
Developer Roll Up: January 2023

Christopher Luft, LimaCharlie Co-Founder and Creative Technologist
This week in cybersecurity news:

> Microsoft has started blocking the execution of XLL add-ins downloaded from the Internet.
> The hacking group DragonSpark is leveraging Golang source code interpretation to evade detection.
> Threat actors are turning to Sliver to replace more popular frameworks Cobalt Strike and Metasploit.
> Over 4,500 WordPress sites have been hacked and Emotet malware makes a comeback.
> Emotet is back with new evasion techniques in MS Excel.

The team at LimaCharlie is heading into 2023 with a pace of development that is unprecedented in the history of the company. This month's roll-up has too many new features and capabilities to summarize here - please see below for all the new goodness. Earlier this month, key members of the team got together to reflect on the progress we made in 2022 and to speculate on what we hope to accomplish in 2023. If you missed it, you can watch that talk below.

On February 28th, we will be officially introducing our new query language, which makes leveraging historical telemetry and investigating across your entire fleet a breeze. If you want to join us for this educational and interactive session, please sign up below.

limacharlie.io/webinar


Announcing LimaCharlie demo tenant configuration

We want to make it easier for users new to LimaCharlie to get started with the product and to understand what our approach can enable. We have always made it easy to create an account without having to attend a mandatory sales demo, and provided free training and documentation.

In this release, we are introducing the ability to apply a demo configuration to the LimaCharlie tenant. Adding the Demo Tenant Configuration will onboard a demo sensor, generate detections, and enable a variety of features so that users new to LimaCharlie can easily explore its functionality.

Give it a try and tell us what you think - we are always looking for feedback and ideas to keep improving the product. If you are new to LimaCharlie, we would love to hear about your experience and what we can do better.

JSON Web Token Generation for LimaCharlie API

In a continuous effort to make our infrastructure faster and more reliable, we've begun migrating the API endpoint where you can generate JWTs for the LimaCharlie API.

Historically, the endpoint was https://app.limacharlie.io/jwt, but this implementation had scaling and reliability issues.

A new, better version of this endpoint now lives at https://jwt.limacharlie.io. It supports exactly the same interaction as the previous implementation, so you can simply search and replace the URL value and everything will work the same.

The old version will remain in place for a long time, but we strongly encourage you to move to the new implementation when it is convenient for you.

The Python and Go SDKs / CLI have already begun their migration, so the only cases that might require manual intervention on your part are the ones where you use the LimaCharlie API directly yourself.
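For those calling the API directly, the migration is a URL change, but it is also a good moment to make sure the token is fetched once and reused rather than requested on every call. The helper below is an added example, not LimaCharlie's SDK code: it rewrites the legacy URL to the new one, caches the JWT, and reads the token's exp claim (without verifying it, which the API does) to refresh shortly before expiry. The request shape (form fields oid and secret, a JSON body with a jwt field) and the bearer header are assumptions not stated in the post; the fetch function is injectable so the logic runs offline against a constructed token.

```python
import base64
import json
import time
from typing import Callable, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

LEGACY_JWT_ENDPOINT = "https://app.limacharlie.io/jwt"  # from the post
NEW_JWT_ENDPOINT = "https://jwt.limacharlie.io"         # from the post

# Refresh this many seconds before the token's exp to absorb clock skew.
REFRESH_MARGIN_SECONDS = 60


def migrate_jwt_url(url: str) -> str:
    """The search-and-replace the post recommends for callers on the old URL."""
    return url.replace(LEGACY_JWT_ENDPOINT, NEW_JWT_ENDPOINT)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_expiry(token: str) -> Optional[int]:
    """Return the exp claim (Unix seconds) or None if the token has none.

    This only reads the payload so the client knows when to refresh. The
    signature is checked by the LimaCharlie API, not here, so this must never
    be used to decide whether a token is trustworthy.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    exp = claims.get("exp")
    return int(exp) if exp is not None else None


def _default_fetch(endpoint: str, oid: str, secret: str) -> str:
    """Network fetch. ASSUMPTION: field names oid/secret and a {"jwt": ...}
    response body are not documented on the page; adjust if yours differ."""
    body = urlencode({"oid": oid, "secret": secret}).encode()
    with urlopen(Request(endpoint, data=body, method="POST"), timeout=10) as resp:
        return json.loads(resp.read())["jwt"]


class JwtClient:
    """Caches one JWT and refreshes it just before expiry.

    The API key is handed only to fetch and is never logged or stored in the
    returned headers; fetch and now are injectable for offline use.
    """

    def __init__(self, oid: str, secret: str, endpoint: str = NEW_JWT_ENDPOINT,
                 fetch: Callable[[str, str, str], str] = _default_fetch,
                 now: Callable[[], float] = time.time):
        self.endpoint = migrate_jwt_url(endpoint)  # tolerate callers still on the old URL
        self._oid, self._secret = oid, secret
        self._fetch, self._now = fetch, now
        self._token: Optional[str] = None
        self._exp: Optional[int] = None
        self.fetch_count = 0  # exposed for metrics and tests

    def _needs_refresh(self) -> bool:
        # A token without exp is kept until the caller discards the client.
        return self._exp is not None and self._now() >= self._exp - REFRESH_MARGIN_SECONDS

    def token(self) -> str:
        if self._token is None or self._needs_refresh():
            self._token = self._fetch(self.endpoint, self._oid, self._secret)
            self._exp = jwt_expiry(self._token)
            self.fetch_count += 1
        return self._token

    def auth_header(self) -> dict:
        # Standard bearer header; the value is the JWT, never the API key.
        return {"Authorization": "bearer " + self.token()}


def make_test_token(exp: int) -> str:
    """Constructed sample token for offline demonstration only (dummy signature,
    not a real credential)."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "HS256", "typ": "JWT"}), seg({"exp": exp}), "dummysig"])


if __name__ == "__main__":
    clock = [1_700_000_000.0]
    offline = JwtClient("ORG-ID-PLACEHOLDER", "API-KEY-PLACEHOLDER",
                        endpoint=LEGACY_JWT_ENDPOINT,
                        fetch=lambda e, o, s: make_test_token(int(clock[0]) + 3600),
                        now=lambda: clock[0])
    print(offline.endpoint, offline.auth_header()["Authorization"][:24] + "...")
```

Replacing the injected fetch with the default one turns this into a live client; the only code that changes is the endpoint constant, which is the point of the migration.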

LimaCharlie Query Language

We're happy to introduce the LimaCharlie Query Language (LCQL) in Beta.

LCQL allows you to query the data held in LimaCharlie retention more easily and flexibly. It also enables several new useful features:

  • Dryrun mode to get estimates of data being queried.

  • Paged queries, so querying for data over a long period of time is not all done at once, giving you the opportunity to get results without incurring the cost of the full query.

  • Event name and event element tab-completion. You don't have to remember the event names or paths to all the elements you want to query.

  • Querying, projection (only report specific values from matching elements) and aggregation (count, count_unique).

  • Display underlying D&R rules generated for the query, making it easier to use LCQL to prototype D&R rules.

For the Beta, the LCQL interface is limited to the LimaCharlie CLI (pip install limacharlie), but this capability will be built directly in the web interface in the future. Join our upcoming webinar to learn more: limacharlie.io/webinar

To launch the LCQL interface, install the LimaCharlie CLI and run limacharlie query to enter the interactive mode.

This feature is built on top of the Replay feature and shares billing.

Documentation is also available here: https://doc.limacharlie.io/docs/documentation/b0915c7a5f598-lima-charlie-query-language

Sensor 4.27.4

The latest release of the LimaCharlie endpoint sensor includes many improvements and bug fixes:

  • More detailed crash reporting.

  • On crashes, a minidump is generated on Windows in c:\windows\system32\hcpmd.dmp.

  • Expanded the list of packages returned on Windows for os_packages.

  • Fixed a crash on Windows during services listing.

  • The sensor's OID and SID are logged on sensor startup, both in STDOUT and in the local on-disk log. This is useful for troubleshooting mis-enrolled sensors.

  • Fixed a bug where the relevant file was not reported in YARA scans.

Announcing integration with SnapAttack

LimaCharlie is excited to announce integration with SnapAttack. This integration converts select high-fidelity SnapAttack Community Edition detection logic into LimaCharlie D&R rules which can be applied to your tenant in one click.

SnapAttack Community Edition includes access to open source intelligence objects and behaviorally-oriented detections developed by the SnapAttack threat research team, as well as popular community tools such as Atomic Red Team and Sigma. The ruleset contains high-confidence detections for most platforms that have been verified against true positive data by SnapAttack's threat detection team.

Similar to how it works with Sigma and Soteria rulesets, you can enable or disable individual SnapAttack rules, and replay them against historical telemetry.

To learn more, check out this help article: How can I use SnapAttack Community Edition in LimaCharlie?

To learn more about SnapAttack and their Enterprise Edition, visit https://www.snapattack.com/

Cloned Sensor De-Duplication

We've introduced a new action available in D&R rules to make it easier to re-enroll duplicate sensors that result from cloning.

The new action is re-enroll; see the example: https://doc.limacharlie.io/docs/documentation/22ae79c4ab430-examples-detection-and-response-rules#de-duplicate-cloned-sensors

Announcing new LimaCharlie web app navigation

We are excited to announce the new navigation in the LimaCharlie web app. For over a year, we have been talking to many of our users, gathering feedback to understand how people navigate the product, what we can communicate better, and how different functionality is used.

We have reorganized the web application to better reflect the LimaCharlie approach to security and to be more in line with what users expect from a security infrastructure offering.

The new navigation can be enabled in user settings. Note: if you are using multiple devices, you may be prompted to make this switch on each of them separately.

We know it takes time to switch to a new UI, so we put our users in control of when they want to do it. This is a big change that will affect all users, so we are looking for feedback and ideas about the new navigation. After this update, there are no plans for any other radical navigation changes in the near future.

Sunsetting legacy web app navigation

The legacy navigation will be sunset on February 24th, 2023. Please make sure to test the new navigation and make the switch before February 24th to get ahead of the upcoming change.

Updated web app experience for Reliable Tasking and Sensor Cull

As we are continuously looking for ways to make LimaCharlie easier to use, we have updated the web app experience for Reliable Tasking and Sensor Cull. Users can now submit tasks for sensors and manage sensor cull rules in an easier and more friendly way.

Ability to enable and disable Detection and Response rules in bulk

LimaCharlie has added the ability for users to enable/disable Detection and Response rules in bulk. Select multiple (or all) rules at once, then go to “select operation” > “enable/disable selected”. Depending on the number of rules in the organization, it may take anywhere from a few seconds to a minute to complete. You can leave the page; doing so will not interrupt the operation.

Updated web app experience for False Positive rules, Replay cost estimate, the ability to download tenant configuration & other enhancements

We've got several big and small enhancements coming out this release:

  • The web app experience managing False Positive rules now mirrors that of D&R rules. Users are able to enable/disable individual FP rules, see who created and last edited each rule, manage tags and more.

  • Users can now estimate the cost of replaying a detection & response rule before running the replay. This makes the cost of using replay even more predictable and transparent.

  • The “Templates” page under Organization Settings has been renamed to “Infrastructure as code”. Additionally, we have optimized the “Modify Existing” tab to load significantly faster, and added the ability to download the Org Configuration in JSON.

  • Styling of the File and Integrity Monitoring page has been aligned with that of YARA. “Updated date” and “updated by” are now visible for all FIM rules.

For those looking to manage access to various parts of LimaCharlie on a more granular level, we now support decoupling the value of secrets from their usage in various configurations. You can learn about how it works in the technical documentation.

Announcing scheduled jobs in LimaCharlie

In this release, we are excited to announce the ability to schedule jobs in LimaCharlie. This enables use cases such as scheduling commands to endpoints or service requests.

Scheduling is done by creating a D&R rule with a target: schedule, and defining the desired response (task, service request, etc.). For example, to issue an os_packages task once per week on Windows hosts:

To learn more about how it works and see some examples, visit our technical documentation.