Eric Capuano
Incident response is a discipline defined by what you do not have. You arrive after the explosion, not before it. Eric Capuano, who runs DFIR work on the LimaCharlie team and teaches the subject, opened this session by naming the constraint plainly: a firm parachutes into a breached environment with almost nothing to go on. Maybe some log aggregation, usually not even that. No SIEM to query, little tooling in place, no preserved record of what came before. The clock is already running and the adversary may still be inside. Everything that follows is best read as an answer to a single question: if time and cold-start blindness are the enemy, how do you buy back both at once?
The first thing Capuano showed was not a detection. It was a sensor and a price model, and the choice was deliberate. LimaCharlie ships its own cross-platform EDR covering Windows, macOS, Linux, and Chrome and Chromium-based browsers, with no third-party agent to license and no multi-year contract. Consumption is billed the way a cloud provider such as AWS or GCP bills it. You can spin up 5,000 agents for a single day and scale them back down, paying only for that day. For an IR firm whose engagements are exactly that shape, a burst of dozens or hundreds of sensors for a few days, the billing finally follows the work instead of fighting it.
The sharper version of the same idea is the sleeper agent, and it targets the most expensive interval in the entire engagement: the gap between the phone call and the first byte of telemetry. Capuano was blunt that this stretch routinely costs hours, often days, while a firm hands its agent to a customer's IT team and waits on a mass deployment the customer may not know how to do quickly. The fix is to pre-deploy on retainer clients and put the sensors to sleep with a tag. They stay connected to the platform but ship nothing and burn no resources, sitting dormant inside the network in peacetime. When the call comes, you wake them, and telemetry flows immediately. The deployment problem has already been solved before the incident exists.
Once a sensor checks in, the platform gives an investigator the fast triage moves they already know to make: Autoruns for persistence, a built-in lookup of known-vulnerable drivers to catch bring-your-own-vulnerable-driver activity at the kernel, network connections, and running processes with a green check mark that marks digitally signed binaries at a glance. The check mark is a triage cue, not a verdict; signed malware exists, but a core Windows binary without a Microsoft signature is never right. In the live environment, that cue did real work. A scan of the process list surfaced an unsigned svchost.exe running out of a Windows temp directory with command-line arguments that did not match the predictable shape of a legitimate svchost, which lives in System32, is signed by Microsoft, and is launched by services.exe with a -k <service group> argument. The timeline then fused EDR events with native Windows Event Log collection, and a run of Event ID 4625 (failed logon) events exposed brute-force attempts against an internet-facing RDP service.
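The two triage moves above, the svchost sanity check and the 4625 brute-force pattern, fused into one timeline, as an added example that is not code from the session or from LimaCharlie. The telemetry is constructed, the field names (image, cmdline, signed, event_id, src_ip) are assumptions, and the TEST-NET addresses stand in for real ones:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not data from the session. The field names
# (image, cmdline, signed, event_id, src_ip) are assumptions for this example.
PROCESS_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-01", "signed": True,
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"},
    {"ts": "2024-05-01T09:02:13", "host": "ws-01", "signed": False,
     "image": "C:\\Windows\\Temp\\svchost.exe",
     "cmdline": "C:\\Windows\\Temp\\svchost.exe 203.0.113.25 443"},
    {"ts": "2024-05-01T09:03:00", "host": "ws-02", "signed": True,
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p"},
]

# Six failed logons (4625) from one source against the RDP gateway inside a
# minute, one stray failure from elsewhere, then a success (4624) from the
# brute-forcing source.
WINDOWS_EVENTS = [
    {"ts": f"2024-05-01T08:58:{s:02d}", "host": "rdp-gw", "event_id": 4625,
     "src_ip": "198.51.100.7", "user": "administrator"}
    for s in (0, 15, 30, 45, 50, 55)
] + [
    {"ts": "2024-05-01T08:59:10", "host": "rdp-gw", "event_id": 4625,
     "src_ip": "192.0.2.44", "user": "jsmith"},
    {"ts": "2024-05-01T08:59:40", "host": "rdp-gw", "event_id": 4624,
     "src_ip": "198.51.100.7", "user": "administrator"},
]

# The genuine svchost.exe lives in System32 (or SysWOW64 for 32-bit), is
# signed by Microsoft, and is started by services.exe with "-k <group>".
SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SVCHOST_CMDLINE = re.compile(r'^"?[^"\s]*svchost\.exe"?\s+-k\s+\S+', re.IGNORECASE)


def svchost_findings(ev):
    """Reasons an svchost.exe process looks wrong; empty list when it looks normal."""
    image = ev["image"].lower()
    if not image.endswith("\\svchost.exe"):
        return []
    reasons = []
    if not ev["signed"]:
        reasons.append("unsigned")
    if not image.startswith(SVCHOST_DIRS):
        reasons.append("unexpected path")
    if not SVCHOST_CMDLINE.match(ev["cmdline"]):
        reasons.append("command line lacks -k <group>")
    return reasons


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IP -> most 4625 failures seen inside any sliding `window`, if >= threshold."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            failures[ev["src_ip"]].append(datetime.fromisoformat(ev["ts"]))
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def build_timeline(proc_events, win_events):
    """Fuse EDR process events and Windows Security events into one time-ordered list."""
    rows = []
    for ev in proc_events:
        reasons = svchost_findings(ev)
        tag = "SUSPECT" if reasons else "ok"
        rows.append((ev["ts"], ev["host"], "edr",
                     f"{tag} {ev['cmdline']} {'; '.join(reasons)}".rstrip()))
    for ev in win_events:
        rows.append((ev["ts"], ev["host"], "winlog",
                     f"{ev['event_id']} {ev['user']} from {ev['src_ip']}"))
    return sorted(rows)   # ISO-8601 timestamps sort correctly as strings


if __name__ == "__main__":
    for row in build_timeline(PROCESS_EVENTS, WINDOWS_EVENTS):
        print(*row)
    print("brute force:", brute_force_sources(WINDOWS_EVENTS))
```

The sliding window matters more than the threshold: a burst of failures in a minute is a different signal from the same count spread over a week, and the 4624 success that follows the burst from the same source is the row an analyst reads next.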
The deeper point Capuano kept pressing is that in a time-boxed engagement you should not be writing detections at all. He deployed the organization with a blank rule set on purpose, then turned on the Soteria premium rule set from the add-ons marketplace. His reasoning was about signal, not features. Sigma is comprehensive but false-positive heavy. Soteria, maintained by an east coast MDR provider, is tuned tightly enough that an alert from it is almost always worth chasing. At roughly fifty cents per sensor for a few days, the cost of instant production-grade coverage is trivial against what it buys. Minutes after enabling it, the rules flagged rundll32 reaching out to a public IP with no DLL path in its arguments (a shape that matches Cobalt Strike's default sacrificial process), privileged discovery commands, and shell execution, all consistent with one active intrusion. A background YARA scanner running at minimal CPU, entirely in memory and dropping nothing to disk, then returned a Cobalt Strike hit on the same host. Borrowed detection did the finding. The analyst's scarce time went to the investigation.
The Soteria rules found adversaries, but as Capuano noted, none of them take action. In a production environment that restraint is correct. In an active incident, where a threat actor may be one host away from detonating ransomware, it is a liability. So he showed detection and response rules that intervene. A rule watching for vssadmin deleting volume shadow copies, the near-universal precursor to ransomware, terminates the entire offending process tree, parent and descendants, then isolates the host so that it keeps only its channel to LimaCharlie and can no longer reach anything else. It also pulls a two-hour history dump from the sensor so the look-back context survives containment. He was careful to frame these as emergency-grade rules, too aggressive for everyday production, exactly right for the few days you own an incident.
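The contrast in the two paragraphs above, a detect-only rule (the rundll32 alert) beside a detect-and-respond rule (vssadmin shadow deletion that kills the tree, isolates, and dumps history), as an added example that is not LimaCharlie's D&R rule syntax or the session's rules. It is a small rule engine in Python with constructed events and a constructed process table; the action names, the `emergency` switch that gates responses, and the use of TEST-NET addresses as stand-ins for public IPs are all assumptions of this example:

```python
import ipaddress
from collections import defaultdict

# RFC 1918, loopback and link-local ranges; anything else is treated as "public".
# The constructed events use TEST-NET addresses (RFC 5737) as stand-ins for
# public IPs, so this is a deliberately simple notion of "public".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# Detect-only rule: rundll32 talking to a public IP with no DLL on its command line.
def rundll32_no_dll_to_public_ip(ev):
    return (ev["type"] == "NETWORK_CONNECTION"
            and basename(ev["image"]) == "rundll32.exe"
            and ".dll" not in ev["cmdline"].lower()
            and is_public(ev["dst_ip"]))


# Detect-and-respond rule: vssadmin deleting volume shadow copies.
def vssadmin_delete_shadows(ev):
    cmd = " ".join(ev["cmdline"].lower().split())
    return (ev["type"] == "NEW_PROCESS"
            and basename(ev["image"]) == "vssadmin.exe"
            and "delete shadows" in cmd)


RULES = [
    {"name": "rundll32-no-dll-public-ip", "match": rundll32_no_dll_to_public_ip, "respond": False},
    {"name": "vssadmin-delete-shadows", "match": vssadmin_delete_shadows, "respond": True},
]

# Constructed process table for host ws-01 (pid, ppid): System -> services.exe
# -> a service host -> the beacon (rundll32) -> cmd.exe -> vssadmin -> conhost.
PROCS = [
    {"pid": 4, "ppid": 0}, {"pid": 700, "ppid": 4}, {"pid": 1200, "ppid": 700},
    {"pid": 3100, "ppid": 1200}, {"pid": 3150, "ppid": 3100},
    {"pid": 3160, "ppid": 3150}, {"pid": 3161, "ppid": 3160},
]

# Constructed events: one beacon-shaped rundll32, one benign rundll32, one shadow deletion.
EVENTS = [
    {"type": "NETWORK_CONNECTION", "host": "ws-01", "pid": 3100,
     "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe",
     "dst_ip": "203.0.113.25"},
    {"type": "NETWORK_CONNECTION", "host": "ws-02", "pid": 2200,
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
     "dst_ip": "10.0.0.5"},
    {"type": "NEW_PROCESS", "host": "ws-01", "pid": 3160,
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
]


def process_tree(pid, procs):
    """The offending process, its parent, and every descendant: what a tree kill removes."""
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p["pid"])
    tree, stack = set(), [pid]
    while stack:
        cur = stack.pop()
        if cur in tree:
            continue
        tree.add(cur)
        stack.extend(children[cur])
    parent = next((p["ppid"] for p in procs if p["pid"] == pid), None)
    if parent is not None:
        tree.add(parent)
    return sorted(tree)


def run_rules(events, procs, emergency):
    """Return (alerts, actions). Response actions fire only when `emergency` is set."""
    alerts, actions = [], []
    for ev in events:
        for rule in RULES:
            if not rule["match"](ev):
                continue
            alerts.append((rule["name"], ev["host"], ev["pid"]))
            if rule["respond"] and emergency:
                actions.append(("deny_tree", ev["host"], process_tree(ev["pid"], procs)))
                actions.append(("isolate_network", ev["host"]))  # sensor channel only
                actions.append(("history_dump", ev["host"], "2h"))
    return alerts, actions


if __name__ == "__main__":
    for mode in (False, True):
        alerts, actions = run_rules(EVENTS, PROCS, emergency=mode)
        print("emergency" if mode else "production", alerts, actions)
```

Run the same events through both modes and the difference is exactly the session's point: in production mode the vssadmin rule only reports, while in emergency mode it removes the whole lineage from the shell down to conhost, cuts the host off, and requests the look-back before the containment destroys it.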
That same scoping discipline ran through the rest of the investigation, and it produced the session's most instructive moment. An IOC search on the suspected C2 IP showed it had appeared only in the past day, marking it as fresh, and pinned patient zero by timestamp, which led to a DNS request and a memorable C2 domain, pork chop sandwich dot net. But a query console aggregation, grouping and counting the adversary's defender-enumeration command across the fleet, found it on four systems when direct C2 had touched only two. The lesson Capuano drew is that a foothold does not require its own C2 channel, since an actor can pivot host to host through the network rather than beaconing from every system it owns, so you keep scoping until the data stops surprising you.
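The scoping pivot described above, first-seen of the IOC for patient zero and then a fleet-wide group-and-count of a TTP compared against the hosts that actually talked to the C2, as an added example that is not the session's queries or LimaCharlie's query console. The events are constructed; the C2 address and the enumeration command are stand-ins, not the real ones from the engagement:

```python
from collections import Counter

C2_IP = "203.0.113.25"             # constructed stand-in for the suspected C2 address
ENUM_CMD = "get-mpcomputerstatus"  # constructed stand-in for the defender-enumeration command

# Constructed network events: (timestamp, host, destination IP).
NETWORK_EVENTS = [
    ("2024-05-01T09:02:20", "ws-01", C2_IP),
    ("2024-05-01T09:41:05", "ws-02", C2_IP),
    ("2024-05-01T09:50:00", "ws-02", "10.0.0.9"),
]

# Constructed process events: (timestamp, host, command line). Four hosts run
# the enumeration command; only two of them ever reached the C2 directly.
PROCESS_EVENTS = [
    ("2024-05-01T09:05:00", "ws-01", "powershell.exe -nop -c Get-MpComputerStatus"),
    ("2024-05-01T09:43:00", "ws-02", "powershell.exe -nop -c Get-MpComputerStatus"),
    ("2024-05-01T10:12:00", "srv-fs1", "powershell.exe -nop -c Get-MpComputerStatus"),
    ("2024-05-01T10:30:00", "srv-db2", "powershell.exe -nop -c Get-MpComputerStatus"),
    ("2024-05-01T10:31:00", "srv-db2", "powershell.exe -nop -c Get-MpComputerStatus"),
    ("2024-05-01T08:00:00", "ws-07", "powershell.exe -c Get-Date"),
]


def first_seen(network_events, ioc):
    """Earliest (timestamp, host) that touched the IOC: the patient-zero candidate."""
    hits = sorted((ts, host) for ts, host, dst in network_events if dst == ioc)
    return hits[0] if hits else None


def hosts_by_command(process_events, needle):
    """Group-and-count of a command-line fragment across the fleet."""
    return Counter(host for _, host, cmd in process_events if needle in cmd.lower())


def scope(network_events, process_events, ioc, needle):
    """Hosts with direct C2, hosts showing the TTP, and the gap between them."""
    c2_hosts = {host for _, host, dst in network_events if dst == ioc}
    activity = hosts_by_command(process_events, needle)
    return {
        "patient_zero": first_seen(network_events, ioc),
        "c2_hosts": sorted(c2_hosts),
        "activity_hosts": sorted(activity),
        "no_direct_c2": sorted(set(activity) - c2_hosts),
    }


if __name__ == "__main__":
    for k, v in scope(NETWORK_EVENTS, PROCESS_EVENTS, C2_IP, ENUM_CMD).items():
        print(f"{k}: {v}")
```

The `no_direct_c2` set is the list of hosts to scope next: they show the adversary's hands-on-keyboard behaviour without a beacon of their own, which is exactly what lateral movement through an already-compromised neighbour looks like in the data.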
The final move closes the gap that started the session, the part of the breach that happened before anyone arrived. Through the native Velociraptor integration, he ran artifacts fleet-wide, sent hunt output to Google BigQuery for rare-process stacking, and pulled targeted triage acquisitions of high-value forensic artifacts rather than wasteful full disk images. A proof of concept from Whitney Champion on the team routes those acquisitions into Plaso and Timesketch for automated timeline generation. Read against the opening constraint, the whole arc is one argument. The firm that owns deployment, borrows tuned detection, automates containment, and pipes historical evidence into automated timelining has converted the two things IR never has, time and prior visibility, into things it can manufacture on demand. For an MSSP or MDR running this across many clients, that is what makes the work repeatable instead of heroic.
LimaCharlie gives MSSPs and MDRs a fully programmable SecOps Cloud Platform, with transparent usage-based pricing, API-first integration across every telemetry source, and the infrastructure to run multi-tenant operations at scale.