Whether you call it a Spot Check, or a Fleet Check, or any other name, we all have this time where something comes along and we need to check across our organization to determine if an IOC is present.
This sometimes comes in as a tip from a law enforcement agency, sometimes it's a report from a vendor selling threat intelligence and sometimes it's just IOCs extracted from a piece of malware during an incident.
Regardless of how it comes in, we all want a good solution for this. That's how we got to the new SpotCheck feature present in the LimaCharlie Python CLI/API.
We've spent a lot of time trying to boil down this feature to its core. It needed to be simple to use, to the point and easy to automate. This is what it looks like:
python -m limacharlie.SpotCheck --tags finance_dept --file c:\\evil.exe --file c:\\windows\\system32\\payload.dat --registry-key hklm\\software\\secret_storage --yara ./apt_43.yara
This is an example command line: you specify which hosts to check (by platform or by tag), then you specify a list of IOCs (as many as you want) to check. Press enter, the tool starts running and outputs line-based records of which agents have been checked, which have had errors and more importantly which IOCs were found.
Of course this is just the beginning, but this is the list of current IOC checks you can do:
- File/directory recursively using name patterns.
- File hashes recursively using name patterns.
- Registry keys/value (Windows).
- Yara system-wide scans (memory and files).
- Yara files scan recursively using name patterns.
- Yara process memory and files by process name pattern.
All of these are done via the public LimaCharlie API, so if you want to customize it for your purposes by having a look at the code for the Python API.
Over time this list will grow and we may use this as a basis for similar functionality through the web interface.