Windows
- Updated on 29 Aug 2024
LimaCharlie's Windows sensor is one of the EDR-class sensors. It interfaces with the kernel to acquire deep visibility into the host's activity while taking measures to preserve the host's performance.
Supports Windows XP (32-bit) and later.
Installation Instructions
Sensor installation instructions can be found here.
Supported Events
- AUTORUN_CHANGE
- CLOUD_NOTIFICATION
- CODE_IDENTITY
- CONNECTED
- DATA_DROPPED
- DISCONNECTED
- DNS_REQUEST
- DRIVER_CHANGE
- EXISTING_PROCESS
- FILE_CREATE
- FILE_DELETE
- FILE_MODIFIED
- FILE_TYPE_ACCESSED
- FIM_ADD
- FIM_HIT
- HIDDEN_MODULE_DETECTED
- MODULE_LOAD
- MODULE_MEM_DISK_MISMATCH
- NETWORK_CONNECTIONS
- NETWORK_SUMMARY
- NEW_DOCUMENT
- NEW_NAMED_PIPE
- NEW_PROCESS
- NEW_REMOTE_THREAD
- NEW_TCP4_CONNECTION
- NEW_UDP4_CONNECTION
- NEW_TCP6_CONNECTION
- NEW_UDP6_CONNECTION
- OPEN_NAMED_PIPE
- PROCESS_ENVIRONMENT
- RECEIPT
- REGISTRY_CREATE
- REGISTRY_DELETE
- REGISTRY_WRITE
- REMOTE_PROCESS_HANDLE
- SENSITIVE_PROCESS_ACCESS
- SERVICE_CHANGE
- SHUTTING_DOWN
- STARTING_UP
- TERMINATE_PROCESS
- TERMINATE_TCP4_CONNECTION
- TERMINATE_UDP4_CONNECTION
- TERMINATE_TCP6_CONNECTION
- TERMINATE_UDP6_CONNECTION
- THREAD_INJECTION
- USER_OBSERVED
- VOLUME_MOUNT
- VOLUME_UNMOUNT
- WEL
- YARA_DETECTION
Supported Commands
- artifact_get
- deny_tree
- dir_find_hash
- dir_list
- dns_resolve
- doc_cache_get
- exfil_add
- exfil_del
- exfil_get
- file_del
- file_get
- file_hash
- file_info
- file_mov
- fim_add
- fim_del
- fim_get
- hidden_module_scan
- history_dump
- mem_find_handle
- mem_find_string
- mem_handles
- mem_map
- mem_read
- mem_strings
- netstat
- os_autoruns
- os_drivers
- os_kill_process
- os_packages
- os_processes
- os_resume
- os_services
- os_suspend
- os_users
- os_version
- put
- reg_list
- rejoin_network
- restart
- run
- segregate_network
- set_performance_mode
- uninstall
- yara_scan
- yara_update
Artifacts
Given configured paths (or Windows Event Log channels) to collect from, the Windows sensor can batch-upload logs and other artifacts directly from the host.
Learn more about collecting Artifacts here.
Payloads
For more complex needs not supported by Events, Artifacts, or Commands, it's possible to execute payloads on hosts via the Windows sensor.
Learn more about executing Payloads here.
Microsoft Defender
The Windows sensor can observe Microsoft Defender activity, alert on it, and automate a response to it.
This works by collecting the Defender event log channel as an artifact (it then arrives as WEL events) and writing Detection & Response rules that match the Defender event IDs of interest and take the appropriate action.
A config template to alert on the common Defender events of interest is available here. The template can be used in conjunction with Infrastructure Service or its user interface in the web app.
Specifically, the template alerts on the following Defender events:
- windows-defender-malware-detected (event ID 1006)
- windows-defender-history-deleted (event ID 1013)
- windows-defender-behavior-detected (event ID 1015)
- windows-defender-activity-detected (event ID 1116)
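The following is an added example, not the template linked above or any other LimaCharlie-provided configuration, showing what one of those alerts looks like end to end: the Artifact Collection pattern that streams the Defender operational channel from the Windows sensor (covering the Artifacts section above as well), and a Detection & Response rule that matches event ID 1006 in the resulting WEL events. The channel name is the standard Windows one; the `event/EVENT/System/...` path layout and the string form of `EventID` are assumptions to verify against a real WEL event from your own sensors before deploying. The detection name and tag are illustrative.

```yaml
# Added example; not part of the LimaCharlie documentation or template.
#
# Step 1 (Artifact Collection, Windows platform). Assumed pattern in the
# documented wel://<channel>:<filter> form, which makes the Windows sensor
# forward the Defender operational channel as WEL events:
#
#   wel://Microsoft-Windows-Windows Defender/Operational:*
#
# Step 2 (Detection & Response rule). Fire when a "malware detected"
# event (ID 1006) arrives from that channel.
detect:
  event: WEL
  op: and
  rules:
    # Restrict to the Defender operational channel. The path mirrors the
    # XML layout of a Windows event (System / Channel); assumed path.
    - op: is
      path: event/EVENT/System/Channel
      value: Microsoft-Windows-Windows Defender/Operational
    # Match only the event ID of interest. EventID is assumed to be
    # reported as a string, so the value is quoted; confirm against a
    # captured WEL event.
    - op: is
      path: event/EVENT/System/EventID
      value: '1006'
respond:
  # Raise a detection named after the Defender event, matching the
  # naming scheme used in the list above.
  - action: report
    name: windows-defender-malware-detected
  # Tag the sensor for a day so follow-up rules or analysts can find
  # hosts with recent Defender hits (illustrative tag name).
  - action: add tag
    tag: defender-malware-hit
    ttl: 86400
```

The rules for event IDs 1013, 1015 and 1116 have the same shape; only the `value` under `EventID` and the report `name` change. Before relying on the rule, confirm the host actually emits these IDs to that channel (for example with `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=1006,1013,1015,1116}` in PowerShell) and that a WEL event from the sensor carries the channel and event ID at the paths used here; if the sensor reports `EventID` as a number rather than a string, drop the quotes.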