Loki - Simple IOC and YARA Scanner
GPL-3.0 License
Published by Neo23x0 over 7 years ago
loki-upgrader.exe (loki-upgrader.py), which allows upgrading the loki.exe program executable.
The upgrader allows upgrading both program and signature files. The --update parameter in previous versions only updated the signature-base subdirectory. The upgrader is provided as a separate script/program so that file locks on Windows systems do not interfere with upgrading the loki.exe program executable.
You can use the upgrader separately or start LOKI with the --update parameter. Using the --update parameter will spawn a new loki-upgrader process and exit the loki process in order to update the program files.
usage: loki-upgrader.py [-h] [-l log-file] [--sigsonly] [--progonly] [--nolog] [--debug]
Loki - Upgrader
optional arguments:
-h, --help show this help message and exit
-l log-file Log file
--sigsonly Update the signatures only
--progonly Update the program files only
--nolog Don't write a local log file
--debug Debug output
The new format extends the existing format by a third column that allows including a regular expression to filter the matches.
This makes it possible to define signatures for suspicious file locations, e.g.:
Regex;Score;False Positive Regex
\\ncat\.exe;70;\\(bin|sbin)\\ncat\.exe
(?i)\\MsMpEng\.exe;60;(?i)\\(Microsoft Security Client|Windows Defender|AntiMalware)
The first signature matches on ncat.exe files that are NOT located in bin or sbin folders. The second one matches on all MsMpEng.exe executables found outside the three folders defined in the false positive expression.
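The following is an added example (not LOKI's own code) of how the three-column format described above can be evaluated: a match of the first-column regex adds the score unless the third-column false positive regex also matches the path. It assumes the columns are separated by ';', that regexes are applied with a search over the full path, and that a two-column line is a legacy signature without a filter; a `legacy` flag mimics the pre-0.21.0 behaviour of ignoring the third column. The signature text and paths are constructed sample input.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in the third-generation format: Regex;Score;False Positive Regex.
# The last line is a two-column (legacy) signature without a filter column.
SAMPLE_SIGNATURES = r"""
# comment lines and blank lines are skipped
\\ncat\.exe;70;\\(bin|sbin)\\ncat\.exe
(?i)\\MsMpEng\.exe;60;(?i)\\(Microsoft Security Client|Windows Defender|AntiMalware)
\\mimikatz\.exe;80
"""


class FilenameSignature(NamedTuple):
    regex: re.Pattern
    score: int
    fp_regex: Optional[re.Pattern]  # None for two-column (legacy) lines


def parse_signatures(text: str) -> List[FilenameSignature]:
    """Parse signature lines; assumption: ';' separates columns, third column optional."""
    sigs: List[FilenameSignature] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=2 keeps any ';' inside the false positive regex intact
        parts = line.split(";", 2)
        if len(parts) < 2:
            raise ValueError(f"malformed signature line: {line!r}")
        regex = re.compile(parts[0])
        score = int(parts[1])
        fp_regex = re.compile(parts[2]) if len(parts) == 3 and parts[2] else None
        sigs.append(FilenameSignature(regex, score, fp_regex))
    return sigs


def scan_path(path: str, sigs: List[FilenameSignature],
              legacy: bool = False) -> Tuple[int, List[str]]:
    """Return (total score, matched regex patterns) for one file path.

    legacy=True reproduces a pre-0.21.0 scanner: the false positive column is
    ignored, so paths in the whitelisted folders still score.
    """
    total = 0
    hits: List[str] = []
    for sig in sigs:
        if not sig.regex.search(path):
            continue
        if not legacy and sig.fp_regex is not None and sig.fp_regex.search(path):
            continue  # suppressed by the false positive filter
        total += sig.score
        hits.append(sig.regex.pattern)
    return total, hits


if __name__ == "__main__":
    signatures = parse_signatures(SAMPLE_SIGNATURES)
    for p in (r"C:\Windows\Temp\ncat.exe",
              r"C:\Tools\bin\ncat.exe",
              r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
              r"C:\Users\Public\msmpeng.exe"):
        print(p, scan_path(p, signatures), "legacy:", scan_path(p, signatures, legacy=True))
```

Running the block prints, for each constructed path, the score under the new semantics beside the score a pre-0.21.0 scanner would assign; the whitelisted bin\ncat.exe and Windows Defender\...\MsMpEng.exe paths score 0 only when the third column is honoured, which is the upgrade problem the release note describes.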
This is a great method to detect anomalies such as legitimate and signed program executables used in DLL side-loading, or legitimate system file names in uncommon folders. Check @mbevilacqua's post on threat hunting and his AppCompatProcessor repo for interesting ideas on suspicious executable file locations.
The problem with the 3rd generation file name signatures is that LOKI versions older than v0.21.0 will process the first two columns only and ignore the regular expression filter in the 3rd column. I therefore withhold some new signature updates for 'signature-base' in order to give everyone time to upgrade the LOKI version that they are using. I'll also include a notice for the new signatures that recommends upgrading the pre-0.21.0 versions of LOKI.
[INFO] Retrieving signature database from git repo https://github.com/Neo23x0/signature-base
[INFO] Downloading https://github.com/Neo23x0/signature-base/archive/master.zip ...
[INFO] New signature file: apt_servantshell.yar
[INFO] Update successful
Published by Neo23x0 almost 8 years ago
Bugfix Release
Published by Neo23x0 almost 8 years ago
New 0.18.1
From 0.18.0
Published by Neo23x0 about 8 years ago
Published by Neo23x0 over 8 years ago
DISCLAIMER
Use at your own risk in production environments!
There are some files and directories that should not be read by scanners like LOKI. Those folders and files receive special treatment in THOR, but they are not automatically excluded or skipped by LOKI.
Please see the following links for more details:
Windows
https://support.microsoft.com/en-us/kb/822158
Citrix
https://www.citrix.com/blogs/2013/09/22/citrix-consolidated-list-of-antivirus-exclusions/
Other 3rd party products
https://esupport.trendmicro.com/solution/en-US/1059795.aspx