Loki - Simple IOC and Incident Response Scanner
Loki is a free and simple IOC (Indicators of Compromise) scanner, a complete rewrite of main analysis modules of the APT Scanner THOR.
Detection is based on four detection methods:- File Name IOC
- Yara Rule Check
- Hash check
- C2 Back Connect Check
Additional Checks:
- Regin filesystem check (via --reginfs)
- Process anomaly check (based on Sysforensics)
- SWF decompressed scan (new since version v0.8)
- SAM dump check
- DoublePulsar check - tries to detect DoublePulsar backdoor on port 445/tcp and 3389/tcp
- PE-Sieve process check
How-To Run LOKI and Analyse the Reports
Run:
Reports:
- Download the latest LOKI version
- Run it once to retrieve the latest signature base repository
- Provide the folder to a target system that should be scanned: removable media, network share, folder on target system
- Right-click on loki.exe and select "Run as Administrator" or open a command line "cmd.exe" as Administrator and run it from there (you can also run LOKI without administrative privileges but some checks will be disabled and relevant objects on disk will not be accessible)
Reports:
- The resulting report will show a GREEN, YELLOW or RED result line.
- Please analyze the findings yourself by:
- uploading non-confidential samples to Virustotal.com
- Search the web for the filename
- Search the web for keywords from the rule name (e.g. EQUATIONGroupMalware_1 > search for "Equation Group")
- Search the web for the MD5 hash of the sample
- Search in my customer APT search engine for file names or identifiers
- Please report back false positives via the Issues section (mention the false positive indicator like a hash and/or filename and the rule name that triggered)
Usage:
loki.exe [-h] [-p path] [-s kilobyte] [-l log-file] [-r remote-loghost]
[-a alert-level] [-w warning-level] [-n notice-level]
[--printAll] [--allreasons] [--noprocscan] [--nofilescan]
[--scriptanalysis] [--rootkit] [--noindicator] [--reginfs]
[--dontwait] [--intense] [--csv] [--onlyrelevant] [--nolog]
[--update] [--debug]
Loki - Simple IOC Scanner
optional arguments:
-h, --help show this help message and exit
-p path Path to scan
-s kilobyte Maximum file size to check in KB (default 5000 KB)
-l log-file Log file
-r remote-loghost Remote syslog system
-a alert-level Alert score
-w warning-level Warning score
-n notice-level Notice score
--printAll Print all files that are scanned
--allreasons Print all reasons that caused the score
--noprocscan Skip the process scan
--nofilescan Skip the file scan
--scriptanalysis Activate script analysis (beta)
--rootkit Skip the rootkit check
--noindicator Do not show a progress indicator
--reginfs Do check for Regin virtual file system
--dontwait Do not wait on exit
--intense Intense scan mode (also scan unknown file types and all
extensions)
--csv Write CSV log format to STDOUT (machine prcoessing)
--onlyrelevant Only print warnings or alerts
--nolog Don't write a local log file
--update Update the signatures from the "signature-base" sub
repository
--debug Debug output
Update:
LOKI includes a separate updater tool named loki-upgrader.exe or loki-upgrader.py.usage: loki-upgrader.py [-h] [-l log-file] [--sigsonly] [--progonly] [--nolog]
[--debug]
Loki - Upgrader
optional arguments:
-h, --help show this help message and exit
-l log-file Log file
--sigsonly Update the signatures only
--progonly Update the program files only
--nolog Don't write a local log file
--debug Debug output It allows you to update the compiled loki.exe for Windows and the signature-based sources.
When running loki.exe --update it will create a new upgrader process and exits LOKI in order to replace the loki.exe with the newer one, which would be locked otherwise.
Source: www.effecthacking.com
Loki - Simple IOC and Incident Response Scanner
Reviewed by Anonymous
on
1:04 AM
Rating:
Reviewed by Anonymous
on
1:04 AM
Rating:
