Today we are happy to announce support for one of our most requested features, that has been made possible by our implementation of advanced role-based access control (RBAC), Payloads.
Payloads are executables that can be delivered and executed through LimaCharlie's sensor (or agent). Payloads can be any executable. The main use case is to run something with specific functionality not available in the LimaCharlie offering. This feature can be used to run custom executables provided by another vendor to cleanup a machine, forensic utilities or firmware-related utilities, etc. The usefulness of this feature in a time-critical incident response cannot be understated. We encourage our users to use native functionality first as it comes with all the benefits of being tightly integrated into the platform, but if you need this powerful capability it is there.
In order to place tight controls over who can deploy and run payloads we have added specific permissions.
Payloads are managed with two permissions:
payload.ctrl: allows you to create and delete payloads.
payload.use: allows you to run a given payload.
Payloads are uploaded to the LimaCharlie platform and given a name. The task can then be used to run the payload with optional arguments.
The STDOUT and STDERR data will be returned in a related RECEIPT event, up to ~10 MB. If your payload generates more data, we recommend to pipe the data to a file on disk and use the log_get command to retrieve it.
A detailed explanation of how this new capability works can be found in the documentation here.
If you have any questions or want to request a new feature please do not hesitate to contact us.
And please remember, with great power comes great responsibility.