Minor Update: 9/21/2021
Carbon Black Live Response is a consistently fast and reliable remote command-line tool for responding to security alerts. The same commands should also work for Carbon Black Defense. Most of these commands will also work within other tools such as Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection), but may require some tweaks.
From my experience, if you can run the command within the command line or PowerShell, it can be run within CBR, though some actions require slight modification.
Get Information
- Get the start time of each process on a machine running Windows
execfg powershell /c Get-Process | select name,id,starttime
- Get the hash of a file (SHA-256 by default)
- Append “-Algorithm md5” to get the hash in MD5 format
execfg cmd /c powershell get-filehash steam.exe
- Get the status of Windows Defender/ATP settings
execfg cmd /c powershell Get-MpComputerStatus
execfg powershell Get-MpPreference
- Get logs, events or files off a machine
cd c:\windows\System32\Winevt\Logs\
get NameOfEvent.evtx
- Get AppLocker Events off a machine, for offline review
get "Microsoft-Windows-AppLocker%4EXE and DLL.evtx"
- Get network information from the machine
execfg cmd /c ipconfig /all
- Tip: to go back to the root of the drive, do not use “cd\”, use “cd \”
cd \
Network Commands
- Test open ports or network connection on a remote machine
execfg cmd /c powershell test-netconnection YourTargetHostorDNSNameHere -port 443
execfg cmd /c powershell test-netconnection YourTargetIPHere -port 1433
execfg powershell test-netconnection www.richardwalz.com -port 443
- Trace route to a particular hostname; this command will take some time.
execfg cmd /c tracert YourTargetIPorHostname
- Overwrite the hosts file with a different record
execfg cmd /c "echo 8.8.8.8 google.com > %WINDIR%\System32\Drivers\Etc\Hosts"
- Append a record to the hosts file
execfg cmd /c "echo 8.8.8.8 google.com >> %WINDIR%\System32\Drivers\Etc\Hosts"
Query Machines
- Get list of users logged into a machine (useful for Citrix or RDS hosts)
execfg cmd /c quser
- Log off a specific user by session ID
execfg cmd /c logoff [ID]
- Zip up a specific file and password protect it.
- -p = password switch for 7-Zip
- Combine this with getfile to pull the file back to your machine. Putting a password on the archive ensures the contents make it back intact and avoids any DPI/SSL inspection you may have, especially if there is malicious content in the payload.
execfg cmd /c "C:\Program Files\7-Zip\7z.exe" a C:\FileReview.7z c:\users\jdoe\downloads\ftpsetup.exe -pTopSecretPassword -mhe
- Zip up a folder and its contents and password protect it.
- -p = password switch for 7-Zip
- Combine this with getfile to pull the archive back to your machine. Putting a password on the archive ensures the contents make it back intact and avoids any DPI/SSL inspection you may have, especially if there is malicious content in the payload.
execfg cmd /c "C:\Program Files\7-Zip\7z.exe" a C:\DataReview.7z c:\users\jdoe\downloads -pTopSecretPassword -mhe
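The collection steps above (pull logs or a suspicious file, hash it, package it with 7-Zip) combined into one script, as an added example that is not part of the original post. It assumes 7-Zip at the path shown, that the script is uploaded with the Live Response put command and started with execfg powershell -ExecutionPolicy Bypass -File, and the file list, staging directory and password are constructed placeholders.

```powershell
# Added example: stage evidence files, write a SHA-256 manifest, then build a
# password-protected 7z archive (-mhe also encrypts the file names) for getfile.
# Constructed sample paths; replace with the files under review.
$Files = @(
    "$env:WINDIR\System32\winevt\Logs\Security.evtx",
    "$env:WINDIR\System32\winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx",
    "C:\Users\jdoe\Downloads\ftpsetup.exe"
)
$Stage    = "C:\Windows\Temp\evidence"          # placeholder staging folder
$Archive  = "C:\FileReview.7z"
$Password = "TopSecretPassword"                 # placeholder, use a one-time secret
$SevenZip = "C:\Program Files\7-Zip\7z.exe"     # assumed 7-Zip install path

New-Item -ItemType Directory -Path $Stage -Force | Out-Null

# One manifest row per file so the analyst can verify integrity after the
# archive has been pulled back and extracted.
$Manifest = foreach ($f in $Files) {
    if (-not (Test-Path -LiteralPath $f)) {
        Write-Warning "Missing: $f"
        continue
    }
    # Live .evtx files are held open by the EventLog service; copying normally
    # still works, but a sharing error is reported rather than aborting the run.
    try {
        Copy-Item -LiteralPath $f -Destination $Stage -ErrorAction Stop
    } catch {
        Write-Warning "Could not copy $f : $($_.Exception.Message)"
        continue
    }
    [pscustomobject]@{
        Path   = $f
        SHA256 = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Bytes  = (Get-Item -LiteralPath $f).Length
    }
}
$Manifest | Export-Csv -Path (Join-Path $Stage "manifest.csv") -NoTypeInformation
$Manifest | Format-Table -AutoSize

# a = add to archive, -p sets the password, -mhe encrypts the archive header
# (file names) as well as the contents.
& $SevenZip a $Archive "$Stage\*" "-p$Password" -mhe | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }

# Record the archive hash before getfile so transfer integrity can be checked.
Get-FileHash -LiteralPath $Archive -Algorithm SHA256
```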
- Remotely clear cached logons, for use when a user leaves. This will prevent the user from logging in unless the machine has line of sight to the domain.
- Isolate the device, then run this command
- If desired, shut down the machine
execfg cmd /c reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount /t REG_SZ /d 0 /f
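The same change as a script that first records the current value so it can be restored when the investigation is over, as an added example that is not part of the original post. It assumes the script is uploaded with put and started with execfg powershell -ExecutionPolicy Bypass -File; the backup path is a constructed placeholder.

```powershell
# Added example: disable cached domain logons (CachedLogonsCount = 0) after
# saving the previous value, then verify the write.
$Key    = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$Name   = "CachedLogonsCount"
$Backup = "C:\Windows\Temp\CachedLogonsCount.bak"   # placeholder backup path

# When the value is absent Windows uses its default of 10 cached logons.
$Current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $Current) { $Current = "10 (default, value not present)" }
"$(Get-Date -Format o) previous $Name = $Current" | Out-File -FilePath $Backup -Append
Write-Output "Previous $Name : $Current (saved to $Backup)"

# REG_SZ, matching the reg add command above. 0 means no credentials are
# cached, so a logon needs line of sight to a domain controller.
Set-ItemProperty -Path $Key -Name $Name -Value "0" -Type String

$After = (Get-ItemProperty -Path $Key -Name $Name).$Name
if ($After -ne "0") { throw "$Name is '$After', expected 0" }
Write-Output "$Name is now 0; it applies to subsequent logons, so isolate or shut down to end the current session."
```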
- Restart the machine in 5 minutes
execfg cmd /c shutdown -r -f -t 300
- Immediately Restart the machine
execfg cmd /c shutdown -r -f -t 0
- Immediately Shutdown the machine
execfg cmd /c shutdown -s -f -t 0
- Stop a service
execfg powershell /c Stop-Service -Name "spooler" -Force
- Start a service
execfg powershell /c Start-Service -Name "spooler"
- Set a service to Disabled state
exec powershell /c Set-Service -Name "spooler" -StartupType "Disabled"
- Set a service to Automatic (enabled) state
exec powershell /c Set-Service -Name "spooler" -StartupType "Automatic"
- Search the system for a Certificate Thumbprint
execfg cmd /c powershell "dir cert: -Recurse | Where-Object { $_.Thumbprint -like '*8327FC0B2919FAB07DF761F*' }"
- Delete a folder and its contents (this may take some time depending upon the number of files and folders)
execfg cmd /c rmdir /s /q "c:\programdata\thiscrappyapp"
- Delete a specific file
del c:\users\johndoe\downloads\invoice-shipping.msg
- Add a user to the Local Administrators Group
execfg cmd /c net localgroup administrators MyLocalUserAdmin /add
- Remove a user from the Local Administrators Group
execfg cmd /c net localgroup administrators MyLocalUserAdmin /delete
- Enable RDP remotely
execfg cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
execfg cmd /c netsh advfirewall firewall set rule group="remote desktop" new enable=yes
execfg cmd /c net localgroup "Remote Desktop Users" TheNameOfTheUser /add
- List the users in the Local Administrators Group
execfg cmd /c net localgroup administrators