled or disables debug mode
    deletepolicies  | Delete all policies
    deletepolicy    <guid>| Delete policy matching guid
    deletepolicyindexed <index>| Delete policy with guid matching index in the order displayed by "querypolicyguids" (index starts at 0)
    deviceid        | Query sensor device id
    displayevents   -count [limit events displayed to number] -stream [CbEvent{Bin|Json|PrettyJson|PscProtobuf|PscJson|PscPrettyJson}] -norule [GUID of rule to exclude from output] -initiator [filename of process to watch] -target [file|process|registry|modload|network]| Display PSC-R events reported from repmgr. All arguments are non positional and optional, no arguments will display canonical JSON events until keyboard interrupt
    
    fileaccess      <access_level> [full_path]| Sets file-access to specified access level for file(s) being tracked by RepMgr.
    find            <filename|hash>| Searches for <filename> or <hash> in the file cache
    forcebatch      | Forces an event batch to be sent even if event quota has not been met
    getbatchconfig  | Get current configuration for PSCR event batch archiver
    getruleslog     | Display the contents of Nav2Rules.GetLogs()
    kerneltrace     <level> [flags]| Enables kernel logging at specified level
    lastLiveQueryTime [{relativeTimeBeforeNow}{s|m|h|d}|{TimestampInSeconds}]| Get (if no arg) or set last LiveQuery time
    LqIoFiles       1|0| 1- Keep around the LiveQuery InOut Files. 0- (regular functionality) delete the InOut Files
    NotifySvcStable | Notify driver the service is stable
    OnDemandScan    [directory]| Starts a background scan
    process         <pid>| Query process information
    queryrules      | Display all rules
    queryruleguids  | Display GUIDs for all rules
    querypolicyguids | Display GUIDs for all policies
    resetcounters   | Reset diagnostic counters
    setbatchconfig  -ti [time interval max (s)] -as [archive size max (kB)] -tas [total archives size max (kB)] -hu [archiver heap usage max (kB)]| All arguments are non positional and optional, no arguments will reset archiver config to defaults.
    status          | Display Sensor Status
    suppressrules   1|0 [noreload]| Enable/disable rule based event suppression. Will reload rules from datafile4 unless noreload is set
    UpdateAvSignature | Trigger an AV signature update
    UpdateConfig    | Causes RepMgr to read updated values from cfg.ini
    version         | Display product version
    ---------------------------------------------------------------------------------
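The following PowerShell wrapper is an added example, not part of this KB article or of the Carbon Black product. It assumes the default install path C:\Program Files\Confer and the binary name repcli.exe, checks the elevation prerequisite from step 2, and then runs a RepCLI sub-command from the install directory as in step 3, returning the exit code and output so a host check can be scripted.

```powershell
# Added example (not Carbon Black's own code). Assumed: sensor installed under
# C:\Program Files\Confer and the utility is repcli.exe; override $RepCliPath otherwise.
function Invoke-RepCli {
    [CmdletBinding()]
    param(
        # Sub-command and arguments as listed in the repcli help output, e.g. 'status' or 'version'
        [Parameter(ValueFromRemainingArguments = $true)]
        [string[]] $Arguments = @(),
        [string] $RepCliPath = 'C:\Program Files\Confer\repcli.exe'
    )

    # Step 2 requires an elevated prompt; fail early with a clear message otherwise.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Invoke-RepCli must be run from an elevated (administrator) session.'
    }

    if (-not (Test-Path -LiteralPath $RepCliPath)) {
        throw "repcli not found at '$RepCliPath'; check the sensor install directory."
    }

    # Drop empty entries so splatting works when no sub-command is given (repcli then prints its help).
    $argList = [string[]]@($Arguments | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })

    # Run from the install directory, as in step 3, capturing stdout and stderr together.
    Push-Location (Split-Path -Parent $RepCliPath)
    try {
        $output = & $RepCliPath @argList 2>&1
        [pscustomobject]@{
            Command  = ('repcli ' + ($argList -join ' ')).Trim()
            ExitCode = $LASTEXITCODE
            Output   = ($output | Out-String).TrimEnd()
        }
    } finally {
        Pop-Location
    }
}

# Usage: report sensor version and status. Inspect ExitCode and Output; if the
# session does not match the AD user/group SID configured at install, commands
# that require authentication will not succeed (see Additional Notes).
Invoke-RepCli version
Invoke-RepCli status
```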

Additional Notes

  • Not all RepCLI commands require authentication
  • Active Directory-based SID authentication provides full access to RepCLI commands

Creation Date: 11-27-2018