Skip to content
/ lc_capabilities Public
forked from backwash100/lc_capabilities

A repo dedicated to host LimaCharlie Detections and Hunters for community use.

License

Apache-2.0 license
0 stars 10 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

duzvik/lc_capabilities

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits

hunter

hunter

 
 

stateful

stateful

 
 

stateless

stateless

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

patrol_all.py

patrol_all.py

 
 

patrol_from_sensor.py

patrol_from_sensor.py

 
 

patrol_osx.py

patrol_osx.py

 
 

patrol_test.py

patrol_test.py

 
 

patrol_win.py

patrol_win.py

 
 

Repository files navigation

LimaCharlie Core Detection Capabilities

These detections and hunters are designed to be used in conjunction with LimaCharlie.

How to Use

To load or unload capabilities see the LimaCharlie Wiki.

What to Load

Major Events From Sensor

As a basis, to generate detections from "major" events from the sensor, it is recommended to run the patrol_from_sensor.py patrol. It only loads capabilities that highlight major events like process hollowing, hidden modules and Yara signature hits.

Other Events

If you only run OSX, or Windows, you can run the patrol_win or patrol_osx patrols to only activate detections for these platforms.

If your environment is a mix of all platforms, run the patrol_all to activate everything.

The patrol_test is only used for tests for specific capabilities.

Fork This!

It's likely you have some ideas for detections or things that need to be custom to your environment. If that's the case just fork this repo.

About

A repo dedicated to host LimaCharlie Detections and Hunters for community use.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages

  • Python 100.0%