LOKI Free IOC Scanner

LOKI is a free and simple IOC scanner, a complete rewrite of the main analysis modules of our full-featured APT Scanner THOR. IOC stands for „Indicators of Compromise“. These indicators can be derived from published incident reports, forensic analyses or malware sample collections in your lab.

LOKI offers a simple way to scan your systems for known IOCs.

It supports these different types of indicators:

  • MD5 / SHA1 / SHA256 hashes
  • Yara Rules (applied to file data and process memory)
  • Hard Indicator Filenames based on Regular Expressions (e.g. \\pwdump\.exe)
  • Soft Indicator Filenames based on Regular Expressions (e.g. Windows\\[\w]\.exe)

You find a full feature comparison on the THOR APT Scanner description page.


LOKI Simple IOC Scanner – Command Line View

Rule Sets

LOKI features some of the most effective rules borrowed from the rule sets of our famous THOR APT Scanner. We decided to integrate a lot of webshell rules as even the best Antivirus engines fail to detect most of them. We put almost half of our hacktool rule set into the rule base as well.

The IOC signature database is not encrypted or stored in a proprietary format. You can edit the signature database yourself and add your own IOCs. Be advised that attackers may also gain access to these rules if you run the scanner on a compromised system and leave the package behind.

LOKI Signatures

LOKI Signature Database Files

Using LOKI

You can easily add your own sample hashes, filename characteristics and Yara rules to the rule sets we bundled with it.

The most common use case is a so-called „Triage“ or „APT Scan“ scenario in which you scan all your machines to identify threats that haven’t been detected by common Antivirus solutions. You can roll out LOKI like any other software using your preferred method or offer it on a network share. LOKI can then be started via Scheduled Task (GPO). You can simply run it using the UNC path „\\system\share\loki.exe“.

Another scenario is the use in a forensic lab. Scan mounted images with LOKI to identify known threats using the provided IOC definitions.

We quickly add IOCs derived from important threat reports to our rule sets (e.g. Regin, Skeleton Key). Use LOKI to check the integrity of your systems quickly and in a targeted way.

Logging

LOKI features a simple log file output in the format created by syslog daemons.

LOKI IOC Scanner

LOKI Simple IOC Scanner Log File

Three Different Result Types

At the end of the scan LOKI generates a scan result. This result can be:

  • System seems to be clean.
  • Suspicious objects detected!
  • Indicators detected!

System seems to be clean

LOKI Scan – System seems to be clean

Detect suspicious systems

LOKI Scan – Suspicious objects detected

Detect infected systems with IOCs

Loki Scan – Indicators detected
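To make the indicator types (hashes, hard and soft filename regexes), the syslog-style log output and the three result types concrete, here is a small, self-contained scanner written as an added example. It is not LOKI's own code; the indicator set, the scores and thresholds, the sample files and the exact log line layout are constructed assumptions for illustration. Yara matching and process memory scanning are left out because they need the yara-python module.

```python
"""Minimal IOC scanner in the spirit of LOKI (added example, not LOKI's own code)."""
import hashlib
import os
import re
import sys
import time

# --- Constructed indicator set (stands in for the signature files LOKI ships) ---
# The hash IOC is computed from a constructed sample so the demo is self-contained.
SAMPLE_MALWARE = b"MZ\x90\x00constructed-sample-dropper\n"
HASH_IOCS = {hashlib.sha256(SAMPLE_MALWARE).hexdigest(): "constructed sample dropper"}

# Hard indicators: a match alone is enough to report "Indicators detected".
HARD_FILENAME_IOCS = [(re.compile(r"\\pwdump\.exe$", re.IGNORECASE), "pwdump credential dumper")]
# Soft indicators: unusual but not conclusive, so they only raise a "suspicious" verdict.
SOFT_FILENAME_IOCS = [(re.compile(r"Windows\\[\w]\.exe$", re.IGNORECASE), "single-letter exe in Windows dir")]

# Scores and thresholds are assumptions for this example, not LOKI's own scoring.
SCORE_HASH, SCORE_HARD, SCORE_SOFT = 100, 100, 60
THRESHOLD_INDICATOR, THRESHOLD_SUSPICIOUS = 100, 60

# Constructed sample files as (path, content) pairs; paths use Windows separators.
SAMPLE_FILES = [
    ("C:\\Windows\\System32\\notepad.exe", b"MZ benign program"),
    ("C:\\Users\\Public\\pwdump.exe", b"MZ renamed or not, the name alone is a hard IOC"),
    ("C:\\Windows\\a.exe", b"MZ odd single-letter binary"),
    ("C:\\Temp\\update.bin", SAMPLE_MALWARE),
]


def hash_file(data):
    """MD5 / SHA1 / SHA256 of the file content, the three hash types LOKI accepts."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def check_file(path, data):
    """Return (score, reasons) for one file; the regexes expect Windows-style paths."""
    win_path = path.replace("/", "\\")
    score, reasons = 0, []
    for algo, digest in hash_file(data).items():
        if digest in HASH_IOCS:
            score += SCORE_HASH
            reasons.append("%s hash matches IOC '%s'" % (algo.upper(), HASH_IOCS[digest]))
    for pattern, desc in HARD_FILENAME_IOCS:
        if pattern.search(win_path):
            score += SCORE_HARD
            reasons.append("hard filename IOC: %s" % desc)
    for pattern, desc in SOFT_FILENAME_IOCS:
        if pattern.search(win_path):
            score += SCORE_SOFT
            reasons.append("soft filename IOC: %s" % desc)
    return score, reasons


def scan_files(files):
    """files: iterable of (path, bytes). Returns a list of hits (path, score, reasons)."""
    hits = []
    for path, data in files:
        score, reasons = check_file(path, data)
        if score > 0:
            hits.append((path, score, reasons))
    return hits


def walk_directory(root):
    """Yield (path, bytes) for every readable regular file under root (real filesystem use)."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    yield full, fh.read()
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the scan


def classify(hits):
    """Map the highest per-file score to LOKI's three result types."""
    top = max((score for _path, score, _reasons in hits), default=0)
    if top >= THRESHOLD_INDICATOR:
        return "Indicators detected!"
    if top >= THRESHOLD_SUSPICIOUS:
        return "Suspicious objects detected!"
    return "System seems to be clean."


def syslog_line(level, message, hostname="host", ts=None):
    """One log line in BSD syslog style ('Mmm dd HH:MM:SS host tag: msg'); layout is an assumption."""
    stamp = time.strftime("%b %d %H:%M:%S", time.gmtime(ts) if ts is not None else time.gmtime())
    return "%s %s LOKI: %s: %s" % (stamp, hostname, level, message)


if __name__ == "__main__":
    # Scan a real directory if one is given, otherwise the constructed sample set.
    source = walk_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    found = scan_files(source)
    for path, score, reasons in found:
        level = "ALERT" if score >= THRESHOLD_INDICATOR else "WARNING"
        print(syslog_line(level, "FILE: %s SCORE: %d REASONS: %s" % (path, score, "; ".join(reasons))))
    print(syslog_line("RESULT", classify(found)))
```

Run without arguments to see the constructed samples produce one WARNING (the soft filename match) and two ALERTs (the hash match and the hard filename match), ending in the „Indicators detected!“ result; pass a directory path to scan real files. Keeping the hash, hard and soft indicators in plain data structures mirrors the point made above: the signatures are readable by anyone who finds the package, so remove it from scanned systems when you are done.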

Support

Professional support is not included. Please use the issues section on the Github project page to submit bug reports. If you need a professional tool with professional support, choose our APT Scanner THOR.

Download

LOKI is hosted on Github. Download it from the project page.

Disclaimer

You use LOKI at your own risk.

Unlike our APT Scanner THOR, LOKI does not support throttling and has no feature to adapt its performance to the actual system resources. LOKI does not support AES256 encrypted signature files. Make sure that you completely remove the package from the target system in order to avoid that attackers gain knowledge of the indicators with which you are trying to detect them.

License

Loki – Simple IOC Scanner
Copyright (c) 2015 Florian Roth

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see http://www.gnu.org/licenses/