Loki - Simple IOC and Incident Response Scanner.

Scanner for Simple Indicators of Compromise
Detection is based on four methods:
1. File Name IOC
Regex match on full file path/name
2. Yara Rule Check
Yara signature match on file data and process memory
3. Hash check
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
4. C2 Back Connect Check
Compares process connection endpoints with C2 IOCs (new since version v.10)
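The following is an added illustration of three of the four detection methods (file name regex, hash comparison, C2 endpoint comparison); it is not Loki's own code, and every IOC in it is a constructed sample value, not a real indicator. The Yara check is omitted because it needs the external yara library.

```python
import hashlib
import re

# Constructed sample IOCs (not real indicators), one set per detection type.
FILENAME_IOCS = [re.compile(r"\\Windows\\Temp\\[a-z]{8}\.exe$", re.I)]
C2_IOCS = {("198.51.100.23", 443)}  # RFC 5737 documentation address, constructed
MALICIOUS_SAMPLE = b"constructed content standing in for a known-bad file"
# Hash IOCs are derived from the constructed sample so the example is self-contained.
HASH_IOCS = {
    hashlib.new(algo, MALICIOUS_SAMPLE).hexdigest(): "Constructed_Sample"
    for algo in ("md5", "sha1", "sha256")
}


def check_filename(path):
    """Method 1: regex match on the full file path/name."""
    return any(rx.search(path) for rx in FILENAME_IOCS)


def check_hashes(data):
    """Method 3: compare MD5/SHA1/SHA256 of the file data with known-bad hashes.
    Returns the IOC description on a hit, otherwise None."""
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in HASH_IOCS:
            return HASH_IOCS[digest]
    return None


def check_c2(connections):
    """Method 4: compare process connection endpoints with C2 IOCs.
    `connections` is an iterable of (pid, remote_ip, remote_port) tuples."""
    return [c for c in connections if (c[1], c[2]) in C2_IOCS]


def scan_file(path, data=None):
    """Run the filename and hash checks on one file.
    Returns a list of (method, detail) hits; reads the file if data is not given."""
    hits = []
    if check_filename(path):
        hits.append(("filename", path))
    if data is None:
        with open(path, "rb") as fh:
            data = fh.read()
    desc = check_hashes(data)
    if desc:
        hits.append(("hash", desc))
    return hits
```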

loki v0.15.5

Loki currently includes the following IOCs:
+ Equation Group Malware (Hashes, Yara Rules by Kaspersky and 10 custom rules generated by us)
+ Carbanak APT – Kaspersky Report (Hashes, Filename IOCs – no service detection and Yara rules)
+ Arid Viper APT – Trendmicro (Hashes)
+ Anthem APT Deep Panda Signatures (not officially confirmed) (krebsonsecurity.com – see Blog Post)
+ Regin Malware (GCHQ / NSA / FiveEyes) (incl. Legspin and Hopscotch)
+ Five Eyes QWERTY Malware (Regin Keylogger Module – see: Kaspersky Report)
+ Skeleton Key Malware (other state-sponsored Malware) – Source: Dell SecureWorks Counter Threat Unit(TM)
+ WoolenGoldfish – (SHA1 hashes, Yara rules) Trendmicro Report
+ OpCleaver (Iranian APT campaign) – Source: Cylance
+ More than 180 hack tool Yara rules – Source: APT Scanner THOR
+ More than 600 web shell Yara rules – Source: APT Scanner THOR
+ Numerous suspicious file name regex signatures – Source: APT Scanner THOR
+ Much more … (cannot update the list as fast as I include new signatures)

loki help menu

Run:

Download: loki.zip
source: https://github.com/Neo23x0