The Infocyte extension system is built on top of Lua 5.3, which provides an easy-to-deploy, cross-platform, and feature-rich library of built-in functions, including file system, string, I/O, and math operations (among others). Refer to the Lua Reference Manual for detailed documentation on usage, or click here for Lua tutorials. In addition to the Lua standard library, Infocyte exposes capabilities of its agent and endpoint collector ("Survey") that make interacting with host operating systems more powerful and convenient. This extended language is the real engine that powers the extension system. With these enhancements, extension authors can easily perform web requests, access the Windows registry, terminate running processes, and even add items to the existing result set retrieved by the platform's standard host collection routine. Examples also exist for calling other types of scripts, such as PowerShell, Python, or Bash, depending on the availability of the relevant interpreter on the host. There are currently two types of extensions supported: Collection and Response.
Collection extensions extend what is collected or inspected at scan time. This can be additional registry keys or files to be analyzed or YARA signatures to be used on the host side. Threat statuses can be flagged based on your logic and text fields are available for arbitrary data collection up to 3MB in size. For large evidence collection, we will have functions available to push data directly from the host to a user-provided AWS S3 Bucket, sFTP, or SMB share.
Response extensions cause direct changes to remote systems. These can be remediation actions like host isolation, malware killing, host hardening routines (like changing local logging configurations), or installing other third-party tools.
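As an added illustration (not code from Infocyte or its Extension-Docs repository), here is a minimal collection-style extension written against the Lua 5.3 standard library named above: it inspects a constructed list of file paths for a marker string, flags a threat status, and caps the collected text at the 3 MB field limit. The `hunt.status`, `hunt.log` and `hunt.summary` calls are assumed Infocyte helpers and are guarded so the script also runs under a plain Lua 5.3 interpreter.

```lua
-- Added example of a collection extension; hunt.* helpers are assumptions.
local MAX_TEXT_BYTES = 3 * 1024 * 1024  -- 3 MB cap on the text result field

-- Constructed inputs: paths to inspect and a plain-text marker to look for.
local candidate_paths = { "/tmp/example_note.txt", "/tmp/does_not_exist.txt" }
local marker = "EXAMPLE-MARKER"

-- Read a whole file; returns nil, err if it cannot be opened.
local function read_file(path)
  local fh, err = io.open(path, "rb")
  if not fh then return nil, err end
  local data = fh:read("a")
  fh:close()
  return data
end

-- Truncate collected text so it never exceeds the platform's field limit.
local function cap_text(text, limit)
  if #text <= limit then return text, false end
  return text:sub(1, limit), true
end

local findings, collected = {}, {}
for _, path in ipairs(candidate_paths) do
  local data, err = read_file(path)
  if not data then
    collected[#collected + 1] = path .. ": unreadable (" .. tostring(err) .. ")"
  elseif data:find(marker, 1, true) then  -- plain find, no pattern magic
    findings[#findings + 1] = path
    collected[#collected + 1] = path .. ": marker present, " .. #data .. " bytes"
  else
    collected[#collected + 1] = path .. ": clean"
  end
end

local text, truncated = cap_text(table.concat(collected, "\n"), MAX_TEXT_BYTES)
local summary = ("marker found in %d file(s)%s"):format(
  #findings, truncated and ", text truncated at 3 MB" or "")

-- Report back. Under Infocyte the assumed hunt.* helpers set the threat
-- status and store the text; outside the platform fall back to print().
if hunt then
  if #findings > 0 then hunt.status.suspicious() else hunt.status.good() end
  hunt.log(text)
  hunt.summary(summary)
else
  print(text)
  print((#findings > 0 and "suspicious: " or "good: ") .. summary)
end
```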
After logging into your Infocyte instance (with an administrator role) simply navigate to
Here you will see a list of extensions created by Infocyte.
- To enable the use of our extensions you must make sure you click the "Active" column to make the extension available for use (only available to Admins).
- After the extension is in the "Active" state it can be selected to run during your next scan whether it be scheduled, differential, or manual.
- Once an extension is placed into the "Selected Extensions" column it will execute during the scan.
Creating your own extension (only available to Admins):
1. Select the "Add Extension" option on the extensions page.
2. Here you will give your custom extension a name, type, severity, and short description. Next, you will fill out the script body with your Lua code.
Once an extension is created and activated, it can be chosen for execution during a scan of a target group.
If you would like a deeper dive into the subject, please visit our GitHub repository: Infocyte Extension-Docs