feat: add limacharlie edr scan

FourCoreLabs · Sep 20, 2022 · 66c637a · 66c637a
1 parent e06624e
commit 66c637a
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/pkg/resources/scan_edr.go b/pkg/resources/scan_edr.go
@@ -30,4 +30,5 @@ var (
 	SophosEDR       EDRType = "sophos"
 	FortinetEDR     EDRType = "fortinet"
 	MalwareBytesEDR EDRType = "malwarebytes"
+	LimacharlieEDR  EDRType = "limacharlie"
 )
diff --git a/pkg/scanners/scan_limacharlie.go b/pkg/scanners/scan_limacharlie.go
@@ -0,0 +1,28 @@
+package scanners
+
+import "github.com/FourCoreLabs/EDRHunt/pkg/resources"
+
+type LimacharlieDetection struct{}
+
+func (w *LimacharlieDetection) Name() string {
+	return "Limacharlie EDR"
+}
+
+func (w *LimacharlieDetection) Type() resources.EDRType {
+	return resources.LimacharlieEDR
+}
+
+var LimacharlieHeuristic = []string{
+	"lc_sensor.exe",
+	"refractionPOINT HCP",
+	"LimaCharlie",
+}
+
+func (w *LimacharlieDetection) Detect(data resources.SystemData) (resources.EDRType, bool) {
+	_, ok := data.CountMatchesAll(LimacharlieHeuristic)
+	if !ok {
+		return "", false
+	}
+
+	return resources.DeepInstinctEDR, true
+}
diff --git a/pkg/scanners/scanner.go b/pkg/scanners/scanner.go
@@ -25,5 +25,6 @@ var (
 		&SophosDetection{},
 		&FortinetDetection{},
 		&MalwareBytesDetection{},
+		&LimacharlieDetection{},
 	}
 )