Asset Management in LimaCharlie


Although LimaCharlie was not meant specifically for Asset Management it is a great platform for acquiring ground truth information about assets. This information can be extremely valuable when evaluating whether a new vulnerability in a piece of software affects you, or knowing which assets a specific user accessed.

Available information includes:

Host name
Ex: database-server-1
From: contained in all events

OS Version
Ex: Windows 7 64bit
From: os_version command

Patch Level
Ex: Update for Microsoft Office 2010 (KB2597087) 64-Bit Edition)
From: os_packages command

Installed Packages
Ex: Microsoft SQL Server 2008 R2 Management Objects (x64) @ 10.50.1750.9
From: os_packages command

Ex: stevejobs @ database-server-1
From: USER_OBSERVED events


LimaCharlie can be thought of as the "primary colors" of security which can be combined and utilized in a limitless number of ways to solve specific organizational challenges. Here are some possible scenarios:

Weekly Software Inventory
A weekly cron job can be run that uses the LimaCharlie Python API to gather a list of the installed packages and versions using the os_packages command (this script as a starting point). The results get stored in a small database. Using this approach anyone in the organization can query the database for vulnerable versions of software, event licensing auditing or any other of a number of scenarios.

Incident Response with Compromised User
At some point during an Incident Response, responders can become aware that the credentials of a specific user are compromised. the likely approach is to reset the credentials of the user, but using LimaCharlie we can also:

  • know if the user logs into any other assets in case the credentials are still valid somewhere, and

  • isolate any asset the user credentials were used to log into. This is easy and can be done in about 30 seconds and is effective immediately across your organization using D&R rules:

    • Detection (if user is observed and the agent is not tagged):

op: and
- op: is
path: event/USER_NAME
value: company\alice
- op: is tagged
tag: compromised-isolated
not: true

Response (isolate the computer on the network, tag the agent and alert):
- action: task
command: segregate_network
- action: add tag
tag: compromised-isolated
- action: report
name: compromised-credentials-observed

All of this is just scratching the surface of what you can do with LimaCharlie using Asset Management information. Have an idea? Want help to figure out the best way to get going? Drop us a line, we'll be happy to help.

Happy hunting!