Replicants can be thought of as digital automatons: expert driven algorithms which utilize some basic artificial intelligence to perform tasks that would normally be completed by humans.
Each replicant has a particular specialization and can be enabled at the click of a button in the Add-ons section. Once enabled any given replicant can be configured by interacting with it in the War Room section of the web application.
The YARA Replicant is designed to help you with all aspects of YARA scanning. It takes what is normally a piecewise process, provides a framework and automates scanning.
YARA signatures can be run by the Replicant on demand for a particular endpoint or run continuously in the background across the entire fleet.
There are three main sections to the YARA Replicant, as follows.
This is where the source for the YARA signatures to be used by the Replicant is defined. Source URLs can be a direct link to a single YARA rule (.yar file) or a link to a folder containing a collection of signatures in multiple files.
In order to use the signatures for Email and General Phishing Exploits that exist in this Github repo we would link the following URL, which is basically just a folder full of .yar files.
Another example would be to link the very popular YARA signatures provided by Florian Roth.
Rules define YARA Replicant actions that run in the background across your entire fleet. The following information defines which subset of sensors should be scanned with which YARA signatures on an ongoing basis.
To create a rule you give it a name, choose which platforms you want to investigate and then select the combination of tags that need to be present for a given endpoint to be scanned. To complete the process you select the source of the YARA signatures (as given in the previous section) and click save.
The scan section allows you to select an endpoint and which YARA signatures that you want to run against it. Starting immediately after you click the scan button the YARA Replicant will start generating a report.
The Responder Replicant performs an in-depth sweep through the state of a given host. The sweep will highlight parts of the activity that are suspicious. This provides you with a good starting position when beginning an investigation and allows you to focus on the important things right away.
The information that is returned by the sweep is continually evolving but you can expect it to return the following:
A full list of processes and modules
A list of unsigned binary code running in processes
Network connections with a list of processes listening and active on the network
A list of recently modified files
Unique or rare indicators of compromise
The Integrity Replicant helps manage all aspects of File and Registry integrity monitoring.
Rules define which file path patterns and registry patterns should be monitored for changes on specific sets of hosts. To create a rule you give it a name, select which platforms you want to investigate and then select the combination of tags that needs to be present for a given endpoint to be scanned.
Patterns are file or registry patterns, supporting wildcards (*, ?, +). Windows directory separators (backslash, "\") must be escaped like "\\".
The team at LimaCharlie is going to continue adding more capability through this Replicant model. If you have any questions - or suggestions for upcoming Replicants - we would love to hear from you.