
Developer Roll Up: August 2023

Christopher Luft

It has been an incredibly busy month for the team at LimaCharlie. We have released several powerful new features and made many improvements to existing functionality. The month was also notable because the largest pure-play cybersecurity company publicly stated that it shares a vision similar to our SecOps Cloud Platform.

MSSN CTRL is a cybersecurity conference that will focus on innovative methods that are changing the way security has been practiced over the past decade.

The two-day conference will host highly technical speakers and training sessions representing everyone from innovative cybersecurity start-ups to Fortune 50 SOC teams.

The conference is taking place in Arlington, VA on October 5-6, and there are still tickets available. You can learn more and register at mssnctrl.org.

Welcome to Loud & Clear, LimaCharlie’s webinar and training series, directed at helping folks understand how to utilize some of the key features and capabilities of the LimaCharlie platform.

In our September session, we’ll look at how to best use LimaCharlie’s schedule-driven detection & response rules. Schedule-driven events allow you to utilize D&R rules to help automate information collection and other organization-specific operations. They can also be critical to gathering health details from your organization, allowing for easy package enumeration or sensor health checks.

Register here for the webinar, live on September 20, 2023 at 10:00AM PDT / 1:00PM EST.


EDR Sensor 4.28.2 & 4.28.3

The team has made some big improvements to the LimaCharlie EDR Sensor and made two updates in the month of August.

  • Fixed an issue that could cause some files to be skipped by dir_find_hash

  • Fixed an issue where custom Exfil Watches could result in a small memory leak

  • Enabled reporting from the sensor to the cloud for some enrollment errors, to assist in troubleshooting complex environments

  • Fixed a crash in some cases where a duplicate tasking is emitted by the cloud

  • Log the human-readable version of SSL/network failure codes during Payload execution and Artifact collection, to help troubleshoot networking issues

  • Expanded the set of Windows root CAs used for non-pinned network connections, which should reduce cases where Windows Servers have issues with Google certificates

New MFA option - Authenticator App

In this release, we are expanding our list of Multi-factor authentication (MFA) options. In addition to SMS-based MFA, LimaCharlie now supports TOTP (Time-based One-Time Password) codes generated by authenticator apps.

Multi-factor authentication using an authenticator app is a stronger method of protection than SMS-based MFA.

To get started with the new MFA method, navigate to the Manage User Settings option in the web app and choose Add Multi-Factor Authentication. You may be required to log in to your LimaCharlie account again before you can proceed.

Lookup of the Living Off the Land feed from loldrivers.io

The team at LimaCharlie has added a new extension - loldrivers.

Once subscribed, this extension will create and update a lookup named loldrivers which can be referenced with hive://lookup/loldrivers in a D&R rule like:

    op: lookup
    event: CODE_IDENTITY
    path: event/HASH
    resource: hive://lookup/loldrivers
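To make the semantics of that detect component concrete, here is a toy evaluator for the lookup operator. It is an added illustration and not LimaCharlie's engine: the rule shape (op/event/path/resource) comes from the post, while the evaluation logic, the event layout (a routing/event_type field next to the event body), the sample events and the placeholder hashes are constructed for this example.

```python
# Toy evaluator for the `lookup` D&R operator shown above. Added illustration, not
# LimaCharlie's engine: the rule shape (op/event/path/resource) is from the post,
# while the evaluation logic, sample events and hashes are constructed here.

# Constructed stand-in for hive://lookup/loldrivers, keyed by the matched value.
# The hash is a placeholder, not a real loldrivers.io entry.
PLACEHOLDER_HASH = "ab" * 31 + "01"
LOOKUPS = {"hive://lookup/loldrivers": {PLACEHOLDER_HASH: {"name": "placeholder.sys"}}}

# The detect component of the rule from the post, as a dict.
RULE = {
    "op": "lookup",
    "event": "CODE_IDENTITY",
    "path": "event/HASH",
    "resource": "hive://lookup/loldrivers",
}

def resolve_path(record, path):
    """Walk a slash-separated path such as "event/HASH" through nested dicts."""
    node = record
    for part in path.split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def evaluate_lookup(rule, record):
    """Return the matching lookup entry, or None when the rule does not fire."""
    # The event filter applies first: other event types never match.
    if record.get("routing", {}).get("event_type") != rule["event"]:
        return None
    value = resolve_path(record, rule["path"])
    if value is None:
        return None  # path absent from this event: no match, not an error
    # Hex hashes are compared case-insensitively so upper/lower case both match.
    return LOOKUPS.get(rule["resource"], {}).get(str(value).lower())

# Constructed sample telemetry shaped like sensor events (routing + event).
SAMPLE_EVENTS = [
    {"routing": {"event_type": "CODE_IDENTITY"},
     "event": {"FILE_PATH": r"C:\drivers\x.sys", "HASH": PLACEHOLDER_HASH.upper()}},
    {"routing": {"event_type": "CODE_IDENTITY"},
     "event": {"FILE_PATH": r"C:\drivers\y.sys", "HASH": "ab" * 31 + "02"}},
    {"routing": {"event_type": "NEW_PROCESS"}, "event": {"HASH": PLACEHOLDER_HASH}},
]

def matches(rule=RULE, events=SAMPLE_EVENTS):
    """Return the FILE_PATH of every event for which the rule fires."""
    return [e["event"].get("FILE_PATH") for e in events if evaluate_lookup(rule, e)]
```

Only the first sample fires: the second hash is not in the lookup, and the third event carries a listed hash but is not a CODE_IDENTITY event, so the event filter excludes it.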

Announcing LimaCharlie Extensions

Announcing the launch of LimaCharlie Extensions. Extensions were built as a logical evolution of LimaCharlie Services. Drawing on what we learned building Services, Extensions were designed to offer:

  • Better UX for users interacting with an Extension

  • Simpler code and infra which results in better performance

  • Better developer UX

Extensions in LimaCharlie provide a framework to allow anyone to integrate and augment capabilities in the LimaCharlie Cloud.

Extensions are defined globally across all LimaCharlie data centers. To use an Extension, an Organization must subscribe to it. Once subscribed, users and automation components within the Organization can start interacting with the Extension.

Each Extension has a set of permissions associated with it. Once subscribed, the Extension is granted those permissions on the Organization. Some Extensions can also impersonate the caller to perform some actions.

Any User (the Extension's Owner) can create an Extension, but such Extensions are "private": only Organizations where the Owner holds the billing.ctrl and user.ctrl permissions can subscribe to them. To make an Extension "public" (so that anyone can subscribe to it), first create it as a private Extension and, once it is ready, reach out to LimaCharlie at answers@limacharlie.io.

To learn more about the usage of Extensions, check out our technical documentation.

Introducing BinLib: Your private binary library

Introducing the newest feature to LimaCharlie: Binary Library, or “BinLib”.

This feature has only been available for a couple of weeks; however, BinLib is already reshaping how organizations can track execution history within their given environment, detect malicious binaries, and perform cross-platform analysis and hunting of binary files. BinLib even includes YARA scanning, allowing you to scan for the “unknown” using defined signatures.

Here’s a video walkthrough of some of the BinLib features. You can also check out the blog post and docs.

OpenSearch Output

We've added the OpenSearch Output which makes it even easier for LimaCharlie users to send their events, detections & telemetry to OpenSearch.