• Bugfix: Removed demo code

• Using the new JSON output of PE-Sieve by @hasherezade

• Added support for PESieve's "implanted" process detection

• Upgrade to PESieve v0.0.9.9.9

• Bugfix in process memory scan (thx to Didier)

• Log format of TEXT and SYSLOG output changed and now includes the reporting module
• Bugfix: Don't run PESieve on Windows XP

Log Format Changes

From:

LOKI: [Level]: [Message]

To:

LOKI: [Level]: MODULE: [Module] MESSAGE: [Message]

Splunk App & Add-on

The changes to the log format allow you to use the THOR Splunk App and Addon for your LOKI log file analysis

THOR App https://splunkbase.splunk.com/app/3717/
THOR Addon https://splunkbase.splunk.com/app/3718/

Make sure to:

1. Select the sourcetype "thor" for your inputs

2. Set the index to be "searched by default" if you create a new index

IMPORTANT: I will not support every dashboard but the App helps to you search and filter the LOKI results based on fields. The most important dashboard named "Universal Dashboard" should work. If you want to fix or improve other dashboard views, please send me your improvements. All this work (LOKI, the signatures and the Apps) are offered for free and most of the work is done in my spare time on weekends. Please consider this before reporting bugs in the dashboards that could be fixed in 2 minutes of your own time. If you want Enterprise grade tools and support, please visit our website and ask for a trial https://www.nextron-systems.com of such tools.

• Bugfix: Removed legacy code for old filename IOC format that caused problems with newest filename IOC format (many false positives with negative score values in "description" and a score of "60")

• New hash IOC whitelist
• Better hostname evaluation on Linux / OSX
• Code refactoring
• Better messages

• PE-Sieve integration - for more info see @hasherezade's tool page and blog post on process anomalies

• Support for encrypted private YARA rules (only available in custom build)
• Build with PyInstaller 3.3
• Build scripts and specs
• Bugfix: Python3 support refactoring broke a loki-upgrader.py section

• Various bugfixes
• Python3 compatibility

• Disabled IceWater YARA rule download until yara-python supports hash.md5() again (feature is missing in yara-python-3.6.3)

• Upgraded YARA from 3.5.0 to 3.6.2

The upgrade provides full support for PE module features used in LOKI's 'signature-base'.

Issues: with "pe.imphash"

• Integration of IceWater's public YARA signatures to improve the coverage of common malware families
• Showing 'references' in YARA rule matches

• Bugfix: Unicode filename passed to YARA matching as external variable

• Bugfix in filename parameter that is used in YARA matching

• Bugfix: Removed predefined string excludes

• Feature: Remote syslog logging feature (-r syslogserver)
• Feature: Statistical script analysis to detect obfuscated code (--scriptanalysis)
• Change: Reduced 'Warning' level score from 70 to 60

Send LOKI's logs to a remote syslog server (e.g. Splunk)

Script analysis (first POC; optional)

• Making Double Pulsar rootkit check optional (--rootkit) due to issue with Symantec Endpoint Protection

• Platform dependant line separator in log files (\r\n on Windows, \n on other platforms)
• System name in default log file (e.g. loki-WORKSTATION1.log)
• Bugfix: unicode characters in OSError messages during directory walk