
Developer Roll Up: December 2023

Christopher Luft

Time keeps on ticking into the future. Here we are at the beginning of 2024 with a quick look back on what our team accomplished in the last month of 2023.

Upcoming Webinars

Detecting Malicious Activity in AWS
When: January 17 @ 10:00am PT

AWS is a prime target for adversaries, with objectives ranging from credential harvesting to ransomware. However, managing detection rules can be a cumbersome task, especially as security analysts try to keep up with the ever-changing landscape of telemetry options from AWS.

On January 17 we introduce a curated, managed set of detection rules from Soteria: expert-written detections tuned for AWS environments. These pre-configured rules are enabled directly from LimaCharlie's SecOps Cloud Platform, giving you immediate threat visibility and improving your cloud security operations.

Join Matt Bromiley from LimaCharlie and Paul Ihme from Soteria as they review the new AWS detection rules and how they can help you secure your AWS environment.

https://limacharlie.wistia.com/live/events/100i8l5a52

Defender Fridays
When: Every Friday @ 10:30am PT

Join us every Friday as we delve into the dynamic world of information security, exploring its defensive side with seasoned professionals from across the industry. Our aim is simple yet ambitious: to foster a collaborative space where ideas flow freely, experiences are shared, and knowledge expands. In January, we’ll be joined by Paul Ihme, Olaf Hartong, and Jeff McJunkin as special guests.

Register now


Announcing New YARA Extension

The LimaCharlie team has released a new YARA extension.

The new YARA extension offers a better user experience and capabilities that were not available with the legacy YARA service. One of these is the ext-yara sensor, which lets you closely monitor what the YARA extension is doing.

To migrate an existing tenant to the new YARA extension, navigate to the YARA service page in the add-on marketplace, select an organization, and follow the steps on screen. You can also do this from the YARA Service page within your tenant. If you are creating a new organization, you can subscribe to the new extension right away without first enabling the legacy service.

When the new YARA extension is enabled in your tenant, you will see the YARA Scanners tab under Automation. YARA Scanners rely on YARA Rules, which are records stored in the config Hive; other extensions can also use these records to automate YARA scanning.

New "Detections" tab under Sensors

LimaCharlie users can now quickly see the detections generated by an individual sensor from the sensor view. To do so, navigate to the new "Detections" tab under sensor details.

Similar to how it currently works in the Timeline View, users can pick a single date to center the search around or select a date range.

EDR Sensor v4.28.5

The new version of the EDR sensor fixes a possible race condition with the execution of Payloads that could result in an error 259 (payload still executing) even when the Payload executed and terminated successfully. We observed this in some cases of Velociraptor execution.
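The pattern behind that fix, as an added Python example (not LimaCharlie sensor code): on Windows, GetExitCodeProcess returns STILL_ACTIVE (259) while a process has not yet exited, so reading the exit code before the process has been waited on looks like an error even when the payload went on to terminate cleanly. Python's Popen reports the same state as a None exit code; the example maps that onto 259 for illustration, which is an assumption about how the sensor's error code corresponds to the Windows sentinel. The child process is a constructed stand-in for a Payload.

```python
"""
Added example: why reading a payload's exit status too early reports
"still executing", and the wait-then-read fix. Not LimaCharlie code.
"""
import subprocess
import sys

# Windows' GetExitCodeProcess returns STILL_ACTIVE (259) for a running
# process. Popen.poll() returns None for the same state; we map it onto 259
# so the buggy path reports the number quoted in the post (assumption).
STILL_ACTIVE = 259


def start_payload(exit_code=7, runtime_s=0.5):
    """Constructed stand-in for a Payload: a child that sleeps, then exits."""
    return subprocess.Popen(
        [sys.executable, "-c",
         f"import time, sys; time.sleep({runtime_s}); sys.exit({exit_code})"]
    )


def exit_status_racy(proc):
    """The buggy pattern: poll once, immediately, and treat 'no exit code
    yet' as a final result. For a child that is still running this yields
    259 even though the child will exit successfully a moment later."""
    rc = proc.poll()
    return STILL_ACTIVE if rc is None else rc


def exit_status_waited(proc, timeout_s=10):
    """The fix: wait for the process to terminate, then read its exit code.
    Only a child that outlives the timeout is reported as still active."""
    try:
        return proc.wait(timeout=timeout_s)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.wait()
        return STILL_ACTIVE


def demo():
    """Run both patterns against the same child; returns (racy, waited)."""
    proc = start_payload()
    racy = exit_status_racy(proc)      # 259: the child is still sleeping
    waited = exit_status_waited(proc)  # 7: the real exit code after waiting
    return racy, waited


if __name__ == "__main__":
    print(demo())
```

The take-away for anyone writing their own payload runners: "still active" is a transient state to wait through, not a terminal error, and the exit code is only meaningful after the wait returns.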

The "stable" version of the sensor was also bumped up to 4.28.3.

Exposing more LC Sensor capabilities in the web app

In this release, we are adding the following new tabs to the LimaCharlie sensor view:

  • Event Collection tab provides a list of events collected from a sensor, along with the exfil (event collection) rules that apply to the sensor. Works on: Windows, Linux, and macOS sensors

  • Integrity Monitoring tab provides a list of the file & integrity monitoring rules that apply to the sensor. Works on: Windows, Linux, and macOS sensors

  • Services tab lists all services (Windows services, launchctl on macOS, and initd on Linux). Command: os_services. Works on: Windows, Linux, and macOS sensors

  • Drivers tab lists all drivers on Windows. Command: os_drivers. Works on: Windows sensors

  • Packages tab provides a list of installed software packages. Command: os_packages. Works on: Windows and macOS sensors

  • Users tab provides a list of system users. Command: os_users. Works on: Windows sensors

  • Autoruns tab lists code configured to run at startup, similar to Sysinternals Autoruns. Command: os_autoruns. Works on: Windows and macOS sensors

Sensor pages on the sidebar are now listed in alphabetical order.

Announcing OTX Extension

This release also adds the new OTX (AlienVault Open Threat Exchange) extension. It lets users continuously import all of their OTX pulses, along with D&R rules for most indicator types.

To get started, subscribe your tenant to the OTX extension, or follow the steps shown on the OTX Service page to migrate the configuration from the legacy OTX Service.
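To make the pulse-to-rule idea concrete, here is an added Python example that is not the OTX extension's own code: it turns a constructed OTX pulse into LimaCharlie-style D&R rules and checks them against constructed sensor events. The rule shape (op, event, path, value, "case sensitive", and a report response) follows LimaCharlie's documented D&R format, and the event names and paths used (DNS_REQUEST/event/DOMAIN_NAME, NEW_TCP4_CONNECTION/event/DESTINATION/IP_ADDRESS, CODE_IDENTITY/event/HASH) are real sensor events; the mapping from OTX indicator type to those paths, the pulse content, and the tiny evaluator are this example's own assumptions, not what the extension emits or how the LimaCharlie engine evaluates rules.

```python
"""
Added example: OTX pulse indicators -> LimaCharlie-style D&R rules, plus a
minimal evaluator to show the rules firing on sample events. Not LimaCharlie
or OTX extension code; the pulse and events below are constructed.
"""
import json

# Assumed mapping: OTX indicator type -> (sensor event type, path in event).
INDICATOR_MAP = {
    "domain":          ("DNS_REQUEST",         "event/DOMAIN_NAME"),
    "hostname":        ("DNS_REQUEST",         "event/DOMAIN_NAME"),
    "IPv4":            ("NEW_TCP4_CONNECTION", "event/DESTINATION/IP_ADDRESS"),
    "FileHash-SHA256": ("CODE_IDENTITY",       "event/HASH"),
}


def pulse_to_rules(pulse):
    """Return {rule_name: dr_rule}, one 'or' rule per supported indicator type."""
    per_type = {}
    for ind in pulse["indicators"]:
        if ind["type"] not in INDICATOR_MAP:
            continue  # "most indicator types": unsupported ones are skipped
        per_type.setdefault(ind["type"], []).append(ind["indicator"])
    rules = {}
    for ind_type, values in per_type.items():
        event, path = INDICATOR_MAP[ind_type]
        rules[f"otx-{pulse['id']}-{ind_type.lower()}"] = {
            "detect": {"op": "or", "rules": [
                {"op": "is", "event": event, "path": path,
                 "value": v, "case sensitive": False} for v in values]},
            "respond": [{"action": "report",
                         "name": f"OTX: {pulse['name']} ({ind_type})"}],
        }
    return rules


def _walk(obj, parts):
    """Resolve a slash-separated path; '?' fans out over list elements."""
    if not parts:
        return [obj]
    head, rest = parts[0], parts[1:]
    if head == "?" and isinstance(obj, list):
        return [v for item in obj for v in _walk(item, rest)]
    if isinstance(obj, dict) and head in obj:
        return _walk(obj[head], rest)
    return []


def matches(node, message):
    """Tiny evaluator covering only the 'is' and 'or' operators used above."""
    if node["op"] == "or":
        return any(matches(r, message) for r in node["rules"])
    if node["op"] == "is":
        if node.get("event") and message["routing"]["event_type"] != node["event"]:
            return False
        found = _walk(message, node["path"].split("/"))
        want = node["value"]
        if not node.get("case sensitive", True):
            found = [str(v).lower() for v in found]
            want = str(want).lower()
        return want in found
    raise ValueError(f"unsupported op {node['op']!r}")


def detections(rules, message):
    """Names of the rules whose detect clause matches one sensor message."""
    return [name for name, r in rules.items() if matches(r["detect"], message)]


def sensor_message(event_type, event):
    """Constructed sensor message with the routing/event_type field LC uses."""
    return {"routing": {"event_type": event_type}, "event": event}


# Constructed pulse (not a real OTX pulse). The URL indicator is skipped.
PULSE = {"id": "65a0", "name": "Example campaign", "indicators": [
    {"indicator": "Bad-Domain.example", "type": "domain"},
    {"indicator": "203.0.113.9", "type": "IPv4"},
    {"indicator": "a" * 64, "type": "FileHash-SHA256"},
    {"indicator": "http://203.0.113.9/x", "type": "URL"},
]}

if __name__ == "__main__":
    rules = pulse_to_rules(PULSE)
    print(json.dumps(rules, indent=2))
    print(detections(rules, sensor_message("DNS_REQUEST",
                                           {"DOMAIN_NAME": "bad-domain.example"})))
```

Two design points carry over to the real thing: indicators are grouped into one rule per type (a single rule with an "or" over values is far cheaper to manage than one rule per IOC), and domain matching is case-insensitive because DNS names arrive in whatever case the client sent them.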

Ability to invite new users to create LimaCharlie accounts

We have added the ability to invite new users to create LimaCharlie accounts. When an org admin adds a user to their organization and no account exists for the email address provided, that person is sent an email invitation to create a LimaCharlie account.

The new user is not automatically added to the organization. After creating their LimaCharlie account, they will need to contact the person who invited them to complete the process. Improving this part of the experience is on our roadmap.