Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Search

Loki, starting IOC discovering

Andrea Cavallini : 2 May 2024 12:11

Today is always more important and significant to be efficient in controlling our own infrastructures; actions to put in place for this verification process shall require both proactive and post-action approach: the last aspect is fundamental when an attack or in general any malicious behavior is conducted on a targeted system and we have to know all about this action, from its start to its finalization. The paradigm “it’s happened and I have to know all about it” is checked as well by Loki.

Loki is an open source tool, developed in Python by Florian Roth (aka Neo23x0) and it is a very simple and usable tool suite for IOC (Indicator of compromization) discovery in our own systems. The strength of Loki is the interaction with a dynamic set of rules freely updateable that is applied to filesystem elements and not only (for example on Windows side it inspects even the shared memory for example); users can customize rules or write new ones in order to be constantly updated with the latest IOC patterns.

As mentioned in Florian Roth’s official repo, the detection is based on four search methods:

  • File Name IOC, using regex match on full file path/name to search specific filename
  • Yara Rule Checksum, using Yara signature match on file data and process memory
  • Hash Check, comparing known malicious hashes (MD5, SHA1, SHA256) with scanned
    files
  • C2 Back Connect Check, comparing process connection endpoints with C2 IOCs

Sei un Esperto di Formazione?
Entra anche tu nel Partner program!
Accedi alla sezione riservata ai Creator sulla nostra Academy e scopri i vantaggi riservati ai membri del Partner program.
Per ulteriori informazioni, scrivici ad [email protected] oppure su Whatsapp al 379 163 8765 

Supporta RHC attraverso:


Ti piacciono gli articoli di Red Hot Cyber? Non aspettare oltre, iscriviti alla newsletter settimanale per non perdere nessun articolo

Loki can be run on Linux, Mac and Windows locally only. My forked version provides the possibility to run centrally locally with the implementation of –ip option: this tries to map a remote filesystem through SSH connection (SSHFS package is required) and assumes this mapping as scan starting point. This is very useful for centralized infrastructures in order to collect in one single point every scan results, with addition of the new –locallogging option it is even possible to redirect log into Syslog/Event Viewer in order to collect data as operative system logs.

Andrea Cavallini
Since forever cybersecurity lover and hacking in general, he began his career in IT and then moved on to applications and control systems development; he mainly deals about solutions for critical infrastructures providing, writes digital topics for Red Team and Blue Team themes and develops open source solutions related to cybersecurity world.
Categories
Banner

Editorial board : [email protected]

Facebook Linkedin Youtube Telegram Twitter Pinterest Tumblr
Redhotcyber is an open-news project that was launched in 2019 and subsequently expanded into a network of individuals collaborating to disseminate information and topics focused on technology, Information Technology, and cybersecurity. Its goal is to increase risk awareness among an ever-growing number of people.