Simple Indicators of Compromise and Incident Response Scanner
Loki Scanner
A simple IOC (Indicator of Compromise) scanner for detecting APTs and other threats.
Features
- Loki Scan: Identifies potential threats using a combination of regex patterns and Yara rules.
- Regin Matches: Detects Regin malware variants based on specific characteristics.
- Regin False Positives: Reduces false positives by analyzing system information and process details.
- Hash-based IOCs: Scans for known malicious hashes in files and registry entries.
- File Name-based IOCs: Identifies suspicious file names and extensions.
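As an added example (not Loki's own code), a minimal Python version of the hash-based and file-name-based checks listed above; every IOC value in it is a constructed placeholder, not a real indicator:

```python
"""Minimal hash- and file-name IOC matcher in the style of Loki's checks.
Added example, not the project's code; all IOC values are constructed."""
import hashlib
import os
import re

# Constructed hash IOCs (NOT real indicators): lowercase hex digest -> description.
HASH_IOCS = {
    hashlib.sha256(b"constructed-sample-payload").hexdigest(): "Sample.Dropper (constructed)",
    hashlib.md5(b"another-constructed-sample").hexdigest(): "Sample.Tool (constructed)",
}

# Constructed file-name IOCs: regexes matched against the full path.
# Both path separators are accepted so one rule works on Windows and Linux.
FILENAME_IOCS = [
    (re.compile(r"[\\/]Windows[\\/]Temp[\\/][a-z]{4}\d{2}\.exe$", re.I), "Suspicious temp dropper name (constructed)"),
    (re.compile(r"/tmp/\.[^/]+\.sh$"), "Hidden shell script in /tmp (constructed)"),
]

def file_hashes(data: bytes) -> dict:
    """md5, sha1 and sha256 of the content, so one IOC list can mix algorithms."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def check_file(path: str, data: bytes) -> list:
    """Return (path, reason) tuples for every hash or file-name IOC that matches."""
    matches = []
    for algo, digest in file_hashes(data).items():
        if digest in HASH_IOCS:
            matches.append((path, f"hash-ioc[{algo}]: {HASH_IOCS[digest]}"))
    for pattern, desc in FILENAME_IOCS:
        if pattern.search(path):
            matches.append((path, f"filename-ioc: {desc}"))
    return matches

def scan_tree(root: str, max_size: int = 5_000_000) -> list:
    """Walk a directory; skip oversized or unreadable files instead of aborting."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    hits.extend(check_file(path, fh.read()))
            except OSError:
                continue  # locked or vanished file: skip it, keep scanning
    return hits
```

Each hit is reported with the algorithm or pattern that fired, which is what an analyst needs to judge a false positive.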
Compile the Scanner
- Download PyInstaller and execute:
  python ./pyinstaller.py -F C:\path\to\loki.py
- This will create a loki.exe in the subfolder ./loki/dist
Pro Tip (optional)
- To include msvcr100.dll for improved target OS compatibility, modify the file ./loki/loki.spec as follows:
  a.binaries + [('msvcr100.dll', 'C:\Windows\System32\msvcr100.dll', 'BINARY')],
Use LOKI on Mac OS X (or later) or Linux
- Initialize a Python virtual environment for Loki.
- Install required libraries:
  pip install colorama yara-python psutil rfc5424-logging-handler netaddr
- Run loki-upgrader.py
- Run Loki with the following command:
  sudo python loki.py
Yara Sources
- Download Yara sources from here
Antivirus - False Positives
- The compiled scanner may be flagged by antivirus engines simply because it is a compiled (PyInstaller-packed) executable.
- If you don't trust the compiled executable, compile it yourself.
License
- Loki: Simple IOC Scanner
- Copyright (c) 2015 Florian Roth
- This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
- This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/