Building A Community


The best defence that information security professionals have against bad actors is collaboration. Sharing information about new threats and implementing best practices is the preeminent way to ensure a strong security fabric across cyberspace.

LimaCharlie encourages the spirit of information sharing through our User Add-on capability. Any user of LimaCharlie can create their own private Add-ons or choose to make them public and share them with the wider community.

An Add-on can be a detection, a threat feed, a DNS lookup, a whitelist or blacklist, a Levenshtein string distance check, a check for a known APT or anything in between. It is a powerful entry point into the LimaCharlie endpoint detection and response platform.

Most recently @LoveKebabble from the very capable team at Soteria released two different threat feeds for public consumption on the LimaCharlie platform. Details around these Add-ons are as follows.


This feed scrapes the @ScumBots Twitter feed provided by @pmelson and collects the SHA-256 hashes it posts. It is common for threat actors to host their malicious code on paste sites so that it can be pulled down and executed with CLI tools such as PowerShell. Should this lookup trigger an alert, you can reference either @ScumBots or to get more context around the alert itself, such as the C2 channels used and a link to the pastebin with the exact code executed on your organization's system.


Content of the add-on: C&C IPs, domains, hashes. Description: ‘TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and even its own file indexer for the victim’s machine.


LimaCharlie currently offers a multitude of detections and lookups for free, along with providing our users the ability to make as many more as they like. To learn how to create your own User Add-ons you can visit the documentation here.

LimaCharlie also has a vibrant Slack community that you can join. The Slack channel is a great place to ask questions, collaborate with other community members and provide feedback to the team behind the product. There is almost always somebody from the LimaCharlie team online and we love to talk endpoint detection and response.


Threat Hunting Across Historical Telemetry


Recently we announced a new capability that allows MSSPs to perform retroactive hunting over up to a year’s worth of telemetry. The ability to retroactively apply Detection & Response (D&R) rules to LimaCharlie telemetry is very powerful, and through the API it can be used to build Continuous Integration / Continuous Delivery (CI/CD) into detection systems.

Previously only available through the API, we are now offering this capability through our Replicant platform. Replicants can be thought of as digital automatons: expert driven algorithms which perform tasks normally carried out by humans. Each Replicant has a particular specialization and can be enabled at the click of a button.


The Replay Replicant allows an analyst to select a date range and search an endpoint’s history, or scan across the history of the entire fleet, for indicators of compromise (IOC). Almost any detection that can be written can be applied retroactively against historical telemetry.

Imagine waking up one morning with the details being reported of a new threat actor targeting your industry. You have details on how this new threat can be detected, but how do you know if you have seen it inside your network during the last year? Using LimaCharlie’s Replay Replicant you can retroactively scan all of the historical telemetry across your entire fleet in just a few minutes with a couple of clicks.

The user interface for the Replay Replicant is simple: the user selects a date range for the scan, the D&R rule to use and finally an endpoint or set of endpoints to scan, then starts the job. The results are displayed in an incident card.


And that in a nutshell is the new Replay Replicant. You can read the docs for the Replay API here.

We are pretty excited about the direction we are taking with the Replicant platform and see it as an important building block in our quest to build the world’s best system of information security infrastructure on demand.

If you have any questions or ideas for new features we would love to talk. You can get a hold of us on Twitter, join our community slack group or contact us directly.

Happy hunting!


Running Detections Against Historical Data


LimaCharlie is launching Replay: a powerful new capability that allows organizations to perform retroactive hunting or build Continuous Integration / Continuous Delivery (CI/CD) into their detection systems.

At its heart, Replay lets you retroactively apply Detection & Response (D&R) rules to LimaCharlie traffic from any point in time during the last year, or from whenever the telemetry storage feature, Insight, was turned on, whichever is more recent.

This ability enables you to look for specific indicators of compromise (IOC) and run complete D&R rules, including threat feeds, APIs or operators against historical telemetry.

Replay is currently available through the LimaCharlie CLI and REST API with a web interface coming soon.

An example of how Replay can add value:

An attacker is found and it is believed that their usual technique is to drop executables in System32 which make outbound network connections to port 443. These executables are not signed. A D&R rule describing that behaviour:

detect:
  op: and
  rules:
    - op: is windows
    - op: is
      path: event/PROCESS/FILE_IS_SIGNED
      value: 0
    - op: contains
      path: event/PROCESS/FILE_PATH
      value: system32
      case sensitive: false
    - op: is
      # path (the connection's outbound flag) not given in the rule as published
      value: 1
    - op: is
      # path (the connection's destination port) not given in the rule as published
      value: 443
respond:
  - action: report
    name: sys32-outbound-unsigned

To run the rule above against the last seven days (604,800 seconds) of telemetry across the entire organization, you would run the following:

limacharlie-replay --entire-org --last-seconds 604800 --rule-content ./rule.yaml
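To make the matching concrete, here is an added example (not LimaCharlie's code) of what Replay does with a rule like the one above: a small evaluator for the and, is, contains and is windows operators, applied to a handful of constructed telemetry records filtered by a time window. The record layout (a routing block with platform and timestamp beside the event body) follows the shape of LimaCharlie records; the two network paths under event/NETWORK_ACTIVITY, which the published rule omits, the make_record helper and all the sample records are assumptions made for the example.

```python
from typing import Any

# Added example: a minimal evaluator for the D&R rule shown above, applied to
# a window of stored telemetry the way Replay does. Not LimaCharlie's code.

# The rule from the post. The two NETWORK_ACTIVITY paths are ASSUMED names for
# the outbound flag and destination port; the published rule leaves them out.
RULE = {
    "detect": {
        "op": "and",
        "rules": [
            {"op": "is windows"},
            {"op": "is", "path": "event/PROCESS/FILE_IS_SIGNED", "value": 0},
            {"op": "contains", "path": "event/PROCESS/FILE_PATH",
             "value": "system32", "case sensitive": False},
            {"op": "is", "path": "event/NETWORK_ACTIVITY/IS_OUTGOING", "value": 1},
            {"op": "is", "path": "event/NETWORK_ACTIVITY/DESTINATION/PORT", "value": 443},
        ],
    },
    "respond": [{"action": "report", "name": "sys32-outbound-unsigned"}],
}


def resolve(node: Any, parts: list) -> list:
    """Walk a slash-separated path; a list along the way yields every element."""
    if not parts:
        return [node]
    if isinstance(node, list):
        found = []
        for item in node:
            found.extend(resolve(item, parts))
        return found
    if isinstance(node, dict) and parts[0] in node:
        return resolve(node[parts[0]], parts[1:])
    return []


def evaluate(rule: dict, record: dict) -> bool:
    """Evaluate one detect node against one record."""
    op = rule["op"]
    if op == "and":
        return all(evaluate(r, record) for r in rule["rules"])
    if op == "or":
        return any(evaluate(r, record) for r in rule["rules"])
    if op == "is windows":
        return record["routing"]["platform"] == "windows"
    values = resolve(record, rule["path"].split("/"))
    if op == "is":
        return any(v == rule["value"] for v in values)
    if op == "contains":
        needle = rule["value"]
        if rule.get("case sensitive", True):
            return any(isinstance(v, str) and needle in v for v in values)
        return any(isinstance(v, str) and needle.lower() in v.lower() for v in values)
    raise ValueError(f"unsupported operator: {op}")


def replay(rule: dict, records: list, start: int, end: int) -> list:
    """Apply the rule to every stored record whose timestamp falls in [start, end]."""
    detections = []
    for rec in records:
        ts = rec["routing"]["event_time"]
        if not start <= ts <= end:
            continue
        if evaluate(rule["detect"], rec):
            for action in rule["respond"]:
                if action["action"] == "report":
                    detections.append({"name": action["name"],
                                       "hostname": rec["routing"]["hostname"],
                                       "event_time": ts})
    return detections


def make_record(hostname, platform, ts, path, signed, outgoing, port):
    """Constructed connection record (sample data, not real telemetry)."""
    return {
        "routing": {"hostname": hostname, "platform": platform, "event_time": ts},
        "event": {
            "PROCESS": {"FILE_PATH": path, "FILE_IS_SIGNED": 1 if signed else 0},
            "NETWORK_ACTIVITY": [{"IS_OUTGOING": 1 if outgoing else 0,
                                  "DESTINATION": {"PORT": port}}],
        },
    }


# Constructed history: only the first and last records fit the rule, and the
# last one sits outside the window replayed below.
SAMPLE_RECORDS = [
    make_record("ws-01", "windows", 1000, r"C:\Windows\System32\svchosts.exe", False, True, 443),
    make_record("ws-01", "windows", 2000, r"C:\Windows\System32\svchost.exe", True, True, 443),
    make_record("ws-02", "windows", 3000, r"C:\Users\bob\AppData\Local\Temp\upd.exe", False, True, 443),
    make_record("ws-02", "windows", 4000, r"C:\WINDOWS\SYSTEM32\x.exe", False, True, 80),
    make_record("srv-01", "linux", 5000, "/opt/system32/agent", False, True, 443),
    make_record("ws-03", "windows", 9000, r"C:\Windows\System32\y.exe", False, True, 443),
]

if __name__ == "__main__":
    for detection in replay(RULE, SAMPLE_RECORDS, start=0, end=8000):
        print(detection)
```

Two points worth noting when writing rules for Replay: the contains check is made case-insensitive because System32 is written in several casings in real file paths, and each leaf is evaluated on its own, so widening the time window (here to 10000) is what brings the sixth record into the result set, not any change to the rule.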

Not only can Replay help LimaCharlie users search their historical telemetry for IOCs and build CI/CD into their detection pipelines, it also speeds up rule creation: new rules can immediately be run against historical data to test their effectiveness and see how much noise they produce.

The team at LimaCharlie is extremely excited about all the possibilities that this new functionality opens up. If you have any questions regarding Replay - or any other capability - please do not hesitate to contact us.


Getting Started Guide


The majority of LimaCharlie users are mature MSSPs and SOCs. As we move forward and bring on more and more customers we have noticed that a significant number are technically capable people looking to expand into new areas of information security coverage for their respective organizations.

That is, we are seeing a lot of CTOs, heads of IT, etc., who are looking to create a better security posture for their organization and who may not have the budget to hire an MSSP. A lot of the people we see trying the product are simply curious as well: researchers, students, hackers and tinkerers.

Education is one of our core tenets and to this end we have created a new Getting Started document that outlines setting up a new account with some basic coverage across a few main areas. You can download that document here: Getting Started with LimaCharlie

And a reminder that we do offer a free online course that can be accessed at

Getting Started


Dark Theme & White Labelling


At its core LimaCharlie is a Security Platform as a Service (SPaaS). You can think of it as the Amazon Web Services of endpoint security. Scalable, on demand security infrastructure that is designed to bolster the capability of MSSPs and SOCs.


The team at LimaCharlie recently refactored our web application to use a templating system in order to create a dark theme for analysts. Our team knows what it is like to work at a computer for long periods of time and we find that dark themes are the easiest on the eyes. Additional motivation for this work was to improve our ability to do deep white labelling for customers that want to integrate the web application into external facing aspects of their pipeline.


For customers operating at a certain scale, LimaCharlie now offers white label versions of the web application that are completely branded. Every colour, logo, doc link and URL can be customized with a single configuration file. This was a big project and will be ongoing with localization next on the docket.


If you are interested in white labelling - or have any questions about how the LimaCharlie SPaaS can bolster your capability - please contact us.


Universal Search


One of the challenges faced by the team at LimaCharlie is figuring out how to expose the breadth and capability of our technology through the web application. There are many different factors that contribute to the design decisions we make but one of our guiding principles is that we want analysts to be able to get the information they need as quickly and easily as possible.

To this end, we have introduced a universal search bar into the dashboard of the web application. This single search interface serves as a good starting point for the vast majority of data inquiries.

Search Bar

From this interface users can search using a sensor ID, hostname prefix, IP address, hash, file path and more.

Searching for an IP, file path, hash or user name will bring back stats on the prevalence of the given data point. The prevalence is represented by three numbers indicating how many times the data point was seen on the organization’s hosts over the last day, last week and last month. This data can provide a strong clue about whether or not something has just shown up to the party: a value that is seen as often in the last day as in the last month is new to the fleet.

IP Address Search Results

Searching for a sensor ID or hostname prefix will bring back links that lead directly into the live console or historical data explorer for the given sensor. These search results act as a shortcut to full access to the endpoint and all of its historical telemetry.

Agent Search Results

It is still early days for this search feature but we are very happy with its performance and the type of agility that it enables. We are always interested in user feedback so if you have any suggestions on how we can improve this, or any feature, please get in touch.

Happy Hunting!




Replicants can be thought of as digital automatons: expert driven algorithms which utilize some basic artificial intelligence to perform tasks that would normally be completed by humans.

Each replicant has a particular specialization and can be enabled at the click of a button in the Add-ons section. Once enabled any given replicant can be configured by interacting with it in the War Room section of the web application.


YARA Replicant

The YARA Replicant is designed to help you with all aspects of YARA scanning. It takes what is normally a piecewise process, provides a framework and automates scanning.

YARA signatures can be run by the Replicant on demand for a particular endpoint or run continuously in the background across the entire fleet.

There are three main sections to the YARA Replicant, as follows.


This is where the source for the YARA signatures to be used by the Replicant is defined. Source URLs can be a direct link to a single YARA rule (.yar file) or a link to a folder containing a collection of signatures in multiple files.

In order to use the signatures for Email and General Phishing Exploits that exist in this Github repo we would link the following URL, which is basically just a folder full of .yar files.

Another example would be to link the very popular YARA signatures provided by Florian Roth.



Rules define YARA Replicant actions that run in the background across your entire fleet. Each rule defines which subset of sensors should be scanned with which YARA signatures on an ongoing basis.

To create a rule you give it a name, choose which platforms you want to investigate and then select the combination of tags that need to be present for a given endpoint to be scanned. To complete the process you select the source of the YARA signatures (as given in the previous section) and click save.



The scan section allows you to select an endpoint and which YARA signatures that you want to run against it. Starting immediately after you click the scan button the YARA Replicant will start generating a report.


Responder Replicant

The Responder Replicant performs an in-depth sweep through the state of a given host. The sweep will highlight parts of the activity that are suspicious. This provides you with a good starting position when beginning an investigation and allows you to focus on the important things right away.

The information that is returned by the sweep is continually evolving but you can expect it to return the following:

  • A full list of processes and modules

  • A list of unsigned binary code running in processes

  • Network connections with a list of processes listening and active on the network

  • Hidden modules

  • A list of recently modified files

  • Unique or rare indicators of compromise


Integrity Replicant

The Integrity Replicant helps manage all aspects of File and Registry integrity monitoring.

Rules define which file path patterns and registry patterns should be monitored for changes on specific sets of hosts. To create a rule you give it a name, select which platforms you want to investigate and then select the combination of tags that needs to be present for a given endpoint to be scanned.

Patterns are file or registry path patterns supporting the wildcards *, ? and +. Windows directory separators (backslash, "\") must be escaped as "\\".
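As an added example (not LimaCharlie's code), here is how a Replicant rule of this kind resolves to a set of sensors and how its escaped wildcard patterns match changed paths. It serves both the YARA Replicant rule described earlier (a platform selection plus the tags that must all be present picks the sensors) and the Integrity rule here. Everything in it is constructed: the sensors and their tags, the patterns, the change events and the helper names. Only * and ? are implemented; the page lists + as a wildcard but does not say what it matches, so it is left out.

```python
import re

# Added example: target-sensor resolution (platform + required tags) and
# wildcard path matching for an Integrity/YARA-style Replicant rule.
# Not LimaCharlie's code; every record below is constructed.

SENSORS = [
    {"sid": "s-1", "hostname": "ws-01", "platform": "windows", "tags": {"server", "dmz"}},
    {"sid": "s-2", "hostname": "ws-02", "platform": "windows", "tags": {"server"}},
    {"sid": "s-3", "hostname": "lx-01", "platform": "linux", "tags": {"server", "dmz"}},
]

# Patterns exactly as they would be typed into the rule: every Windows
# separator doubled, * (any run of characters) and ? (one character).
RULE = {
    "name": "dmz-server-integrity",
    "platforms": {"windows"},
    "tags": {"server", "dmz"},  # every one of these must be on the sensor
    "patterns": [
        r"C:\\Windows\\System32\\drivers\\etc\\*",
        r"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
        r"C:\\Windows\\Temp\\?.tmp",
    ],
}


def compile_pattern(pattern: str, case_insensitive: bool = True) -> "re.Pattern[str]":
    """Turn a rule pattern into an anchored regex.

    The doubled backslashes are collapsed to single ones first, then * and ?
    are translated; every other character is matched literally.
    """
    raw = pattern.replace("\\\\", "\\")
    pieces = []
    for ch in raw:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    flags = re.IGNORECASE if case_insensitive else 0
    return re.compile("^" + "".join(pieces) + "$", flags)


def is_targeted(rule: dict, sensor: dict) -> bool:
    """In scope when the platform is selected and all required tags are present."""
    return sensor["platform"] in rule["platforms"] and rule["tags"] <= sensor["tags"]


def targeted_sensors(rule: dict, sensors: list) -> list:
    return [s["sid"] for s in sensors if is_targeted(rule, s)]


def evaluate_changes(rule: dict, sensors: list, changes: list) -> list:
    """(hostname, path, pattern) for each change on an in-scope sensor that matches."""
    by_sid = {s["sid"]: s for s in sensors}
    # Windows paths and registry keys are case-insensitive; this rule only
    # targets Windows, so one compile pass covers every sensor in scope.
    compiled = [(p, compile_pattern(p, case_insensitive="windows" in rule["platforms"]))
                for p in rule["patterns"]]
    hits = []
    for change in changes:
        sensor = by_sid.get(change["sid"])
        if sensor is None or not is_targeted(rule, sensor):
            continue
        for text, rx in compiled:
            if rx.match(change["path"]):
                hits.append((sensor["hostname"], change["path"], text))
                break
    return hits


# Constructed change events; paths carry single backslashes, as real paths do.
CHANGES = [
    {"sid": "s-1", "path": r"C:\Windows\System32\drivers\etc\hosts"},                      # hit
    {"sid": "s-1", "path": r"C:\Windows\System32\notepad.exe"},                             # not monitored
    {"sid": "s-1", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},  # hit, casing differs
    {"sid": "s-1", "path": r"C:\Windows\Temp\ab.tmp"},                                     # ? is one character only
    {"sid": "s-2", "path": r"C:\Windows\System32\drivers\etc\hosts"},                      # sensor lacks the dmz tag
    {"sid": "s-3", "path": "/etc/hosts"},                                                   # platform not selected
]

if __name__ == "__main__":
    print("in scope:", targeted_sensors(RULE, SENSORS))
    for hit in evaluate_changes(RULE, SENSORS, CHANGES):
        print(hit)
```

The collapse of "\\" to "\" before translation is the part that trips people up: a pattern pasted with single backslashes would have its "\W", "\S" and similar sequences read as escapes by any regex-backed matcher, which is why the page insists on doubling them.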


The team at LimaCharlie is going to continue adding more capability through this Replicant model. If you have any questions - or suggestions for upcoming Replicants - we would love to hear from you.


Managing Multiple Organizations


LimaCharlie is multi-tenant because it is designed for managed security service providers (MSSPs). This means that you can have as many organizations as you want under one account. Each organization is billed independently and can have any number of users with varying levels of ability assigned using the role-based access control system. White-labelling is available for MSSPs who are leveraging the private cloud option or operating at a certain volume.

In order to make onboarding new organizations as simple as possible, LimaCharlie provides a method for setting up an organization from a config file. This 'Infrastructure as Code' approach mitigates human error and allows you to build a robust, reproducible setup (it will save you time and headaches). Information on how to manage configurations can be found in this blog article.

Most recently we have started to add multi-org functionality to our CLI. Now from the command line you can search for specific indicators of compromise across all of the organizations under your control. You can read more about this new multi-org CLI command here.

To stay up to date with our feature development you can follow LimaCharlie on Twitter or LinkedIn.