From 66c637aabea13079e22114b023d8f3b98610a750 Mon Sep 17 00:00:00 2001
From: Aarush Ahuja
Date: Tue, 20 Sep 2022 14:18:06 +0530
Subject: [PATCH] feat: add limacharlie edr scan

---
 pkg/resources/scan_edr.go | 1 +
 pkg/scanners/scan_limacharlie.go | 28 ++++++++++++++++++++++++++++
 pkg/scanners/scanner.go | 1 +
 3 files changed, 30 insertions(+)
 create mode 100644 pkg/scanners/scan_limacharlie.go

diff --git a/pkg/resources/scan_edr.go b/pkg/resources/scan_edr.go
index 918c8fc..320a6f6 100644
--- a/pkg/resources/scan_edr.go
+++ b/pkg/resources/scan_edr.go
@@ -30,4 +30,5 @@ var (
 SophosEDR EDRType = "sophos"
 FortinetEDR EDRType = "fortinet"
 MalwareBytesEDR EDRType = "malwarebytes"
+ LimacharlieEDR EDRType = "limacharlie"
 )
diff --git a/pkg/scanners/scan_limacharlie.go b/pkg/scanners/scan_limacharlie.go
new file mode 100644
index 0000000..18650d4
--- /dev/null
+++ b/pkg/scanners/scan_limacharlie.go
@@ -0,0 +1,28 @@
+package scanners
+
+import "github.com/FourCoreLabs/EDRHunt/pkg/resources"
+
+type LimacharlieDetection struct{}
+
+func (w *LimacharlieDetection) Name() string {
+ return "Limacharlie EDR"
+}
+
+func (w *LimacharlieDetection) Type() resources.EDRType {
+ return resources.LimacharlieEDR
+}
+
+var LimacharlieHeuristic = []string{
+ "lc_sensor.exe",
+ "refractionPOINT HCP",
+ "LimaCharlie",
+}
+
+func (w *LimacharlieDetection) Detect(data resources.SystemData) (resources.EDRType, bool) {
+ _, ok := data.CountMatchesAll(LimacharlieHeuristic)
+ if !ok {
+ return "", false
+ }
+
+ return resources.DeepInstinctEDR, true
+}
diff --git a/pkg/scanners/scanner.go b/pkg/scanners/scanner.go
index b880568..f6e8f72 100644
--- a/pkg/scanners/scanner.go
+++ b/pkg/scanners/scanner.go
@@ -25,5 +25,6 @@ var (
 &SophosDetection{},
 &FortinetDetection{},
 &MalwareBytesDetection{},
+ &LimacharlieDetection{},
 }
 )
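Review bot: `Detect` in the new scan_limacharlie.go returns `resources.DeepInstinctEDR` on a match, so a host running LimaCharlie would be reported as Deep Instinct even though `Type()` on the same type correctly returns `resources.LimacharlieEDR`; the last return should be `return resources.LimacharlieEDR, true` (or `return w.Type(), true` so the two cannot drift apart again). This looks like a copy-paste from the Deep Instinct scanner, so the same mismatch is worth checking in the other per-vendor `Detect` methods outside this patch. A short doc comment on the exported heuristic would also help, e.g. `// LimacharlieHeuristic lists the process/driver/service name fragments CountMatchesAll is asked to find before LimaCharlie is reported.`; note that `CountMatchesAll`'s matching semantics (substring vs exact, case sensitivity) are not visible in this hunk, so the mixed-case entries like "refractionPOINT HCP" may or may not match as intended.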