Loki v0.28.2 – Simple IOC and Incident Response Scanner


Loki is a scanner for simple Indicators of Compromise. Detection is currently based on four methods:

  1. File Name IOC – Regex match on full file path/name
  2. Yara Rule Check – Yara signature match on file data and process memory
  3. Hash check – Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
  4. C2 Back Connect Check – Compares process connection endpoints with C2 IOCs (new since version v.10)
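As an added illustration (not Loki's own code), the following Python sketch implements the first and third detection methods listed above, a regex match on the full file path and a comparison of MD5/SHA1/SHA256 digests against a hash list, and runs them over a constructed directory tree; the IOC patterns, hashes and file names are made-up test values.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample IOCs (made up for this example, not Loki's signature sets).
FILENAME_IOCS = [
    r"/\.hidden/[a-z]{6}\.bin$",   # hypothetical: random 6-letter .bin in a hidden dir
]
HASH_IOCS = {
    hashlib.sha256(b"EVIL-SAMPLE").hexdigest(): "constructed test sample",
}


def hash_file(path, chunk_size=65536):
    """Return (md5, sha1, sha256) hex digests, reading the file in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def scan_path(root, filename_iocs, hash_iocs):
    """Walk root; return (kind, full_path, detail) for every IOC match."""
    patterns = [re.compile(p, re.IGNORECASE) for p in filename_iocs]
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            for pat in patterns:                 # method 1: path/name regex
                if pat.search(full):
                    findings.append(("filename", full, pat.pattern))
            for digest in hash_file(full):       # method 3: hash comparison
                if digest in hash_iocs:
                    findings.append(("hash", full, hash_iocs[digest]))
    return findings


def demo():
    """Build a constructed tree, scan it, return sorted (kind, basename) pairs."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".hidden"))
    with open(os.path.join(root, ".hidden", "abcdef.bin"), "wb") as f:
        f.write(b"benign content")   # hits the filename IOC only
    with open(os.path.join(root, "report.pdf"), "wb") as f:
        f.write(b"EVIL-SAMPLE")      # hits the hash IOC only
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"nothing to see")   # clean
    return sorted((k, os.path.basename(p)) for k, p, _ in scan_path(root, FILENAME_IOCS, HASH_IOCS))
```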

Additional Checks:

  1. Regin filesystem check (via --reginfs)
  2. Process anomaly check (based on Sysforensics)
  3. SWF decompressed scan (new since version v0.8)
  4. SAM dump check
  5. DoublePulsar check – tries to detect DoublePulsar backdoor on port 445/tcp and 3389/tcp
  6. PE-Sieve process check

The Windows binary is compiled with PyInstaller 2.1 and should run as an x86 application on both x86 and x64 based systems. You can read more about the tool and download it here: https://github.com/Neo23x0/
