Knowledge Base

Access official resources from Carbon Black experts

Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Environment

Carbon Black Cloud Sensor: 3.3.x.x and higher
Carbon Black Cloud Console: All versions
Microsoft Windows: All supported versions

Objective

Access the RepCLI utility during a Live Response session

Resolution

Initiate a Live Response session from the Console (Endpoints > Go Live)
Change directory repcli.exe location or format commands with the full path
```
cd C:\Program Files\Confer
```
Preface repcli commands with "execfg"
```
execfg repcli status
```

Additional Notes

The Live Response session runs on the local machine as Local System
The Windows Local System SID will need to be authenticated to provide full RepCLI access
The Windows System SID is S-1-5-18

This can be confirmed within the LR session

execfg whoami /user

User Name             SID 
===================   ======== 
nt authority\system   S-1-5-18

3.5.x.x and higher Sensors do not require a SID for authenticated RepCLI commands when run via Live Response
- One caveat for 3.5.x.x - 3.7.0.1253 Sensors is that Bypass mode can be turned on via RepCLI during Live Response but cannot be turned off via RepCLI
- The above caveat is resolved in 3.7.0.1411 and higher Sensor versions

Related Content

Security identifiers (Windows 10) - Windows security
https://community.carbonblack.com/t5/Knowledge-Base/Cb-Defense-Which-RepCLI-Commands-are-Available-t...
Carbon Black Cloud: How to Enable Authentication for RepCLI Utility During Sensor Install
Carbon Black Cloud: How to Enable RepCLI Authentication on Existing Sensors

Article Information

Author:

Creation Date:

‎09-09-2020

Views:

10436

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.