
Carbon Black Cloud: How to Create a Live Memory Dump With RepCLI

Environment

  • Carbon Black Cloud Sensor: 3.5.0.1523 and higher
  • Microsoft Windows: All supported versions 

Objective

Use RepCLI to generate a live memory dump 

Resolution

  1. Log into the machine with a user account that matches the AD user or group SID configured for RepCLI authentication.
  2. On Windows 7 and 8.0 machines, proceed to the next step. On Windows 8.1 and higher (including Windows 10), enable kernel debug logging before continuing.
  3. Launch a Command Prompt.
  4. Run the following commands:
    cd C:\Program Files\Confer
    repcli unlock <uninstall-code>
    repcli LiveMemDump
  5. The following results will print to the command line:
    DebugHandler::LiveMemDump: Successfully created live memory dump file: c:\Program Files\Confer\RepCLI_MemDump.dmp
    Successfully set FileSecurity::DEFAULT_PRIVILEGE_LEVEL on the file
  6. RepCLI_MemDump.dmp can now be gathered together with the Sensor logs through the support console.
  7. To manually access, or later delete, the RepCLI_MemDump.dmp file, the file permissions must first be relaxed with the following command:
    RepCLI FileAccess Relaxed
  8. The following results will print to the command line:
    Successfully set file access for all 1 tracked files.
    Result List:
      File: c:\Program Files\Confer\RepCLI_MemDump.dmp -- Effective PrivilegeMask: USERS, ADMINS, SYSTEM
  9. If gathering the dump file manually, compress it before uploading it to CBvault.
  10. Disable kernel debug logging on Windows 8.1 and higher afterwards to prevent performance and disk space issues.
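
As an added example (not part of the original article and not Carbon Black's own tooling), the following PowerShell script runs steps 4 through 9 in one go and checks the output instead of relying on a visual read. It assumes repcli.exe resides in the default C:\Program Files\Confer path shown above, and that kernel debug logging has already been enabled on Windows 8.1 and higher where a full dump is wanted.

```powershell
# Added example wrapping the RepCLI steps in this article; assumes repcli.exe
# is in the default Confer directory and that the caller is logged in as the
# account matching the SID configured for RepCLI authentication (step 1).
# Kernel debug logging (step 2, Windows 8.1+) is a prerequisite not done here.
param(
    [Parameter(Mandatory = $true)][string]$UninstallCode,
    [string]$ConferDir = 'C:\Program Files\Confer',
    [string]$OutDir    = "$env:SystemDrive\MemDumpCollection"
)

$repcli = Join-Path $ConferDir 'repcli.exe'
$dump   = Join-Path $ConferDir 'RepCLI_MemDump.dmp'

# Step 4: unlock RepCLI and request the live dump. Output is captured so the
# success line from step 5 can be tested rather than eyeballed.
& $repcli unlock $UninstallCode | Out-Null
$result = & $repcli LiveMemDump 2>&1 | Out-String
if ($result -notmatch 'Successfully created live memory dump file') {
    # Also covers the failure reported when a previous LiveMemDump is still
    # running; its exact text is not documented, so only the absence of the
    # success line is checked.
    throw "LiveMemDump did not report success:`n$result"
}

# Step 7: relax the ACL so the dump can be read (and later deleted).
& $repcli FileAccess Relaxed | Out-Null
if (-not (Test-Path $dump)) { throw "Dump file not found at $dump" }

# Step 9: compress before upload; a SHA-256 sidecar lets the upload be verified.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $OutDir "RepCLI_MemDump-$env:COMPUTERNAME-$stamp.zip"
Compress-Archive -Path $dump -DestinationPath $archive
$hash = (Get-FileHash -Path $archive -Algorithm SHA256).Hash
"$hash  $(Split-Path $archive -Leaf)" | Set-Content "$archive.sha256"

[pscustomobject]@{
    DumpSizeMB = [math]::Round((Get-Item $dump).Length / 1MB, 1)
    Archive    = $archive
    SHA256     = $hash
}
```

Note that Compress-Archive in Windows PowerShell 5.1 fails on files larger than about 2 GB, which live dumps often exceed (see the size notes below); on such hosts run the script under PowerShell 7 or swap in another archiver for that step.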

Additional Notes

  • The live memory dump will generate a full memory dump (depending on OS configuration) without crashing the system
  • For Windows 7 and 8.0, both kernel and user memory are included in the dump (that is considered a full memory dump)
  • For Windows 8.1 and higher (including Windows 10), live dumps require Kernel debugging to be enabled for a full memory dump (only kernel memory will be dumped unless debugging is enabled)
  • Memory dump size will vary when gathering a live dump
  • Windows 7 live memory dumps are typically larger than the total RAM
  • Windows 10 live memory dumps are typically smaller than total RAM
  • If the LiveMemDump command is run before a previous LiveMemDump command completes, the command will print a failure message to the command line

Article Information
Creation Date: 08-25-2020