EDR: How to Pull a List of Computers and Tamper Protection Passwords
Article ID: 287928

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

How to get a list of computers and their associated tamper protection passwords

Environment

  • EDR Server: 7.4 and higher
  • EDR Windows Sensor: 7.2 and higher
  • Windows 10 v1703 (Desktop) and higher
  • Windows Server 2016 v1709 (Windows build 15163) and higher

Resolution

  1. Log in to a terminal session on the EDR server.
  2. Run the following command to create a CSV report:
    psql -p 5002 cb -c "COPY(SELECT sr.computer_name, sr.id, sg.name as sensor_group, tp.password, ss.last_checkin_time FROM sensor_groups sg JOIN tamper_protection_history tp ON sg.id = tp.group_id JOIN sensor_registrations sr ON sr.group_id = tp.group_id JOIN sensor_status ss ON ss.id = sr.id WHERE ss.last_checkin_time >= current_timestamp -(interval '24 hour') ORDER BY sr.computer_name) to '/tmp/tamper_report.csv' with CSV HEADER"

Additional Information

  • Duplicates may be seen. This can mean there were duplicate computer name entries with different sensor IDs, or that a new tamper password was generated for the sensor group the sensor was moved into. In that case, each password associated with the sensor ID should be tried.
  • If a sensor was moved into another group but did not check in with the server, the password will not be correct in this report. Try the other sensor group passwords if you do not know the last group the sensor resided in. 
  • If a sensor group was deleted, the history for the tamper passwords is removed.
  • If the tamper passwords do not work or have been removed due to a deleted group, please see the article "EDR: Tamper Protection Password History is Currently Removed when the Group is Deleted".
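
To work through the duplicates described above, the report can be grouped by computer name and sensor ID so it is clear which machines have more than one password to try. This is an added example, not part of the original article or of Carbon Black tooling; the sample rows, password values and function names are constructed, and only the column names come from the query in the Resolution section.

```python
import csv
import io
import sys
from collections import defaultdict

# Constructed sample rows; only the header matches the report query's columns.
SAMPLE_REPORT = """\
computer_name,id,sensor_group,password,last_checkin_time
HOST-A,11,Default Group,EXAMPLE-PW-1,2024-01-10 09:00:00+00
HOST-B,12,Servers,EXAMPLE-PW-2,2024-01-10 09:05:00+00
HOST-B,12,Servers,EXAMPLE-PW-3,2024-01-10 09:05:00+00
HOST-C,13,Default Group,EXAMPLE-PW-1,2024-01-10 08:00:00+00
HOST-C,27,Servers,EXAMPLE-PW-2,2024-01-10 09:30:00+00
HOST-C,27,Servers,EXAMPLE-PW-3,2024-01-10 09:30:00+00
"""

def load_candidates(report_file):
    """Return {computer_name: {sensor_id: [(sensor_group, password), ...]}}."""
    grouped = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(report_file):
        entry = (row["sensor_group"], row["password"])
        per_sensor = grouped[row["computer_name"]][row["id"]]
        if entry not in per_sensor:  # skip exact repeats of the same row
            per_sensor.append(entry)
    return {name: dict(sensors) for name, sensors in grouped.items()}

def needs_review(candidates):
    """Computers with several sensor IDs or several passwords to try."""
    flagged = {}
    for name, sensors in candidates.items():
        total = sum(len(entries) for entries in sensors.values())
        if len(sensors) > 1 or total > 1:
            flagged[name] = {"sensor_ids": list(sensors), "passwords_to_try": total}
    return flagged

def load_sample():
    return load_candidates(io.StringIO(SAMPLE_REPORT))

if __name__ == "__main__":
    # Pass the report path as the first argument; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="") as fh:
            candidates = load_candidates(fh)
    else:
        candidates = load_sample()
    # Print counts only, so passwords do not end up in terminal scrollback.
    for name, info in sorted(needs_review(candidates).items()):
        print(f"{name}: sensor ids {info['sensor_ids']}, "
              f"{info['passwords_to_try']} passwords to try")
```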