Leverage open source solutions without the headache.
Velociraptor
Velociraptor, the open-source endpoint visibility tool, provides the ability to effectively investigate a wide range of digital forensic use cases. It can be used to:
- Reconstruct attacker activities through digital forensic analysis
- Hunt for evidence of sophisticated adversaries
- Investigate malware outbreaks and other suspicious network activities
- Monitor continuously for suspicious user activities, such as files copied to USB devices
- Discover whether disclosure of confidential information occurred outside the network
- Gather endpoint data over time for use in threat hunting and future investigations
Velociraptor’s power and flexibility come from the Velociraptor Query Language (VQL). The VQL framework creates highly customized scripts, which can collect, query, and monitor any aspect of an endpoint, groups of endpoints, or an entire network. Custom VQL scripts are deployed as “Artifacts”. An artifact is a text file written in YAML which encapsulates the VQL, adds human-readable descriptions, and provides parameters allowing users to customize the operation of the artifact.
LimaCharlie makes Velociraptor available as a service that can easily be run on any given endpoint or across the entire fleet. This service will automate the deployment and running of Velociraptor Artifacts. It supports three actions:
- list to show all built-in Artifacts the latest release of Velociraptor supports
- show to display the usage of a specific built-in Artifact
- collect to trigger an actual collection of Artifacts
Once generated by Velociraptor, a zip file with all collected data is ingested automatically into LimaCharlie, where you can download it. The download from LimaCharlie can also be automated using an Output stream with detection triggers that fire when the ingestion happens.
YARA Scanning
LimaCharlie automates management of YARA signature sets and their use in scanning.
YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever else you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression that determines its logic.
The YARA service is designed to help you with all aspects of YARA scanning. It takes what is normally a manual piecewise process, provides a framework, and automates it.
Once configured, YARA scans can be run on-demand for a particular endpoint or continuously in the background across your entire fleet without impacting performance.
The on-demand scan is what people generally mean when they say “YARA scanning”: it offers full control, but it tends to spike memory use and therefore impact performance. Continuous scanning (trickle scanning), on the other hand, has no noticeable impact on the user (the feature targets 1% CPU) but may take longer to complete.
To get started with YARA scanning, open the YARA Scanners view available within your organization and pull YARA rules/signatures from sources such as GitHub repositories. Then configure scanners to scan for matching signatures on sensors.
Telemetry Storage
Endpoints as well as applications such as AWS, Google Cloud, Office 365, 1Password, Slack, and thousands of others produce vast amounts of data. The volume of security data is growing, and this growth will continue for the foreseeable future. This, in turn, leads to several challenges:
- To detect threats and respond to incidents, it is not sufficient to simply collect all these logs. You need to have the ability to bring them all into one place for correlation and a holistic view of your security posture.
- To meet the compliance requirements, organizations need to store security data for a set amount of time; a solid data storage strategy is also a prerequisite for retroactive threat hunting.
- Data storage is expensive, which forces organizations and security teams to sacrifice visibility in exchange for cost reduction.
To solve these problems, LimaCharlie offers 1 year of full telemetry storage and search capability at no extra cost.
Insight is the underlying technology providing storage and search capability for LimaCharlie and is built on top of the Google Cloud Platform. With Insight, organizations can store and search a year’s worth of data from all of their sources at the click of a button.
Using the web-based interface, users can interact with individual endpoints in real-time or search and explore a year’s worth of data. Insight enables analysts to investigate security incidents as they occur or to look back in time to trace the origin of the breach.
Historical Threat Hunting
LimaCharlie allows security professionals to hunt for threats retroactively by running Detection & Response (D&R) rules against historical traffic. When a new zero-day becomes known, this enables you to run a test for known indicators of compromise over the last year of endpoint telemetry to assess if you have been compromised.
When creating a new detection & response rule for your organization, you can instantly see how many times this rule would have been triggered, which is invaluable for making D&R rules more precise and eliminating noise.
At scale, this capability provides some unique advantages for cybersecurity operations, as it allows for a continuous integration / continuous development (CI/CD) approach. When rules are modified through your change control process, you can confirm that there are no unexpected results by running the rules against known data. Think unit tests for detection logic. This moves us closer to the concept of ‘Detectors as Code’.
Running Detection & Response rules against historical traffic (Replay service) can be done in a few combinations of sources.
Rule sources:
- Existing rule in the organization, by name
- Rule in the replay request
Traffic sources:
- Sensor historical traffic
- Local events provided during the request
Running D&R rules against historical telemetry can be done via API, Python CLI, or in the web UI.
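A minimal replay harness, added here as an illustration and not part of LimaCharlie or its Replay service: the rule grammar (op/path/value with and/or nesting) is a hypothetical subset modelled on D&R rule syntax, and the events are constructed sample telemetry. It shows the “how many times would this rule have fired” check being used to tighten a noisy first-draft rule into a precise one.

```python
import re

# Constructed sample telemetry standing in for stored sensor traffic
# (or "local events provided during the request"); not real sensor data.
SAMPLE_EVENTS = [
    {"routing": {"event_type": "NEW_PROCESS"}, "event": {"FILE_PATH": r"C:\Windows\System32\cmd.exe"}},
    {"routing": {"event_type": "NEW_PROCESS"}, "event": {"FILE_PATH": r"C:\ProgramData\TempMonitor\svc.exe"}},
    {"routing": {"event_type": "NEW_PROCESS"}, "event": {"FILE_PATH": r"C:\Users\bob\AppData\Local\Temp\update.exe"}},
    {"routing": {"event_type": "CODE_IDENTITY"}, "event": {"FILE_PATH": r"C:\Users\eve\AppData\Local\Temp\tool.exe"}},
]
# First draft of a rule: far too broad, as the replay count shows.
NOISY_RULE = {"op": "contains", "path": "event/FILE_PATH",
              "value": "temp", "case sensitive": False}
# Tightened rule: only new processes launched from a user's Temp folder.
PRECISE_RULE = {"op": "and", "rules": [
    {"op": "is", "path": "routing/event_type", "value": "NEW_PROCESS"},
    {"op": "matches", "path": "event/FILE_PATH", "case sensitive": False,
     "re": r"\\AppData\\Local\\Temp\\[^\\]+\.exe$"},
]}

def _lookup(event, path):
    """Resolve a slash-separated path such as 'event/FILE_PATH'; None if absent."""
    node = event
    for part in path.split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches(rule, event):
    """Evaluate one rule (or an and/or tree of rules) against one event."""
    op = rule["op"]
    if op in ("and", "or"):
        return (all if op == "and" else any)(matches(r, event) for r in rule["rules"])
    value = _lookup(event, rule["path"])
    if value is None:
        return False
    value, cs = str(value), rule.get("case sensitive", True)
    if op == "matches":
        return re.search(rule["re"], value, 0 if cs else re.IGNORECASE) is not None
    target = str(rule["value"])
    if not cs:
        value, target = value.lower(), target.lower()
    tests = {"is": value == target, "contains": target in value,
             "starts with": value.startswith(target), "ends with": value.endswith(target)}
    return tests[op]  # KeyError on an op this hypothetical subset does not model

def replay(rule, events):
    """Return how many historical events the rule would have fired on."""
    return sum(1 for e in events if matches(rule, e))
```

Running `replay` with both rules over the same history gives 3 hits for the noisy rule and 1 for the precise one, the kind of before/after comparison a change-control step can assert on.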
External Log Monitoring
AWS, Google Cloud, Office 365, 1Password, Slack, and thousands of other applications produce vast amounts of data.
LimaCharlie enables you to ingest real-time external logs and telemetry from any source which enables several powerful capabilities:
- All logs & telemetry are stored with 1 year of retention, at no extra cost.
- You can create detection & response (D&R) rules that apply to this new telemetry just as you do with the data from endpoints. This allows you to detect threats, respond to incidents in real-time, and automate processes at scale.
- You can send this new telemetry to Outputs (any external destination) as you would do with any other LimaCharlie data.
Today, you can quickly get started with the following platforms:
- Google Cloud Platform audit logs
- Carbon Black sensor data
- 1Password event logs
- Syslog
- Text-based logs
- Logs in the JSON format
- Microsoft Office 365
The list of available sources will be continuously expanding. That being said, you're not limited to the formats we put forward. This functionality is powered by the LimaCharlie Adapter which allows you to specify with great precision how you want to parse and map any logs you want to bring in, without any involvement on our side.
We've open-sourced the underlying protocol allowing you to make your own sensors if you'd like.
Atomic Red Team
Atomic Red Team is a library of automated tests mapped to the MITRE ATT&CK framework which allows security teams to quickly, portably, and reproducibly test their environments. It simulates 238 of the attack techniques defined in the MITRE framework and is run as an open-source project for the benefit of everybody.
LimaCharlie has integrated Atomic Red Team to reduce barriers to comprehensive, holistic protection, which can only be accomplished by actively testing the organization’s detection & response coverage. Users can run any subset of the MITRE ATT&CK framework on any number of their endpoints with a few clicks of a button, or in an automated, rule-driven way designed to support continuous integration/development. It is a powerful way for teams to shorten their change control process, save time, and defend better.
The easiest way to run Atomic Red Team with LimaCharlie is to perform the following steps:
- install the LimaCharlie sensor on the endpoints
- visit the sensor details in the web application and click the button labeled “Atomic Red Team”
- in the modal that opens, select the tests you are interested in
- once the tests have finished running, the test outcome will be available on the web application’s main dashboard
Windows Event Log Monitoring
Along with log & artifact ingestion, LimaCharlie can ingest Windows Event Logs (WEL). Windows event logs can be collected from real-time events (supported on Windows 2008 and up) or from files at rest.
Common use cases for Windows Event Log Monitoring with LimaCharlie are:
- replace any Windows Event Log forwarding solutions and infrastructure you’ve got in place
- store WEL alongside other telemetry data captured by the LimaCharlie agent for a full year at no extra cost
- kickstart the incident response by collecting WEL from disk and analyzing the historical data
Logs on Disk
Getting Windows Event Log (WEL) files from disk can be very helpful when first getting the LimaCharlie agent set up on an endpoint as it will bring in historical logs. These are brought in as a batch every few minutes.
Real-time Logs
You should also consider adding real-time WEL events to your artifact collection rules as these are considered to be first-class LimaCharlie telemetry and are ingested in real time. These real-time events are processed by the LimaCharlie D&R rules engine at wire speed so you can take action even faster.
One of the additional benefits of using real-time Windows Event Log collection is that these logs are stored alongside other telemetry data captured by the LimaCharlie agent for a full year.
You can collect both real-time Windows Event Logs as well as logs from disk on the same endpoint.