
Executing payloads via the LimaCharlie agent

Christopher Luft

The LimaCharlie agent can deploy and run any executable on the endpoint. This feature, the subject of this blog article, is useful in instances where you need to run your own tools or deploy an emergency patch script.

To demonstrate how this works, we will walk through running the Disk Usage tool from Sysinternals on one of your Windows boxes.

  • Download the Sysinternals Disk Usage executable.

  • In LimaCharlie go to the Payloads section and create a new payload. Give the payload a name such as sysinternals-du64.exe then click the Create Payload button.

Image of Add Payload functionality in LimaCharlie webapp

  • Click the copy icon next to the message that says “To complete Payload’s creation and upload the Payload content, use the following signed URL”.

  • From the command line, paste the command and replace its final part with the name of the Disk Usage executable (e.g. du.exe). Refresh the Payloads page to confirm the payload was uploaded successfully.

Image of Sensor list on LimaCharlie webapp

  • Go to the Sensors page and click Live next to the Windows box that you want to run the command on. Go to the Console tab and in the Command area type: run --payload-name sysinternals-du64.exe --arguments "-accepteula -l 1".

  • The output is shown either on screen, or if it’s a lot of content you’ll see an option to download the output.
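As an added example, not from the original post or from LimaCharlie's own tooling: a small POSIX shell helper for the upload step that pins the SHA-256 of the executable before pushing it through the signed URL, so the binary you will later `run` on endpoints is the one you intended. The `curl -T` upload form and the SIGNED_URL value are assumptions; use the exact command the Payloads page gives you.

```shell
#!/bin/sh
# Added example (not LimaCharlie's own tooling): verify a payload binary
# against a known SHA-256 before registering it via the signed upload URL.
set -eu

# Compute the SHA-256 of a file, portable across sha256sum/shasum hosts.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 if the file matches the expected hash, 1 otherwise.
verify_payload() {
  _file="$1"; _expected="$2"
  _actual=$(file_sha256 "$_file")
  if [ "$_actual" = "$_expected" ]; then
    echo "ok: $_file matches $_expected"
    return 0
  fi
  echo "MISMATCH: $_file has $_actual, expected $_expected" >&2
  return 1
}

# Upload only after verification passes. The third argument is the signed
# URL copied from the Payloads page (assumption: it accepts an HTTP PUT,
# which is what curl -T sends).
upload_payload() {
  _file="$1"; _expected="$2"; _url="$3"
  verify_payload "$_file" "$_expected" || return 1
  curl -fsS -T "$_file" "$_url"
}

# Usage (not run automatically):
#   upload_payload du.exe <sha256 from your own record> "$SIGNED_URL"
```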

Beyond executing payloads, the LimaCharlie agent acts as the foundation for a whole suite of functionality. The primary function of the agent is to serve as a sensor on an endpoint. This sensor monitors events and sends telemetry back to the LimaCharlie Cloud where it is run through the Detection & Response (DR) engine. If during this monitoring process a detection is triggered then a response action is employed.

The agent mitigates using response actions that are sent from the DR engine and can do things like:

  • Isolate the host from the network

  • Send an alert to the incident response team

  • Start capturing PCAPs from the network

  • Pretty much anything you can think to do with a computer.

The agent also serves as a live portal into the endpoint. Analysts can easily query the endpoint in real-time through the web application or API. The agent can be tasked with a wide array of sensor commands. Analysts can examine network connections, processes, navigate the file system, check file hashes, examine memory maps, view modules and much more.

Hopefully this example has given you an idea of how powerful the LimaCharlie agent is as a platform for multiple applications in the practice of information security.

If you have any questions, comments or suggestions please do not hesitate to reach out. We love talking with customers about their pain points and figuring out ways to make the product better. Happy hunting!