• Stars
    star
    3,321
  • Rank 13,500 (Top 0.3 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created almost 10 years ago
  • Updated 9 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Loki - Simple IOC and YARA Scanner

Inactively Maintained

Important Note

This project is only inactively maintained. This means that I merge pull request for bug fixes and issues that can be easily integrated but I don't have the time to add new features or extend existing ones. For years, I've been working on a much more sohpisticated scanner called THOR. There is a free version of THOR Lite available. THOR Lite is faster, more stable, tested in our CI environments and simply the better solution. You can find a comparison of the open source, free and commercial scanner here. I've also started working on a Rust-based version of LOKI called LOKI 2 but I have no idea when it's in a state that reflects the current feature set of LOKI. A while ago I made a flow chart to help you with the decision which scanner to use.

Logo

Loki - Simple IOC and YARA Scanner

Scanner for Simple Indicators of Compromise

Detection is based on four detection methods:

1. File Name IOC
   Regex match on full file path/name

2. Yara Rule Check
   Yara signature match on file data and process memory

3. Hash Check
   Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
   
4. C2 Back Connect Check
   Compares process connection endpoints with C2 IOCs (new since version v.10)

Additional Checks:

1. Regin filesystem check (via --reginfs)
2. Process anomaly check (based on [Sysforensics](http://goo.gl/P99QZQ)
3. SWF decompressed scan (new since version v0.8)
4. SAM dump check

The Windows binary is compiled with PyInstaller and should run as x86 application on both x86 and x64 based systems.

How-To Run LOKI and Analyse the Reports

Run

  • Download the newest version of LOKI from the releases section
  • Extract the program package
  • Run loki-upgrader.exe on system with Internet access to retrieve the newest signatures
  • Bring the program folder to a target system that should be scanned: removable media, network share, folder on target system
  • Open a command line "cmd.exe" as Administrator and run it from there (you can also run LOKI without administrative privileges but some checks will be disabled and relevant objects on disk will not be accessible)

Reports

  • The resulting report will show a GREEN, YELLOW or RED result line.
  • Please analyse the findings yourself by:
    1. uploading non-confidential samples to Virustotal.com
    2. Search the web for the filename
    3. Search the web for keywords from the rule name (e.g. EQUATIONGroupMalware_1 > search for "Equation Group")
    4. Search the web for the MD5 hash of the sample
  • Please report back false positives via the "Issues" section, which is accessible via the right sidebar (mention the false positive indicator like a hash and/or filename and the rule name that triggered)

Requirements

No requirements if you use the compiled EXE.

If you want to build it yourself:

Usage

usage: loki.py [-h] [-p path] [-s kilobyte] [-l log-file] [-r remote-loghost]
               [-t remote-syslog-port] [-a alert-level] [-w warning-level]
               [-n notice-level] [--allhds] [--alldrives] [--printall]
               [--allreasons] [--noprocscan] [--nofilescan] [--vulnchecks]
               [--nolevcheck] [--scriptanalysis] [--rootkit] [--noindicator]
               [--dontwait] [--intense] [--csv] [--onlyrelevant] [--nolog]
               [--update] [--debug] [--maxworkingset MAXWORKINGSET]
               [--syslogtcp] [--logfolder log-folder] [--nopesieve]
               [--pesieveshellc] [--nolisten]
               [--excludeprocess EXCLUDEPROCESS] [--force]

Loki - Simple IOC Scanner

optional arguments:
  -h, --help            show this help message and exit
  -p path               Path to scan
  -s kilobyte           Maximum file size to check in KB (default 5000 KB)
  -l log-file           Log file
  -r remote-loghost     Remote syslog system
  -t remote-syslog-port
                        Remote syslog port
  -a alert-level        Alert score
  -w warning-level      Warning score
  -n notice-level       Notice score
  --allhds              Scan all local hard drives (Windows only)
  --alldrives           Scan all drives (including network drives and
                        removable media)
  --printall            Print all files that are scanned
  --allreasons          Print all reasons that caused the score
  --noprocscan          Skip the process scan
  --nofilescan          Skip the file scan
  --vulnchecks          Run the vulnerability checks
  --nolevcheck          Skip the Levenshtein distance check
  --scriptanalysis      Statistical analysis for scripts to detect obfuscated
                        code (beta)
  --rootkit             Skip the rootkit check
  --noindicator         Do not show a progress indicator
  --dontwait            Do not wait on exit
  --intense             Intense scan mode (also scan unknown file types and
                        all extensions)
  --csv                 Write CSV log format to STDOUT (machine processing)
  --onlyrelevant        Only print warnings or alerts
  --nolog               Don't write a local log file
  --update              Update the signatures from the "signature-base" sub
                        repository
  --debug               Debug output
  --maxworkingset MAXWORKINGSET
                        Maximum working set size of processes to scan (in MB,
                        default 100 MB)
  --syslogtcp           Use TCP instead of UDP for syslog logging
  --logfolder log-folder
                        Folder to use for logging when log file is not
                        specified
  --nopesieve           Do not perform pe-sieve scans
  --pesieveshellc       Perform pe-sieve shellcode scan
  --nolisten            Dot not show listening connections
  --excludeprocess EXCLUDEPROCESS
                        Specify an executable name to exclude from scans, can
                        be used multiple times
  --force               Force the scan on a certain folder (even if excluded
                        with hard exclude in LOKI's code

Signature and IOCs

Since version 0.15 the Yara signatures reside in the sub-repository signature-base. You will not get the sub-repository by downloading the LOKI as ZIP file. It will be included when you clone the repository.

The IOC files for hashes and filenames are stored in the './signature-base/iocs' folder. All '.yar' files placed in the './signature-base/yara' folder will be initialized together with the rule set that is already included. Use the 'score' value to define the level of the message upon a signature match.

You can add hash, c2 and filename IOCs by adding files to the './signature-base/iocs' subfolder. All hash IOCs and filename IOC files must be in the format used by LOKI (see the default files). The files must have the strings "hash", "filename" or "c2" in their name to get pulled during initialization.

For Hash IOCs (divided by newline; hash type is detected automatically)

Hash;Description [Reference]

For Filename IOCs (divided by newline)

# (optional) Description [Reference]
Filename as Regex[;Score as integer[;False-positive as Regex]]

User-Defined Scan Excludes

Since version v0.16.2 LOKI supports the definition of user-defined excludes via "excludes.cfg" in the new "./config" folder. Each line represents a regular expression that gets applied to the full file path during the directory walk. This way you can exclude certain directories regardless of their drive name, file extensions in certain folders and all files and directories that belong to a product that is sensitive to antivirus scanning.

The '''exclude.cfg''' looks like this:

# Excluded directories
#
# - add directories you want to exclude from the scan
# - double escape back slashes
# - values are case-insensitive
# - remember to use back slashes on Windows and slashes on Linux / Unix / OSX
# - each line contains a regex that matches somewhere in the full path (case insensitive)
#   e.g.:
#   Regex: \\System32\\
#   Matches C:\Windows\System32\cmd.exe
#
#   Regex: /var/log/[^/]+\.log
#   Matches: /var/log/test.log
#   Not Matches: /var/log/test.gz
#

# Useful examples
\\Ntfrs\\
\\Ntds\\
\\EDB[^\.]+\.log
Sysvol\\Staging\\Nntfrs_cmp
\\System Volume Information\\DFSR

Screenshots

Loki Scan

Screen

Regin Matches

Screen

Regin False Positives

Screen

Hash based IOCs

Screen

File Name based IOCs

Screen

Generated log file

Screen

Contact

LOKI scanner on our company homepage https://www.nextron-systems.com/loki/

Twitter @cyb3rOps @thor_scanner

If you are interested in a corporate solution for APT scanning, check out Loki's big brother THOR.

Compile the Scanner

Download PyInstaller, switch to the pyinstaller program directory and execute:

python ./pyinstaller.py -F C:\path\to\loki.py

This will create a loki.exe in the subfolder ./loki/dist.

Pro Tip (optional)

To include the msvcr100.dll to improve the target os compatibility change the line in the file ./loki/loki.spec that contains a.binaries, to the following:

a.binaries + [('msvcr100.dll', 'C:\Windows\System32\msvcr100.dll', 'BINARY')],

Use LOKI on Mac OS X (Or later) or Linux

  • Install libraries sudo pip install colorama yara-python psutil rfc5424-logging-handler netaddr
  • Run loki-upgrader.py sudo python loki-upgrader.py
  • Run loki sudo python loki.py

Yara sources

Download Yara sources from here

Antivirus - False Positives

The compiled scanner may be detected by antivirus engines. This is caused by the fact that the scanner is a compiled python script that implement some file system and process scanning features that are also used in compiled malware code.

If you don't trust the compiled executable, please compile it yourself.

License

Loki - Simple IOC Scanner Copyright (c) 2015 Florian Roth

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/

More Repositories

1

signature-base

YARA signature and IOC database for my scanners and tools
YARA
2,426
star
2

yarGen

yarGen is a generator for YARA rules
Python
1,518
star
3

auditd

Best Practice Auditd Configuration
1,448
star
4

Raccine

A Simple Ransomware Vaccine
C++
945
star
5

munin

Online hash checker for Virustotal and other services
Python
809
star
6

log4shell-detector

Detector for Log4Shell exploitation attempts
Python
729
star
7

Fenrir

Simple Bash IOC Scanner
Shell
680
star
8

yarAnalyzer

Yara Rule Analyzer and Statistics
Python
356
star
9

vti-dorks

Awesome VirusTotal Intelligence Search Queries
325
star
10

Fnord

Pattern Extractor for Obfuscated Code
Shell
295
star
11

BlueLedger

A list of my personal projects
166
star
12

DLLRunner

Smart DLL execution for malware analysis in sandbox systems
Python
141
star
13

god-mode-rules

God Mode Detection Rules
YARA
129
star
14

YARA-Performance-Guidelines

A guide on how to write fast and memory friendly YARA rules
122
star
15

evt2sigma

Log Entry to Sigma Rule Converter
Python
104
star
16

yaraQA

YARA rule analyzer to improve rule quality and performance
Python
93
star
17

Cyber-Search-Shortcuts

Browser Shortcuts for Cyber Security Related Online Services
78
star
18

exotron

Sandbox feature upgrade with the help of wrapped samples
Python
75
star
19

Loki2

LOKI2 - Simple IOC and YARA Scanner
Rust
73
star
20

ImpHash-Generator

PE Import Hash Generator
Python
72
star
21

Rewind

Immediate Virus Infection Counter Measures
C#
62
star
22

radiocarbon

Leak File Analyzer
Python
62
star
23

tiny-shells

All kinds of tiny shells
59
star
24

panopticon

A YARA Rule Performance Measurement Tool
YARA
58
star
25

LOLSecIssues

Cybersecurity's lighter side: a collection of the most amusing misunderstandings and missteps from newcomers to offensive security tools. A repository where naiveté in infosec is met with humor.
57
star
26

ti-falsepositives

A collection of typical false positive indicators
Python
54
star
27

webshell-intel

Scan web server for known webshell names and responses
50
star
28

xorex

XOR Key Extractor
Python
48
star
29

Talks

Slides of my public talks
46
star
30

cyber-chef-recipes

Recipes for GCHQ's CyberChef Web App
35
star
31

sysmon-version-history

An Inofficial Sysmon Version History (Change Log)
32
star
32

littlesnitch-log-exporter

LittleSnitch Log Statistics Exporter
Python
32
star
33

YARA-Style-Guide

A specification and style guide for YARA rules
32
star
34

SkeletonKeyScanner

Scanner for the SkeletonKey Malware
Python
30
star
35

ThreatResearch-Reporting-Guide

Offensive Research Guide to Help Defense Improve Detection
29
star
36

prisma

Command Line STDOUT Colorer
Python
29
star
37

ReginScanner

Scanner for Regin Virtual Filesystems
Python
26
star
38

space-id

Invisible Watermarks with Space Characters in ASCII Files
Python
22
star
39

neolog

Windows Syslog Command Line Client
15
star
40

narsil

Spy Agency Teasing
Python
14
star
41

yara-uuid-generator

A tool that adds reproducible UUIDs to YARA rules
Python
13
star
42

WPWatcher

Wordpress Watcher is a wrapper for WPScan that manages scans on multiple sites and reports by email
Python
11
star
43

defensive-project-ideas

Ideas for projects for defensive research or blue teaming
10
star
44

agile-hacking

Collection of hacks that make use of the least available on victim systems
Visual Basic
8
star
45

CredsSpreader

A tool to spread canary credentials in your organisation
8
star
46

language-thor

Syntax Theme for THOR APT Scanner log files
5
star
47

yara-type-selectors

YARA rules to certain types of files without using YARA modules to avoid the performance impact
YARA
5
star
48

PassTweaker

Tweaks password files to match modern password requirements
Python
5
star
49

speedy

(Demo) - Only used to demonstrate a memory leak caused by Golang regexp
Go
4
star
50

loki-cloud

A flexible and lightweight way to execute LOKI on end systems
3
star
51

imphash-go

Imphash Generator
1
star