Scanning for Indications of Compromise with Loki

This post is about Loki which is a scanner to detect indications of compromise.

It has four base scanning methods:

1. File Name IOC Regex match on full file path/name

2. Yara Rule Check Yara signature match on file data and process memory

3. Hash Check Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files

4. C2 Back Connect Check Compares process connection endpoints with C2 IOCs (new since version v.10)

Installation

• You can get compiled binaries here: https://github.com/Neo23x0/Loki/releases
• Linux and OS X: https://github.com/Neo23x0/Loki#use-loki-on-mac-os-x-or-later-or-linux

Rest of my examples are from a Windows installation, but the basics are same in Linux and OS X. When you have Loki set up, run its upgrader package to update IoC files:

loki-upgrader.exe

Signature files are downloaded from here: https://github.com/Neo23x0/signature-base

Scanning

You can do a basic scan by simply running the loki.exe from Command Prompt. Usually you would want to run it with administrative privileges. The program will run without those, but it will certainly miss a lot if you are scanning the whole system or the user don’t have access to specific files you’d like to scan.

There are bunch of options to fine tune your scans if you check loki.exe --help.

options:
  -h, --help            show this help message and exit
  -p path               Path to scan
  -s kilobyte           Maximum file size to check in KB (default 5000 KB)
  -l log-file           Log file
  -r remote-loghost     Remote syslog system
  -t remote-syslog-port
                        Remote syslog port
  -a alert-level        Alert score
  -w warning-level      Warning score
  -n notice-level       Notice score
  --allhds              Scan all local hard drives (Windows only)
  --alldrives           Scan all drives (including network drives and removable media)
  --printall            Print all files that are scanned
  --allreasons          Print all reasons that caused the score
  --noprocscan          Skip the process scan
  --nofilescan          Skip the file scan
  --vulnchecks          Run the vulnerability checks
  --nolevcheck          Skip the Levenshtein distance check
  --scriptanalysis      Statistical analysis for scripts to detect obfuscated code (beta)
  --rootkit             Skip the rootkit check
  --noindicator         Do not show a progress indicator
  --dontwait            Do not wait on exit
  --intense             Intense scan mode (also scan unknown file types and all extensions)
  --csv                 Write CSV log format to STDOUT (machine processing)
  --onlyrelevant        Only print warnings or alerts
  --nolog               Don't write a local log file
  --update              Update the signatures from the "signature-base" sub repository
  --debug               Debug output
  --maxworkingset MAXWORKINGSET
                        Maximum working set size of processes to scan (in MB, default 100 MB)
  --syslogtcp           Use TCP instead of UDP for syslog logging
  --logfolder log-folder
                        Folder to use for logging when log file is not specified
  --nopesieve           Do not perform pe-sieve scans
  --pesieveshellc       Perform pe-sieve shellcode scan
  --python PYTHON       Override default python path
  --nolisten            Dot not show listening connections
  --excludeprocess EXCLUDEPROCESS
                        Specify an executable name to exclude from scans, can be used multiple times
  --force               Force the scan on a certain folder (even if excluded with hard exclude in LOKI's code
  --version             Shows welcome text and version of loki, then exit

Exclude directories and files

Modify config\excludes.cfg to exclude paths in scans. The file has instructions in its comments for the correct syntax.

Reporting

By default Loki prints it output to STDOUT and writes log file with filename pattern loki_<hostname>_date.

The output is quite verbose by default. There are messages with levels NOTICE (blue), INFO (green), WARNING (orange) and ALERT (red). Specify --onlyrelevant if you want to supress verbosity. With this option Loki will print only warnings and alerts.

With option --csv you will only get CSV formatted output. This can be really useful in running automated scans as part of some pipeline.

There’s also an option to send messages to remote syslog server.

loki.exe -r 127.0.0.1 -t 5140 --onlyrelevant

This will send “relevant” events to localhost:5140 using UDP. Set --syslogtcp if you want to use TCP instead of UDP.

Static scan

One interesting use case could be “static” scan in a disposable OS installation where you just want to scan some external material (e.g. from USB drive) without otherwise focusing on the running system. Think it like having a seperate AV scanning machine. Something like the command below could be quite good for this. It disables process scan and rootkin check and just scans the specified path like D:\ in the example.

loki.exe --noprocscan --rootkit --intense --onlyrelevant -p D:\

Example alerts

Here are some examples from alerts.