LOKI - SCANNER FOR SIMPLE INDICATORS OF COMPROMISE
Simple IOC Scanner
Detection is based on four detection methods:
1. File Name IOC
Regex match on full file path/name
2. Yara Rule Check
Yara signature match on file data and process memory
3. Hash check
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
The Windows binary is compiled with PyInstaller 2.1 and should run as x86 application on both x86 and x64 based systems.Run
- Download the program archive via the button "Download ZIP" on the right sidebar
- Unpack LOKI locally
- Provide the folder to a target system that should be scanned: removable media, network share, folder on target system
- Right-click on loki.exe and select "Run as Administrator" or open a command line "cmd.exe" as Administrator and run it from there (you can also run LOKI without administrative privileges but some checks will be disabled and relevant objects on disk will not be accessible)
Reports
- The resulting report will show a GREEN, YELLOW or RED result line.
- Please analyse the findings yourself by:
- uploading non-confidential samples to Virustotal.com
- Search the web for the filename
- Search the web for keywords from the rule name (e.g. EQUATIONGroupMalware_1 > search for "Equation Group")
- Search the web for the MD5 hash of the sample
- Please report back false positives via the "Issues" section, which is accessible via the right sidebar (mention the false positive indicator like a hash and/or filename and the rule name that triggered)
Usage
usage: loki.exe [-h] [-p path] [-s kilobyte] [--printAll] [--noprocscan]
[--nofilescan] [--noindicator] [--debug]
Loki - Simple IOC Scanner
optional arguments:
-h, --help show this help message and exit
-p path Path to scan
-s kilobyte Maximum file site to check in KB (default 2000 KB)
--printAll Print all files that are scanned
--noprocscan Skip the process scan
--nofilescan Skip the file scan
--noindicator Do not show a progress indicator
--debug Debug output
Aucun commentaire:
Enregistrer un commentaire