Carbon Black Cloud: How to Access RepCLI with Live Response

Article ID: 288873

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Access the RepCLI utility during a Live Response session

Environment

  • Carbon Black Cloud Sensor: 3.3.x.x and higher
  • Carbon Black Cloud Console: All versions
  • Microsoft Windows: All supported versions

Resolution

  1. Initiate a Live Response session from the Console (Endpoints > Go Live)
  2. Change directory to the repcli.exe location, or format commands with the full path
    cd C:\Program Files\Confer
  3. Preface repcli commands with "execfg"
    execfg repcli status

Additional Information

  • The Live Response session runs on the local machine as Local System
  • The Windows Local System SID will need to be authenticated to provide full RepCLI access
  • The Windows System SID is S-1-5-18
  • This can be confirmed within the LR session
    execfg whoami /user
    
    User Name             SID 
    ===================   ======== 
    nt authority\system   S-1-5-18
  • 3.5.x.x and higher Sensors do not require a SID for authenticated RepCLI commands when run via Live Response
    • One caveat for 3.5.x.x - 3.7.0.1253 Sensors is that Bypass mode can be turned on via RepCLI during Live Response but cannot be turned off via RepCLI
    • The above caveat is resolved in 3.7.0.1411 and higher Sensor versions