Putting it Together

The LimaCharlie web application makes detection and response rules available for creation and editing in the YAML format as outlined in the following example. 

Detect:

op: ends with
event: NEW_PROCESS
path: event/FILE_PATH
value: .scr

Respond:

- action: report
  name: susp_screensaver
- action: add tag
  tag: uses_screensaver
  ttl: 80000

WanaCry

Simple WanaCry detection and mitigation rule:

Detect

{
  "op": "ends with",
  "event": "NEW_PROCESS",
  "path": "event/FILE_PATH",
  "value": "@wanadecryptor@.exe",
  "case sensitive": false
}

Respond

[
  { "action": "report", "name": "wanacry" },
  { "action": "task", "command": "history_dump" },
  { "action": "task", "command": [ "deny_tree", "<<routing/this>>" ] }
]

Classify Users

Tag any sensor on which the CEO logs in with "vip".

Detect

{
  "op": "is",
  "event": "USER_OBSERVED",
  "path": "event/USER_NAME",
  "value": "stevejobs",
  "case sensitive": false
}

Respond

[
  { "action": "add tag", "tag": "vip" }
]

Suspicious Windows Executable Names

{
  "op": "matches",
  "path": "event/FILE_PATH",
  "case sensitive": false,
  "re": ".*((\\.txt)|(\\.doc.?)|(\\.ppt.?)|(\\.xls.?)|(\\.zip)|(\\.rar)|(\\.rtf)|(\\.jpg)|(\\.gif)|(\\.pdf)|(\\.wmi)|(\\.avi)|( {5}.*))\\.exe"
}

Disable an Event at the Source

Stop a sensor from sending a specific event type to the cloud. This is useful for limiting verbose data sources when they are not needed.

Detect

op: is windows
event: CONNECTED

Respond

- action: task
  command: exfil_del NEW_DOCUMENT
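To make the detect/respond structure used throughout the examples above concrete, here is an added, simplified rule evaluator (example code, not LimaCharlie's engine): it implements the operators the page uses (ends with, is, matches, is windows), honours the "case sensitive" flag, and returns the respond actions of every rule that fires. It assumes an event layout with the type under routing/event_type, the payload under event/..., and a constructed routing/platform field for the platform check; the respond list for the regex rule is also constructed.

```python
import re

# Constructed, simplified evaluator for the rule shapes on this page (not LimaCharlie's engine).
# Assumed event layout: type under routing/event_type, payload under event/..., and an
# assumed routing/platform field for "is windows". "case sensitive" is assumed to default to true.

def lookup(obj, path):  # resolve a slash path such as event/FILE_PATH; None if absent
    for key in path.split("/"):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def detect_matches(detect, event):
    """True when the detect clause applies to the event."""
    if "event" in detect and lookup(event, "routing/event_type") != detect["event"]:
        return False
    op, cs = detect["op"], detect.get("case sensitive", True)
    if op == "is windows":  # platform check; no path involved
        return lookup(event, "routing/platform") == "windows"
    actual = lookup(event, detect["path"])
    if not isinstance(actual, str):
        return False
    if op == "matches":  # regex assumed anchored at the start, hence the page's leading ".*"
        return re.match(detect["re"], actual, 0 if cs else re.IGNORECASE) is not None
    expected = detect["value"]
    if not cs:
        actual, expected = actual.lower(), expected.lower()
    if op == "is":
        return actual == expected
    if op == "ends with":
        return actual.endswith(expected)
    raise ValueError(f"unsupported operator: {op}")

def evaluate(rules, event):
    """Return {rule name: respond actions} for every rule that fires on the event."""
    return {n: r["respond"] for n, r in rules.items() if detect_matches(r["detect"], event)}

# Two of the page's rules as dicts; the respond list for the regex rule is constructed.
RULES = {
    "wanacry": {"detect": {"op": "ends with", "event": "NEW_PROCESS", "path": "event/FILE_PATH",
                           "value": "@wanadecryptor@.exe", "case sensitive": False},
                "respond": [{"action": "report", "name": "wanacry"},
                            {"action": "task", "command": "history_dump"},
                            {"action": "task", "command": ["deny_tree", "<<routing/this>>"]}]},
    "susp_exe_name": {"detect": {"op": "matches", "path": "event/FILE_PATH", "case sensitive": False,
                                 "re": r".*((\.txt)|(\.doc.?)|(\.ppt.?)|(\.xls.?)|(\.zip)|(\.rar)|(\.rtf)|(\.jpg)|(\.gif)|(\.pdf)|(\.wmi)|(\.avi)|( {5}.*))\.exe"},
                      "respond": [{"action": "report", "name": "susp_exe_name"}]},
}
```

Because the regex rule carries no "event" key, it is checked against every event that has an event/FILE_PATH, which is why a type filter in the detect clause matters for cost on verbose sources.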