Background

Threat Detection and Response Automation with LimaCharlie and Tines - MyDFIR


|Introduction

This project is focused on streamlining cybersecurity incident management by leveraging automated workflows to detect threats, alert analysts, and take remedial actions. By integrating LimaCharlie and Tines, the system can rapidly detect malware or suspicious activity on endpoints, trigger automatic alerts, and facilitate communication and decision-making for isolating compromised machines. This approach not only increases the speed of threat mitigation but also ensures that security teams can focus on more critical tasks, leaving repetitive, low-level responses to automation.

LimaCharlie is a modern cloud-based security platform that provides endpoint detection and response (EDR) as a service. It offers a robust and scalable environment for deploying, managing, and analyzing security sensors on endpoints. With LimaCharlie, security teams can detect threats, gather forensic data, and automate responses based on real-time data from their infrastructure. LimaCharlie allows you to customize detection and response strategies, while offering integrations with multiple tools to enable automated workflows, such as the one in this project.

Tines is a powerful no-code automation platform designed for security teams to automate manual and repetitive tasks involved in cybersecurity operations. By enabling users to create automated workflows, Tines can streamline incident response, alerting, and monitoring processes. In this project, Tines is used to orchestrate the response once a threat is detected by LimaCharlie, providing actionable prompts to the security team, and if necessary, automating machine isolation and sending alerts through various channels such as Slack and email.

|Project Specifications

My specifications for this project are as follows:

|Project Diagram

project-diagram

|1. Project Setup

I used VMware Workstation Pro to create the Windows 10 virtual machine for this project, and I also created accounts on LimaCharlie, Tines and Slack.

|1.1. LimaCharlie

First I created an account on LimaCharlie and an organization named ByteBoltsec. Then I added a new sensor for my Windows 10 machine, target-pc.alpha.local.

Sensors List

|Installing the sensor on the Windows machine

I downloaded the 64-bit Windows sensor from https://downloads.limacharlie.io/sensor/windows/64 and copied the installation key from LimaCharlie > Sensors > Installation Keys.

Sensors List

Afterwards, I opened PowerShell on the Windows machine and ran the installer, passing it the installation key.

.\hcp_win_x64_release_4.29.4.exe -i <<Installation-Key>>
Sensor Installed

Upon refreshing the Sensors List page, the sensor was successfully added.

Sensor added

|1.2. Windows 10

|Generating Telemetry with LaZagne

After installing the sensor, it was time to test it by downloading and running LaZagne, an open source project that retrieves many of the passwords stored on a local computer. I downloaded LaZagne from https://github.com/AlessandroZ/LaZagne.

download LaZagne

Then I ran the executable and it started extracting passwords:

.\LaZagne.exe

Executing LaZagne

|Viewing Alerts in LimaCharlie

After executing LaZagne.exe, the generated alerts can be seen in the Timeline section.

Timeline

|2. Detection & Response Rule Creation

To create a detection automation rule, I navigated to Automation > D&R Rules. Since it was my first time building a rule in LimaCharlie, I decided to start from an existing rule that detects credential attacks. I searched for 'Credential' in the search bar and picked the most relevant rule:

windows_process_creation/proc_creation_win_netsh_wifi_credential_harvesting
D&R rules list Windows-process-creation rule

Rule github

I copied this rule's YAML file as the starting point for my own custom rule.

|2.1. Creating Custom Rule

This is the rule I created, shown with its detect and respond sections together:

detect:
  events:
    - NEW_PROCESS
    - EXISTING_PROCESS
  op: and
  rules:
    - op: is windows
    - op: or
      rules:
        - case sensitive: false
          op: ends with
          path: event/FILE_PATH
          value: \LaZagne.exe
        - case sensitive: false
          op: ends with
          path: event/COMMAND_LINE
          value: all
        - case sensitive: false
          op: contains
          path: event/COMMAND_LINE
          value: lazagne
        - case sensitive: false
          op: is
          path: event/HASH
          value: 467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486
respond:
  - action: report
    metadata:
      author: Alpha
      description: Detects LaZagne (SOAR-EDR Tool)
      falsepositives:
        - Unlikely
      level: medium
      tags:
        - attack.credential_access
    name: Alpha - HackTool -  LaZagne (SOAR-EDR)

New Rule

|Testing the newly created rule

To test the rule, I pasted a captured event into the test panel:

Testing Event

Clicking on the Test Event button showed that the rule was correctly identifying events.

Testing Event Result
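To see how the rule's operators combine without the LimaCharlie console, here is an added example (my own code, not LimaCharlie's engine) that transcribes the detect block above into Python and evaluates it against constructed NEW_PROCESS-shaped events; the `is windows` operator is stood in by a constructed routing/platform key, which is an assumption, not the real routing field.

```python
"""Offline evaluator for the custom D&R rule, run on constructed sample events.
Added example: operator semantics are my reading of the rule, not LimaCharlie's code."""
LAZAGNE_SHA256 = "467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486"

RULE = {"op": "and", "rules": [  # detect block transcribed from the YAML above
    {"op": "is windows"},
    {"op": "or", "rules": [
        {"op": "ends with", "path": "event/FILE_PATH", "value": "\\LaZagne.exe", "case sensitive": False},
        {"op": "ends with", "path": "event/COMMAND_LINE", "value": "all", "case sensitive": False},
        {"op": "contains", "path": "event/COMMAND_LINE", "value": "lazagne", "case sensitive": False},
        {"op": "is", "path": "event/HASH", "value": LAZAGNE_SHA256, "case sensitive": False},
    ]},
]}

def lookup(event, path):  # resolve a LimaCharlie-style 'event/FIELD' path to a string
    node = event
    for part in path.split("/"):
        node = node.get(part, "") if isinstance(node, dict) else ""
    return node if isinstance(node, str) else ""

def evaluate(rule, event):
    """Recursively evaluate the and/or tree, then the leaf comparison operators."""
    op = rule["op"]
    if op == "and":
        return all(evaluate(r, event) for r in rule["rules"])
    if op == "or":
        return any(evaluate(r, event) for r in rule["rules"])
    if op == "is windows":  # assumption: constructed events carry routing/platform
        return lookup(event, "routing/platform") == "windows"
    field, value = lookup(event, rule["path"]), rule["value"]
    if not rule.get("case sensitive", True):
        field, value = field.lower(), value.lower()
    return {"ends with": field.endswith(value),
            "contains": value in field,
            "is": field == value}[op]

def make_event(file_path, command_line, sha256=""):  # constructed event, not real telemetry
    return {"routing": {"platform": "windows"},
            "event": {"FILE_PATH": file_path, "COMMAND_LINE": command_line, "HASH": sha256}}

SAMPLE_EVENTS = {
    "lazagne":  make_event(r"C:\Users\alpha\Downloads\LaZagne.exe", "LaZagne.exe all", LAZAGNE_SHA256),
    "renamed":  make_event(r"C:\Temp\svc.exe", "svc.exe browsers", LAZAGNE_SHA256),  # hash clause only
    "ipconfig": make_event(r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),     # broad 'all' clause
    "notepad":  make_event(r"C:\Windows\System32\notepad.exe", "notepad.exe"),
}

def matches():  # {sample name: whether the rule fires}
    return {name: evaluate(RULE, ev) for name, ev in SAMPLE_EVENTS.items()}
```

The ipconfig sample shows that the `ends with` clause on COMMAND_LINE fires on any command line ending in "all", so that clause is a false-positive source worth tightening (for example by combining it with the file-path condition under `and`) before using the rule in production.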

|2.3. Generating detections

I generated detections again by running:

.\LaZagne.exe all
Detections List

|3. Slack

I already had a Slack account, so all I needed to do was create a new workspace named Alpha-SOAR-EDR and a channel in it named 'alerts'.

Channel Created

|4. Tines

I created an account for Tines and started a new story. Stories are a collection of interconnected actions working towards a singular mission that can be automated. They can be viewed as analogous to use-cases or playbooks. For example, you might have a phishing story, an offboarding story, or an incident response story.

|4.1. Tines integration with LimaCharlie

To integrate Tines with LimaCharlie, I navigated to LimaCharlie > Outputs > Add Output > Choose Output Stream (Detections) > Choose Output Destination (Tines) > Configure Output of Detections + Tines (Name + Destination Host). I pasted the Tines webhook URL into the Destination Host field and the configuration was saved successfully.

|4.2. Tines integration with Slack

Similarly, I integrated Tines with Slack by navigating to Slack Workspace > More > Automations > Apps (search for Tines) > Add to Slack.

Adding Tines

|5. Tines story

To create the SOAR-EDR story, I first needed connections to Slack and LimaCharlie, which I already had, so all that remained was to generate detections by running LaZagne on my Windows machine.

Detections List

|5.1. Webhook - Retrieve Detections

First, LimaCharlie routes each detection to the Tines webhook, which receives it as-is. The following fields were selected to be forwarded:

Title: <<retrieve_detections.body.cat>>
Time: <<retrieve_detections.body.detect.routing.event_time>>
Computer: <<retrieve_detections.body.routing.hostname>>
Source IP: <<retrieve_detections.body.detect.routing.int_ip>>
Username: <<retrieve_detections.body.detect.event.USER_NAME>>
File Path: <<retrieve_detections.body.detect.event.FILE_PATH>>
Command Line: <<retrieve_detections.body.detect.event.COMMAND_LINE>>
Sensor ID: <<retrieve_detections.body.detect.routing.sid>>
Detection Link: <<retrieve_detections.body.link>>

Webhook Detection

|5.2. Slack - Send a message

After retrieval, the detection is forwarded to the Slack 'alerts' channel. Here is the detection message that was received:

Slack Alert

|5.3. Send Email - Send Email Action

I created a temporary email address using SquareX, and the detection email was successfully received there.

Email Alert

|5.4. User Prompt

A prompt then asks whether or not to isolate the machine.

User Prompt

Selecting 'Yes' sends an HTTP request to the LimaCharlie API, while selecting 'No' only sends a Slack message.

|5.5. Trigger Yes

If 'Yes' is selected, user_prompt.body.isolate equals true.

Trigger Yes

|5.6. HTTP Request - Isolate Sensor

An HTTP request is sent to LimaCharlie to isolate the sensor.

Sensor Isolated

|5.7. HTTP Request - Get Isolation Status

Another HTTP request is sent to LimaCharlie to fetch the isolation status, which is then included in the Slack message.

|5.8. Slack - Send a message

A Slack message with the isolation status is sent.

Slack Isolation Message

|5.9. Trigger No

If 'No' is selected, user_prompt.body.isolate equals false.

Trigger No

|5.10. Slack - Send a message

A Slack message clearly stating "The computer: target-pc.alpha.local was not isolated" is sent.

Slack Isolation Message
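As an added example (my own code, not the page's Tines story), the following renders the Slack alert from the <<retrieve_detections...>> field paths listed in section 5.1 and applies the Trigger Yes / Trigger No branch of sections 5.5 to 5.10; the detection payload is constructed, and sensor isolation is simulated in memory rather than calling the LimaCharlie API.

```python
"""Added example (not the page's Tines story): renders the Slack alert from the
<<retrieve_detections...>> paths of 5.1 and applies the isolate / do-not-isolate
branch of 5.5 to 5.10. Payload is constructed; sensor state is simulated in memory."""
import re

ALERT_TEMPLATE = """Title: <<retrieve_detections.body.cat>>
Time: <<retrieve_detections.body.detect.routing.event_time>>
Computer: <<retrieve_detections.body.routing.hostname>>
Source IP: <<retrieve_detections.body.detect.routing.int_ip>>
Username: <<retrieve_detections.body.detect.event.USER_NAME>>
File Path: <<retrieve_detections.body.detect.event.FILE_PATH>>
Command Line: <<retrieve_detections.body.detect.event.COMMAND_LINE>>
Sensor ID: <<retrieve_detections.body.detect.routing.sid>>
Detection Link: <<retrieve_detections.body.link>>"""

# Constructed detection payload shaped like the webhook body (not real LimaCharlie output).
DETECTION = {"retrieve_detections": {"body": {
    "cat": "Alpha - HackTool -  LaZagne (SOAR-EDR)",
    "link": "https://example.invalid/detection/PLACEHOLDER",
    "routing": {"hostname": "target-pc.alpha.local"},
    "detect": {
        "routing": {"event_time": 1700000000000, "int_ip": "192.0.2.10", "sid": "SID-PLACEHOLDER"},
        "event": {"USER_NAME": "alpha", "FILE_PATH": r"C:\Users\alpha\Downloads\LaZagne.exe",
                  "COMMAND_LINE": "LaZagne.exe all"}}}}}

def resolve(context, dotted):
    """Walk a dotted path through nested dicts; a missing key renders as N/A."""
    node = context
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return "N/A"
        node = node[part]
    return str(node)

def render(template, context=DETECTION):
    """Replace every <<path>> placeholder with the value found in context."""
    return re.sub(r"<<([\w.]+)>>", lambda m: resolve(context, m.group(1)), template)

SENSORS = {"SID-PLACEHOLDER": {"isolated": False}}  # simulated isolation state, not the real API

def handle_prompt(prompt_body, sid, hostname):
    """Trigger Yes: isolate and report status; Trigger No: report it was not isolated."""
    if prompt_body.get("isolate") is True:
        SENSORS[sid]["isolated"] = True     # stands in for the isolate-sensor HTTP request
        status = SENSORS[sid]["isolated"]   # stands in for the get-isolation-status request
        return f"Isolation status of {hostname}: {status}"
    return f"The computer: {hostname} was not isolated"
```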

|Sensor - Before vs After Isolation

The sensor is connected to the internet before the isolation request is sent.

Ping successful

After the request is sent, the sensor is disconnected from the internet.

Ping failure

|Conclusion

In this SOAR-EDR project, I automated the detection, alerting, and response process by integrating webhooks, Slack, email notifications, and HTTP requests for sensor isolation. The workflow demonstrates the value of combining SOAR capabilities with EDR: efficient incident management, real-time collaboration, and swift remediation, which together strengthen the overall security posture.