How to Access RepCLI with Live Response
Article ID: 288873
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Access the RepCLI utility during a Live Response session
Environment
- Carbon Black Cloud Sensor: 3.3.x.x and higher
- Carbon Black Cloud Console: All versions
- Microsoft Windows: All supported versions
Resolution
- Initiate a Live Response session from the Console (Endpoints > Go Live)
- Change directory repcli.exe location or format commands with the full path
cd C:\Program Files\Confer
- Preface repcli commands with "execfg"
execfg repcli status
Additional Information
- The Live Response session runs on the local machine as Local System
- The Windows Local System SID will need to be authenticated to provide full RepCLI access
- The Windows System SID is S-1-5-18
- This can be confirmed within the LR session
execfg whoami /user User Name SID =================== ======== nt authority\system S-1-5-18
- 3.5.x.x and higher Sensors do not require a SID for authenticated RepCLI commands when run via Live Response
- One caveat for 3.5.x.x - 3.7.0.1253 Sensors is that Bypass mode can be turned on via RepCLI during Live Response but cannot be turned off via RepCLI
- The above caveat is resolved in 3.7.0.1411 and higher Sensor versions
Feedback
Yes
No
Powered by
