The best defence that information security professionals have against bad actors is collaboration. The sharing of information around new threats and implementing best practices is the preeminent way to ensure a strong security fabric across cyber space.
LimaCharlie encourages the spirit of information sharing through our User Add-on capability. Any user of LimaCharlie can create their own private Add-ons or choose to make them public and share them with the wider community.
An Add-on can be a detection, a threat feed, DNS lookup, white list, black list, Levenshtein String Distance, check for a known APT or anything in between. It is a powerful entry point into the LimaCharlie endpoint detection and response platform.
This feed scrapes the @ScumBots Twitter feed provided by @pmelson and collects the SHA256 hashes it posts. It is common for threat actors to host their malicious code on paste sites so that it can then be pulled down and executed with CLI tools such as PowerShell. Should this lookup trigger an alert, you can reference either @ScumBots or https://github.com/david-burkett/ScumBots-DataFeed to get more context around the alert itself, such as the C2 channels used and a link to the pastebin with the exact code executed on your organization's system.
Content of the add-on: C&C IPs, domains, hashes. Description: ‘TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and even its own file indexer for the victim’s machine.
LimaCharlie currently offers a multitude of detections and lookups for free, along with providing our users the ability to make as many more as they like. To learn how to create your own User Add-ons you can visit the documentation here.
LimaCharlie also has a vibrant Slack community that you can join. The Slack channel is a great place to ask questions, collaborate with other community members and provide feedback to the team behind the product. There is almost always somebody from the LimaCharlie team online, and we love to talk endpoint detection and response.