Environment
- Carbon Black Cloud (formerly Predictive Security Cloud or PSC) Console: All Versions
- CB Defense
- CB ThreatHunter
- PSC Sensor: 3.3.x.x and Higher
- Microsoft Windows: All Supported Versions
Objective
Provide steps to determine why authenticated commands fail when run with RepCLI on the Windows Sensor
Example error:
Error: You are not authorized to run this command
Command failed, RepMgr encountered an error while processing command
Resolution
1. Connect to endpoint
2. Launch cmd.exe
3. Verify the SID currently set for authenticated RepCLI commands
   find "AuthenticatedCLIUsers" "<insert cfg.ini file path>"
4. Verify the SID of the user and the groups to which they belong
   whoami /user /groups
5. Compare the SID from step 3 to those shown in step 4
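The comparison described in the steps above can be scripted. The following PowerShell is an added example, not vendor code; it assumes the AuthenticatedCLIUsers line in cfg.ini carries one or more SID strings, and the cfg.ini path must be supplied by the operator.

```powershell
# Added example (not vendor code): do any SIDs configured for authenticated
# RepCLI commands appear in the current user's token?
param(
    # Path to the sensor's cfg.ini; the page leaves this as a placeholder.
    [Parameter(Mandatory = $true)]
    [string]$CfgPath
)

# Assumption: the setting is one line that names AuthenticatedCLIUsers and
# carries one or more SID strings.
$entry = Select-String -LiteralPath $CfgPath -Pattern 'AuthenticatedCLIUsers' -SimpleMatch |
    Select-Object -First 1
if (-not $entry) {
    Write-Warning "AuthenticatedCLIUsers not found in $CfgPath"
    exit 2
}
$configured = @([regex]::Matches($entry.Line, 'S-1-\d+(?:-\d+)+') | ForEach-Object { $_.Value })
if ($configured.Count -eq 0) {
    Write-Warning "No SID found on line: $($entry.Line)"
    exit 2
}

# SIDs of the current user and of the groups in the access token.
# WindowsIdentity.Groups returns enabled groups only; a group that
# 'whoami /groups' marks "used for deny only" is not included here.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

$report = foreach ($sid in $configured) {
    # Resolve the SID to a name for readability; unresolvable SIDs stay blank.
    $name = ''
    try {
        $obj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $name = $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }
    [pscustomobject]@{ ConfiguredSid = $sid; Name = $name; InToken = $tokenSids -contains $sid }
}
$report | Format-Table -AutoSize

if ($report.InToken -contains $true) {
    Write-Output "Match: $($identity.Name) holds a configured SID."
} else {
    Write-Output "No match: $($identity.Name) holds none of the configured SIDs."
    exit 1
}
```

Save it as a .ps1 file and run it as the user who receives the error, passing the cfg.ini path with -CfgPath. The Name column also shows which account or group the configured SID resolves to, which helps when reviewing whether that SID is appropriately restricted.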
Additional Notes
- A mismatch between the SIDs from steps 3 and 4 is the cause of not being authorized to run RepCLI commands requiring authentication
- If the user trying to run an authenticated RepCLI command does not match the AuthenticatedCLIUsers field in the cfg.ini file, that user will not be authorized to run such commands
- The SID specified in the AuthenticatedCLIUsers field (cfg.ini) can either be for a single User account, or for a Group to which the user belongs
- As authenticated RepCLI commands allow for placing a Sensor into Bypass, re-registration with the backend, etc., it is not advised to use SIDs of insecure Groups and/or Users