
Carbon Black Cloud: How to troubleshoot issues running authenticated RepCLI commands (Windows)

Environment

  • Carbon Black Cloud (formerly Predictive Security Cloud or PSC) Console: All Versions
    • CB Defense
    • CB ThreatHunter
  • PSC Sensor: 3.3.x.x and Higher
  • Microsoft Windows: All Supported Versions

Objective

Provide steps to determine why authenticated RepCLI commands fail to run on the Windows Sensor.
Example error:
Error: You are not authorized to run this command
Command failed, RepMgr encountered an error while processing command

Resolution

  1. Connect to endpoint
  2. Launch cmd.exe
  3. Verify the SID currently set for authenticated RepCLI commands
    find "AuthenticatedCLIUsers" "<insert cfg.ini file path>"
  4. Verify the SID of the user and the groups to which they belong
    whoami /user /groups
  5. Compare the SID from step 3 to those shown in step 4
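
Steps 3 to 5 as a PowerShell function, added here as an example and not part of the original article or of the product. It assumes the cfg.ini entry has the form `AuthenticatedCLIUsers=<SID>`; the function names and the sample data are constructed for illustration.

```powershell
# Added example. Assumption: cfg.ini holds a line such as AuthenticatedCLIUsers=<SID>.
function Get-Sid([string[]]$Lines) {
    # Emit every SID-shaped token (S-1-...) found in the given lines.
    foreach ($line in $Lines) {
        foreach ($m in [regex]::Matches($line, 'S-1-\d+(?:-\d+)+')) { $m.Value }
    }
}

function Compare-RepCliSid {
    param(
        [string[]]$CfgText,     # lines of cfg.ini
        [string[]]$WhoamiText   # output of: whoami /user /groups
    )
    # Step 3: SID(s) set for authenticated RepCLI commands.
    $configured = @(Get-Sid ($CfgText | Where-Object { $_ -match 'AuthenticatedCLIUsers' }))
    # Step 4: SIDs of the user and of the groups to which they belong.
    $held = @(Get-Sid $WhoamiText)
    # Step 5: keep only the configured SIDs that the user actually holds.
    $matched = @($configured | Where-Object { $held -contains $_ })
    [pscustomobject]@{
        Configured = $configured -join ', '
        Matched    = $matched -join ', '
        SidMatch   = $matched.Count -gt 0
    }
}

# Constructed sample data (not from a real endpoint): the entry names the
# built-in Administrators group, and the user is only a member of Users.
$cfg = @('SomeOtherSetting=1', '', 'AuthenticatedCLIUsers=S-1-5-32-544')
$whoami = @(
    'lab\analyst    S-1-5-21-1111111111-2222222222-3333333333-1001',
    '',
    'Everyone       Well-known group S-1-1-0       Mandatory group, Enabled by default, Enabled group',
    'BUILTIN\Users  Alias            S-1-5-32-545  Mandatory group, Enabled by default, Enabled group'
)
Compare-RepCliSid -CfgText $cfg -WhoamiText $whoami

# On an endpoint (cfg.ini path left as the article's placeholder):
# Compare-RepCliSid -CfgText (Get-Content '<insert cfg.ini file path>') -WhoamiText (whoami /user /groups)
```

The function matches on the SID alone and ignores the Attributes column of the `whoami` output, so a group that `whoami` lists as "Group used for deny only" still counts as held.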

Additional Notes

  • A mismatch between the SIDs from steps 3 and 4 is the reason the user is not authorized to run RepCLI commands that require authentication
  • If the user trying to run an authenticated RepCLI command does not match the AuthenticatedCLIUsers field in the cfg.ini file, that user will not be authorized to run such commands
  • The SID specified in the AuthenticatedCLIUsers field (cfg.ini) can either be for a single User account, or for a Group to which the user belongs
  • Because authenticated RepCLI commands allow placing a Sensor into Bypass, re-registering it with the backend, etc., it is not advised to use SIDs of insecure Groups and/or Users

Article Information
Creation Date: 09-09-2020