To access an endpoint using Live Response, a user must either have Carbon Black EDR Global Administrator or Carbon Black Hosted EDR Administrator privileges, or be on a team with the Analyst role for that endpoint. A session must first be created with the sensor. A session indicates that the sensor is connected to the Carbon Black EDR server to receive real-time commands.

Sessions are created and attached automatically when you click the Go Live button on the Sensor Details or Process Analysis pages. If you enter the Live Response console using the Go Live command from the console menu, access to an endpoint requires that you first create and attach a session:

session new [sensor_id]
attach [provided_session_id]

You can have sessions with multiple sensors active at the same time. Use the detach command to detach from a session but leave it active.

Use the session close command to end a session with the sensor. Sessions time out when they have been unattached and inactive for five minutes.

Each session has a unique numeric ID. Up to 10 sessions can be running at one time, and multiple users can be attached to the same session.

Note:

More than one Carbon Black EDR console user can attach to the same session with an endpoint at the same time. If more than one user submits a command through the session at approximately the same time, each command must finish executing before the next one can begin. Also, one user can undo or otherwise modify what another user is doing. Consider this if more than one user has Live Response access to an endpoint.

The following table shows the complete set of Live Response commands. In the descriptions, remote host refers to the host that is being accessed through Live Response, and local host refers to the host on which the user is running the Carbon Black EDR console. These commands are all run in the SYSTEM context.

Command

Description

archive

Obtain an archive (gzip tarball) of all the session data for this session, including commands run and files downloaded.

The archive is downloaded to the computer on which you are running the Carbon Black EDR console by using the browser’s download method.

argparse

Test how Live Response parses CLI arguments. This command helps determine if there are any interpretation issues. For example, it can reveal whether spaces or other special characters are properly escaped.

cd [dir]

Change the current working directory. Options include absolute, relative, drive-specific, and network share paths.

clear

Clear the console screen; the cls command can also be used for this purpose.

delete [path]

Delete the file specified in the path argument. The file is permanently deleted, not sent to the Recycle Bin.

detach

Detach from the current Live Response session. If a session has no attachments, it remains live until it times out (five minutes by default).

dir

Return a list of files in the current directory, or in the specified directory if one is added to the command (for example, dir c:\temp or dir /tmp).

drives

List the drives on the remote host. This is for Windows only.

exec [processpath]

Execute a background process specified in the processpath argument on the current remote host. By default, process execution returns immediately and output is to stdout and stderr.

Options may be combined:

  • exec -o outputfile processpath – Redirect the process output to the specified remote file, which you can download.

  • exec -w processpath – Wait for the process to exit before returning.

You could combine the options as shown in the example below to execute and capture the output from a script:

exec -o c:\output.txt -w c:\scripts\some_script.cmd

You must provide the full path to the process for the processpath argument. For example:

c:\windows\system32\notepad.exe
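Added example (not Carbon Black's own code): a small Python tokenizer and option parser that mirrors the exec syntax documented above, which is the kind of interpretation question the argparse command exists to test, namely how spaces and quotes in a command line are split. The quoting rules (double quotes group a run, backslashes are literal), the accepted absolute-path forms, and the ExecRequest type are assumptions modelled on the examples on this page, not a specification of how the product parses.

```python
"""Tokenizer and option parser modelled on the documented Live Response exec
syntax: exec [-o outputfile] [-w] processpath [args...].

Added, stand-alone example; it is not Carbon Black's argument parser.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Absolute path forms accepted for processpath (assumption): drive-letter
# paths (c:\...), UNC shares (\\server\share\...), and POSIX paths (/usr/bin/...).
_ABSOLUTE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\[^\\]+\\|/)")


def tokenize(line: str) -> List[str]:
    """Split a command line on whitespace, keeping double-quoted runs intact.

    Backslashes are ordinary characters (Windows-style), so c:\\temp survives;
    a POSIX shlex-style split would swallow them.
    """
    tokens: List[str] = []
    current: List[str] = []
    in_quotes = False
    have_token = False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True          # "" is a legitimate empty argument
        elif ch.isspace() and not in_quotes:
            if have_token:
                tokens.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if in_quotes:
        raise ValueError("unterminated double quote")
    if have_token:
        tokens.append("".join(current))
    return tokens


@dataclass
class ExecRequest:
    processpath: str
    args: List[str] = field(default_factory=list)
    outputfile: Optional[str] = None   # -o: redirect output to a remote file
    wait: bool = False                 # -w: wait for the process to exit


def parse_exec(line: str) -> ExecRequest:
    """Parse 'exec [-o outputfile] [-w] processpath [args...]'."""
    tokens = tokenize(line)
    if not tokens or tokens[0] != "exec":
        raise ValueError("expected a line starting with 'exec'")
    outputfile: Optional[str] = None
    wait = False
    i = 1
    # Options come before the process path and may be combined in any order.
    while i < len(tokens) and tokens[i] in ("-o", "-w"):
        if tokens[i] == "-w":
            wait = True
            i += 1
        else:
            if i + 1 >= len(tokens):
                raise ValueError("-o requires an output file")
            outputfile = tokens[i + 1]
            i += 2
    if i >= len(tokens):
        raise ValueError("missing processpath")
    processpath = tokens[i]
    # The documentation requires the full path to the executable.
    if not _ABSOLUTE.match(processpath):
        raise ValueError(f"processpath must be an absolute path: {processpath!r}")
    return ExecRequest(processpath, tokens[i + 1:], outputfile, wait)


if __name__ == "__main__":
    # Constructed inputs: the page's combined example, plus a quoted path.
    print(parse_exec(r"exec -o c:\output.txt -w c:\scripts\some_script.cmd"))
    print(parse_exec(r'exec "c:\program files\tool.exe" -v "arg with spaces"'))
```

Running argparse in a real session against the same inputs shows whether the console agrees with this model, which is exactly the check to make before relying on a path that contains spaces.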

execfg [processpath]

Execute a process on the remote host and return stdout/stderr.

For example, this command prints the output of ipconfig to the screen:

execfg c:\windows\system32\ipconfig /all

files [-s session] [action] [option]

Perform actions over cache-stored session files.

All files transferred to/from an endpoint with every Live Response session are cached on the server for a period of time after a session is closed. If there is an interruption in the connection between a user's browser and the Carbon Black EDR server, files can be retrieved directly from the cache instead of connecting to the sensor again.

This command is valid in both the global and session scopes when attached to a sensor. In the global scope, the session ID must be defined with -s.

A list of sessions is available through the sessions command. If attached to a sensor, the current session is assumed unless otherwise specified.

There are three available actions:

  • list – List all the cached files that are available in the specified session by file ID.

  • get [id] – Get the file [id] from the cache.

  • delete [id] – Remove the file [id] from the cache.

get [path]

Obtain the file specified in the path argument from the remote host and download it to the host running the Carbon Black EDR console for this session. Progress of the download is indicated in the Live Response window as described in Live Response Status, Error, and Progress Messages.

help

Show the Live Response session commands with a brief description of each. If a command name is added, show the description of the specified command, with additional details (such as options) if available. For example:

help dir

hexdump

Output the first 50 bytes of the file in a hexdump format.

kill

Terminate the specified process.

memdump [filepath]

Take a full system memory dump and store it to the given file path, which must include a file name. When the memory dump is completed, it is automatically compressed and uploaded to the server. If you name the file with a .zip extension, it will be uploaded using the file name you provided. Otherwise, Live Response will append .zip to the name you provide. Once uploaded, the .zip file can be downloaded through the Carbon Black EDR console.

Memory dumps can take several minutes. Progress is indicated in the Live Response window as described in Live Response Status, Error, and Progress Messages.

The memdump command is for Windows hosts only.

mkdir

Make a directory on the remote host.

ps

Obtain a list of processes from the remote host.

In the output from this command, the listing for each process includes an Analyze link. Clicking the link opens the Process Analysis page for the process.

Note that analysis information for a newly discovered process might not yet be fully committed to the Carbon Black EDR database and therefore not viewable.

Clicking the link navigates away from the Live Response console and loses whatever context you had there.

put [remotepath]

Put a file from the host on which the console is being run onto the remote host at the specified path. You specify the file in the Open dialog of the browser, after the command is entered in Live Response. Progress of the upload is indicated in the CBLR console as described in Live Response Status, Error, and Progress Messages.

pwd

Print the current working directory.

reg

View or modify Windows registry settings. The syntax of this command is:

reg [action] [key] [options]

See Registry Access in Live Response or use help reg in the Live Response command window for details.

This command is for Windows only.

As shown in the preceding table, some commands provide information and others allow you to modify an endpoint.

Note:

Be sure to use the commands and options as documented here. Although some of the Live Response commands are the same as commands in the DOS command interface, the available options are specific to Live Response.
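Added example, not part of the Carbon Black EDR documentation: a Python audit pass that groups Live Response activity by session, separates the commands that only return information from those that change the endpoint (the distinction drawn in the preceding table), and flags sessions that more than one user shared, the situation the earlier note warns about. The log line format, the SAMPLE_LOG records, and the classification sets are constructed for illustration; the product's real audit records look different.

```python
"""Audit pass over Live Response session activity.

Added example, not part of the Carbon Black EDR documentation.  The log line
format and the sample records below are constructed for illustration; the
product's real audit records look different.  The command classification
follows the documented command table: commands that only return information
versus commands that change the endpoint.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Commands that only read from or report on the remote host.
READ_ONLY = {"archive", "argparse", "cd", "clear", "cls", "dir", "drives",
             "files", "get", "help", "hexdump", "ps", "pwd"}
# Commands that change the remote host. `reg` is counted here because it can
# modify the registry as well as view it; `memdump` writes a file to the host.
MODIFYING = {"delete", "exec", "execfg", "kill", "memdump", "mkdir", "put", "reg"}
# Session-control commands, which do not run on the endpoint itself.
SESSION_CONTROL = {"session", "attach", "detach"}

# Constructed format: <timestamp> session=<id> user=<name> sensor=<id> cmd=<text>
LINE = re.compile(r"^(?P<ts>\S+) session=(?P<session>\d+) user=(?P<user>\S+) "
                  r"sensor=(?P<sensor>\d+) cmd=(?P<cmd>.*)$")


@dataclass
class SessionActivity:
    sensor_id: str = ""
    users: Set[str] = field(default_factory=set)   # everyone who ran a command
    modifying: List[str] = field(default_factory=list)
    read_only: int = 0
    unknown: List[str] = field(default_factory=list)


def audit(lines: List[str]) -> Dict[str, SessionActivity]:
    """Group commands by session and classify each one."""
    sessions: Dict[str, SessionActivity] = defaultdict(SessionActivity)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                      # not a Live Response record
        act = sessions[m["session"]]
        act.sensor_id = m["sensor"]
        act.users.add(m["user"])
        cmd = m["cmd"].strip()
        verb = cmd.split()[0].lower() if cmd else ""
        if verb in MODIFYING:
            act.modifying.append(cmd)
        elif verb in READ_ONLY:
            act.read_only += 1
        elif verb not in SESSION_CONTROL:
            act.unknown.append(cmd)
    return dict(sessions)


def findings(sessions: Dict[str, SessionActivity]) -> List[str]:
    """Points a reviewer of the session would want to see first."""
    out: List[str] = []
    for sid, act in sorted(sessions.items()):
        if len(act.users) > 1:
            out.append(f"session {sid}: {len(act.users)} users shared the session "
                       f"({', '.join(sorted(act.users))}); one can undo another's work")
        for cmd in act.modifying:
            out.append(f"session {sid} (sensor {act.sensor_id}): endpoint changed by {cmd!r}")
        for cmd in act.unknown:
            out.append(f"session {sid}: unrecognised command {cmd!r}")
    return out


# Constructed sample: two analysts on one session, one of them deleting a file,
# and a second session that terminates a process.
SAMPLE_LOG = [
    r"2024-05-01T10:00:00Z session=12 user=alice sensor=345 cmd=attach 12",
    r"2024-05-01T10:00:05Z session=12 user=alice sensor=345 cmd=dir c:\temp",
    r"2024-05-01T10:00:30Z session=12 user=alice sensor=345 cmd=get c:\temp\suspect.dll",
    r"2024-05-01T10:01:00Z session=12 user=bob sensor=345 cmd=attach 12",
    r"2024-05-01T10:01:10Z session=12 user=bob sensor=345 cmd=delete c:\temp\suspect.dll",
    r"2024-05-01T10:02:00Z session=13 user=carol sensor=346 cmd=ps",
    r"2024-05-01T10:02:20Z session=13 user=carol sensor=346 cmd=kill 4242",
    "unrelated line that is not a Live Response record",
]

if __name__ == "__main__":
    for f in findings(audit(SAMPLE_LOG)):
        print(f)
```

Because every command in a session runs in the SYSTEM context, the modifying set is the one to review first; the shared-session finding matters because the page notes that one attached user can undo or alter what another is doing.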