The Live View in LimaCharlie provides a great interface for performing incident response by enabling the execution of real-time investigation and mitigation commands on hosts. As the product has developed, we have built out a user-friendly interface to the Live View that gives you better context on the host's current activity. For example, by overlaying file signing status and network activity on the process list, you can see at a glance which processes are of higher interest.
Today we are taking another step in the direction of active investigation and introducing a new Sweep feature. We wanted to go beyond the static display of context and move into active investigation of anomalies. This new feature is designed to streamline investigation of a host that is suspected of being compromised.
Most security responders have a list of things they look for when investigating a host. It is often a manual process that relies on expert knowledge. The Sweep allows you to automate and standardize this process. The exact behaviour of the Sweep will continue to evolve over time but its mission is to highlight to an analyst the various bits of activity on the host that are suspicious.
At the time of writing this blog post, clicking the Sweep button performs the following logic:
Highlight all unsigned binaries running (processes, services, drivers, autoruns).
Highlight all the processes listening on the network or with active network connections.
Scan the memory of processes looking for hidden code modules and highlight them.
Highlight all code modules and autoruns that have been modified in the last week.
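As an added example that is not LimaCharlie's own code, here is a small triage function that applies the four checks above to a constructed host snapshot; the record fields, the "hidden module" notion (an in-memory module with no on-disk image), and the seven-day window are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

@dataclass
class Item:
    """One constructed inventory record (not LimaCharlie's data format)."""
    name: str
    kind: str                       # "process", "service", "driver", "autorun", "module"
    signed: bool = True
    listening: bool = False         # process has a listening socket
    connections: int = 0            # active network connections
    backed_by_file: bool = True     # False: module found in memory with no on-disk image
    modified: Optional[datetime] = None

EXECUTABLE_KINDS = ("process", "service", "driver", "autorun")

def sweep(items: List[Item], now: datetime, window=timedelta(days=7)) -> Dict[str, List[str]]:
    """Apply the four Sweep heuristics; return {name: [reasons]} for flagged items only."""
    findings: Dict[str, List[str]] = {}
    for it in items:
        reasons = []
        if it.kind in EXECUTABLE_KINDS and not it.signed:
            reasons.append("unsigned")
        if it.kind == "process" and (it.listening or it.connections > 0):
            reasons.append("network")
        if it.kind == "module" and not it.backed_by_file:
            reasons.append("hidden-module")
        if it.kind in ("module", "autorun") and it.modified and now - it.modified < window:
            reasons.append("recently-modified")
        if reasons:
            findings[it.name] = reasons
    return findings

# Constructed snapshot: a mix of benign and suspicious records.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    Item("svchost.exe", "process", listening=True),
    Item("updater.exe", "process", signed=False, connections=3),
    Item("notepad.exe", "process"),
    Item("injected.dll", "module", backed_by_file=False, modified=NOW - timedelta(days=1)),
    Item("kernel32.dll", "module", modified=NOW - timedelta(days=400)),
    Item("runme", "autorun", signed=False, modified=NOW - timedelta(days=2)),
    Item("olddrv.sys", "driver"),
]

def run_sample() -> Dict[str, List[str]]:
    return sweep(SAMPLE, NOW)

if __name__ == "__main__":
    for name, reasons in run_sample().items():
        print(f"{name}: {', '.join(reasons)}")
```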
Combined with LimaCharlie's ability to perform advanced operations in real time, such as YARA signature scanning and memory operations, the Sweep functionality will continue to evolve, providing responders with a faster, repeatable process that junior analysts can also leverage.
Is there specific logic you would like included in a Sweep? Get in touch with us via our Slack community or say hello on Twitter @limacharlieio.