Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: How to Access RepCLI with Live Response

Carbon Black Cloud: How to Access RepCLI with Live Response

Environment

  • Carbon Black Cloud Sensor: 3.3.x.x and higher
  • Carbon Black Cloud Console: All versions
  • Microsoft Windows: All supported versions

Objective

Access the RepCLI utility during a Live Response session

Resolution

  1. Initiate a Live Response session from the Console (Endpoints > Go Live)
  2. Change directory repcli.exe location or format commands with the full path
    cd C:\Program Files\Confer
  3. Preface repcli commands with "execfg"
    execfg repcli status

Additional Notes

  • The Live Response session runs on the local machine as Local System
  • The Windows Local System SID will need to be authenticated to provide full RepCLI access
  • The Windows System SID is S-1-5-18
  • This can be confirmed within the LR session
    execfg whoami /user
    
    User Name             SID 
    ===================   ======== 
    nt authority\system   S-1-5-18
  • 3.5.x.x and higher Sensors do not require a SID for authenticated RepCLI commands when run via Live Response
    • One caveat for 3.5.x.x - 3.7.0.1253 Sensors is that Bypass mode can be turned on via RepCLI during Live Response but cannot be turned off via RepCLI
    • The above caveat is resolved in 3.7.0.1411 and higher Sensor versions

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎09-09-2020
Views:
3293
Contributors