Loki

• Performance improved hash search provided by @2d4d in https://github.com/Neo23x0/Loki/pull/153

• Upgraded PE-Sieve and PE-Sieve event handling by @hasherezade

• Skip incompatible rules from ReversingLabs (blocklist.yara with YARA 4 syntax)
• Support for new C2 IOC file format

• Fixes problems with upgrader since ReversingLabs decided to rename the master branch

• Integration of YARA rules provided by Reversing Labs
• PE-Sieve upgrade to version 0.2.7.1

• Upgrade to PE-Sieve 0.2.7
• Fixed some bugs and false positives

• Upgraded PE Sieve to v0.2.6.1
• Changed hooked to patched to comply with ne PESieve JSON output field

• Upgrade PE-Sieve to v0.2.5

• PESieve update to v0.2.4

• fix: fixing handle access error in PE-Sieve scan

• fix: prebuilt loki.exe binary in 0.30.2 release was built from source code of 0.30.1 (still had shellcode detection as default)

• Making PE-Sieve shellcode search optional #134

(pre-build binary was still 0.30.1)

fix: issue with PyInstaller including pyconfig.h

WARNING: file already exists but should not: C:\Users\...\AppData\Local\Temp\_MEI31642\include\pyconfig.h

Changes due to pull requests by @s3c

• Added --syslogtcp, allowing TCP syslog servers, was easier with our Splunk setup
• Included pywin32, setuptools==19.2, and rfc5424-logging-handler in pip command, latter to enable rfc5424 compatible syslog logging
• Fixed exception handler for #51 (not sure why this triggered for me since there is a check before this func is called in init, might be because subfolder didn't exist for some reason)
• Added date and time to default filename
• Added ability to specify log directory independant of filename, which is useful for automation that pushes logs to a fileshare (the new default filename which contains the hostname and time is used)
• Added OS path conversion for portability, needed for parsing data within SOAR platform as well as running loki from a webdav share (so we don't have to store any files on the host)
• Enabled pe-sieve shellcode search, nice extra check
• Added some argument sanity checking
• Added rfc5424logging compatible syslog logging (splunk parsing with linux_messages_syslog)
• Made minor changes to logging output to allow Splunk to easily parse syslog messages (just removed a colon)
• Renamed command line flag --printAll to lowercase, to match format of others
• Updated build script for python x64 compatibility
• Added process name whitelist, and switch to disable pesieve, since some EDR solutions get really upset when you touch them
• Added switch to ignore network comms checks

Change by me

• Upgrade to PE-Sieve version 0.2.2

• Upgraded PE-Sieve version from 0.1.6 to 0.1.7

• Upgraded PE-Sieve version from 1.4.3 to 1.6.0

• Feature: New Plugin Framework provided by @DidierStevens
• Bugfix: Generic method to avoid unicode decode errors

• Upgraded PE-Sieve to v0.1.4.3

• Minor bugfix: handle cases in which PESieve didn't produce JSON output (some error)

• Don't show every rule during startup but only a count (use --debug to see them)
• LOKI upgrader allows a signature clean-up to handle errors caused by old (most likely renamed) rules (--clean)
• Bugfix: Exclude LOKI's processes from checks
• Bugfix: Error fix in loki-upgrader (cannot create output directory)