Convert Figma logo to code with AI

Neo23x0 logoLoki

Loki - Simple IOC and YARA Scanner

3,335
576
3,335
30
View on GitHub

Top Related Projects

JPCERTCC's avatar

LogonTracer

2,693

Investigate malicious Windows logon by visualizing and analyzing Windows event log

Cyb3rWard0g's avatar

HELK

3,741

The Hunting ELK

OTRF's avatar

ThreatHunter-Playbook

3,968

A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.

TheHive-Project's avatar

TheHive

3,357

TheHive: a Scalable, Open Source and Free Security Incident Response Platform

MISP's avatar

MISP

5,245

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

SigmaHQ's avatar

sigma

8,068

Main Sigma Rule Repository

Quick Overview

Loki is an open-source incident response and threat hunting tool developed by Florian Roth. It's designed to scan endpoints and log files for indicators of compromise (IOCs) using YARA rules and other detection methods. Loki aims to help security professionals detect malware, suspicious files, and potential security breaches on systems.

Pros

  • Lightweight and easy to deploy on various systems
  • Supports multiple detection methods, including YARA rules, filenames, hashes, and C2 backends
  • Regularly updated with new IOCs and detection rules
  • Can be integrated into existing security workflows and automation pipelines

Cons

  • May generate false positives, requiring manual investigation
  • Performance can be impacted when scanning large file systems or numerous endpoints
  • Requires regular updates to maintain effectiveness against new threats
  • Limited real-time monitoring capabilities compared to full-fledged EDR solutions

Getting Started

To get started with Loki:

  1. Clone the repository:

    git clone https://github.com/Neo23x0/Loki.git

  2. Install the required dependencies:

    cd Loki
pip install -r requirements.txt

  3. Update the signatures:

    python loki.py --update

  4. Run a scan on a specific directory:

    python loki.py -p /path/to/scan

For more advanced usage and configuration options, refer to the project's documentation on GitHub.

Competitor Comparisons

JPCERTCC logo

LogonTracer

2,693

Investigate malicious Windows logon by visualizing and analyzing Windows event log

Pros of LogonTracer

  • Specialized in visualizing and analyzing Windows logon events
  • Provides a web-based interface for easy interaction and data exploration
  • Utilizes graph database (Neo4j) for efficient relationship mapping and querying

Cons of LogonTracer

  • Limited to Windows logon event analysis, less versatile than Loki
  • Requires additional setup (Neo4j database) and dependencies
  • May have a steeper learning curve for users unfamiliar with graph databases

Code Comparison

LogonTracer (Python):

def parse_evtx(evtx_file, output_file):
    parser = PyEvtxParser(evtx_file)
    for record in parser.records():
        event = json.loads(record['data'])
        # Process and write event data

Loki (Python):

def scan_path(path):
    for root, directories, files in os.walk(path):
        for file in files:
            file_path = os.path.join(root, file)
            self.scan_file(file_path)

LogonTracer focuses on parsing and processing Windows event logs, while Loki scans files and directories for indicators of compromise. LogonTracer's code is more specialized for event log analysis, whereas Loki's code is designed for broader file system scanning and threat detection.

Cyb3rWard0g logo

HELK

3,741

The Hunting ELK

Pros of HELK

  • Comprehensive hunting environment with multiple integrated tools
  • Built-in data visualization and analytics capabilities
  • Scalable architecture suitable for large-scale deployments

Cons of HELK

  • More complex setup and configuration process
  • Higher resource requirements for full functionality
  • Steeper learning curve for new users

Code Comparison

HELK (Logstash configuration example):

input {
  beats {
    port => 5044
  }
}
filter {
  json {
    source => "message"
  }
}

Loki (YARA rule example):

rule suspicious_powershell {
    strings:
        $a = "powershell.exe" nocase
        $b = "-encodedcommand" nocase
    condition:
        $a and $b
}

While both projects focus on threat detection, HELK provides a more comprehensive hunting platform with integrated analytics, whereas Loki offers a lightweight, easy-to-deploy scanner for IOCs and YARA rules. HELK is better suited for organizations with more resources and advanced hunting needs, while Loki is ideal for quick scans and smaller environments. The code examples highlight the different approaches: HELK uses log processing and analytics, while Loki employs signature-based detection.

OTRF logo

ThreatHunter-Playbook

3,968

A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.

Pros of ThreatHunter-Playbook

  • Comprehensive threat hunting methodology with detailed playbooks
  • Covers a wide range of attack techniques and tactics
  • Integrates with MITRE ATT&CK framework for better context

Cons of ThreatHunter-Playbook

  • Requires more setup and configuration compared to Loki
  • May be overwhelming for beginners due to its extensive content
  • Less focused on immediate threat detection, more on long-term hunting strategies

Code Comparison

ThreatHunter-Playbook (Jupyter Notebook example):

from openhunt.logparser import winlogbeat
from openhunt.analytics import events
from openhunt.alerting import elastalert

# Parse Windows event logs
parsed_logs = winlogbeat.parse_logs('path/to/logs')

# Apply detection logic
suspicious_events = events.detect_suspicious_activity(parsed_logs)

# Generate alerts
elastalert.create_alert(suspicious_events)

Loki (Python script example):

import sys
from lib.lokilogger import LOKILogger
from lib.filehandling import FileHandler

# Initialize logger and file handler
logger = LOKILogger()
file_handler = FileHandler()

# Scan files for IOCs
for file in file_handler.get_files():
    if file_handler.check_file(file):
        logger.log("ALERT", "Suspicious file detected: %s" % file)
TheHive-Project logo

TheHive

3,357

TheHive: a Scalable, Open Source and Free Security Incident Response Platform

Pros of TheHive

  • Comprehensive incident response platform with case management capabilities
  • Integrates with various security tools and threat intelligence sources
  • Supports collaboration among team members with real-time updates

Cons of TheHive

  • More complex setup and configuration compared to Loki
  • Requires additional infrastructure and resources to run effectively
  • Steeper learning curve for new users

Code Comparison

TheHive (Python):

def create_case(title, description, severity):
    case = Case(title=title, description=description, severity=severity)
    case.save()
    return case

Loki (Python):

def scan_path(path):
    for root, dirs, files in os.walk(path):
        for file in files:
            file_path = os.path.join(root, file)
            scan_file(file_path)

While TheHive focuses on case management and collaboration, Loki is primarily a scanner for detecting indicators of compromise. TheHive's code example demonstrates creating a case, while Loki's code shows its file scanning functionality. TheHive is better suited for larger teams and complex incident response workflows, whereas Loki is more lightweight and focused on quick, targeted scans for potential threats.

MISP logo

MISP

5,245

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

Pros of MISP

  • Comprehensive threat intelligence platform with extensive sharing capabilities
  • Large, active community contributing to threat intelligence
  • Supports various data formats and integrations with other security tools

Cons of MISP

  • More complex setup and maintenance compared to Loki
  • Steeper learning curve for new users
  • Requires more resources to run effectively

Code Comparison

MISP (Python):

from pymisp import PyMISP
misp = PyMISP(misp_url, misp_key, ssl=False)
event = misp.new_event(info='Suspicious Activity', distribution=0, threat_level_id=2, analysis=0)
misp.add_attribute(event, type_value='ip-dst', value='10.0.0.1')

Loki (Python):

import loki
scanner = loki.Scanner()
scanner.scan_path("/path/to/scan")
for result in scanner.get_results():
    print(result)

Summary

MISP is a comprehensive threat intelligence platform with powerful sharing capabilities, while Loki is a simpler, lightweight scanner for detecting IOCs. MISP offers more extensive features but requires more setup and resources, whereas Loki is easier to use but has more limited functionality. The choice between them depends on specific threat intelligence and scanning needs.

SigmaHQ logo

sigma

8,068

Main Sigma Rule Repository

Pros of Sigma

  • More versatile and can be used with various SIEM systems and log management tools
  • Larger community and more frequent updates, leading to a broader rule set
  • Supports conversion of rules to different formats, enhancing compatibility

Cons of Sigma

  • Requires additional tools or converters to implement rules in specific environments
  • May have a steeper learning curve for users new to the format
  • Less focused on specific IOCs compared to Loki's approach

Code Comparison

Sigma rule example:

title: Suspicious Process Creation
detection:
    selection:
        EventID: 1
        Image|endswith: '\cmd.exe'
    condition: selection

Loki rule example:

rule SuspiciousProcess {
    meta:
        description = "Detects suspicious process creation"
    strings:
        $proc = "cmd.exe"
    condition:
        $proc
}

While Sigma uses a YAML-based format for defining rules that can be converted to various SIEM queries, Loki employs a more straightforward, Python-like syntax focused on specific IOCs and file characteristics.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Inactively Maintained

Important Note

This project is only inactively maintained. This means that I merge pull request for bug fixes and issues that can be easily integrated but I don't have the time to add new features or extend existing ones. For years, I've been working on a much more sohpisticated scanner called THOR. There is a free version of THOR Lite available. THOR Lite is faster, more stable, tested in our CI environments and simply the better solution. You can find a comparison of the open source, free and commercial scanner here. I've also started working on a Rust-based version of LOKI called LOKI 2 but I have no idea when it's in a state that reflects the current feature set of LOKI. A while ago I made a flow chart to help you with the decision which scanner to use.

Logo

Loki - Simple IOC and YARA Scanner

Scanner for Simple Indicators of Compromise

Detection is based on four detection methods:

1. File Name IOC
   Regex match on full file path/name

2. Yara Rule Check
   Yara signature match on file data and process memory

3. Hash Check
   Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
   
4. C2 Back Connect Check
   Compares process connection endpoints with C2 IOCs (new since version v.10)

Additional Checks:

1. Regin filesystem check (via --reginfs)
2. Process anomaly check (based on [Sysforensics](http://goo.gl/P99QZQ)
3. SWF decompressed scan (new since version v0.8)
4. SAM dump check

The Windows binary is compiled with PyInstaller and should run as x86 application on both x86 and x64 based systems.

How-To Run LOKI and Analyse the Reports

Run

  • Download the newest version of LOKI from the releases section
  • Extract the program package
  • Run loki-upgrader.exe on system with Internet access to retrieve the newest signatures
  • Bring the program folder to a target system that should be scanned: removable media, network share, folder on target system
  • Open a command line "cmd.exe" as Administrator and run it from there (you can also run LOKI without administrative privileges but some checks will be disabled and relevant objects on disk will not be accessible)

Reports

  • The resulting report will show a GREEN, YELLOW or RED result line.
  • Please analyse the findings yourself by:
    1. uploading non-confidential samples to Virustotal.com
    2. Search the web for the filename
    3. Search the web for keywords from the rule name (e.g. EQUATIONGroupMalware_1 > search for "Equation Group")
    4. Search the web for the MD5 hash of the sample
  • Please report back false positives via the "Issues" section, which is accessible via the right sidebar (mention the false positive indicator like a hash and/or filename and the rule name that triggered)

Requirements

No requirements if you use the compiled EXE.

If you want to build it yourself:

Usage

usage: loki.py [-h] [-p path] [-s kilobyte] [-l log-file] [-r remote-loghost]
               [-t remote-syslog-port] [-a alert-level] [-w warning-level]
               [-n notice-level] [--allhds] [--alldrives] [--printall]
               [--allreasons] [--noprocscan] [--nofilescan] [--vulnchecks]
               [--nolevcheck] [--scriptanalysis] [--rootkit] [--noindicator]
               [--dontwait] [--intense] [--csv] [--onlyrelevant] [--nolog]
               [--update] [--debug] [--maxworkingset MAXWORKINGSET]
               [--syslogtcp] [--logfolder log-folder] [--nopesieve]
               [--pesieveshellc] [--nolisten]
               [--excludeprocess EXCLUDEPROCESS] [--force]

Loki - Simple IOC Scanner

optional arguments:
  -h, --help            show this help message and exit
  -p path               Path to scan
  -s kilobyte           Maximum file size to check in KB (default 5000 KB)
  -l log-file           Log file
  -r remote-loghost     Remote syslog system
  -t remote-syslog-port
                        Remote syslog port
  -a alert-level        Alert score
  -w warning-level      Warning score
  -n notice-level       Notice score
  --allhds              Scan all local hard drives (Windows only)
  --alldrives           Scan all drives (including network drives and
                        removable media)
  --printall            Print all files that are scanned
  --allreasons          Print all reasons that caused the score
  --noprocscan          Skip the process scan
  --nofilescan          Skip the file scan
  --vulnchecks          Run the vulnerability checks
  --nolevcheck          Skip the Levenshtein distance check
  --scriptanalysis      Statistical analysis for scripts to detect obfuscated
                        code (beta)
  --rootkit             Skip the rootkit check
  --noindicator         Do not show a progress indicator
  --dontwait            Do not wait on exit
  --intense             Intense scan mode (also scan unknown file types and
                        all extensions)
  --csv                 Write CSV log format to STDOUT (machine processing)
  --onlyrelevant        Only print warnings or alerts
  --nolog               Don't write a local log file
  --update              Update the signatures from the "signature-base" sub
                        repository
  --debug               Debug output
  --maxworkingset MAXWORKINGSET
                        Maximum working set size of processes to scan (in MB,
                        default 100 MB)
  --syslogtcp           Use TCP instead of UDP for syslog logging
  --logfolder log-folder
                        Folder to use for logging when log file is not
                        specified
  --nopesieve           Do not perform pe-sieve scans
  --pesieveshellc       Perform pe-sieve shellcode scan
  --nolisten            Dot not show listening connections
  --excludeprocess EXCLUDEPROCESS
                        Specify an executable name to exclude from scans, can
                        be used multiple times
  --force               Force the scan on a certain folder (even if excluded
                        with hard exclude in LOKI's code

Signature and IOCs

Since version 0.15 the Yara signatures reside in the sub-repository signature-base. You will not get the sub-repository by downloading the LOKI as ZIP file. It will be included when you clone the repository.

The IOC files for hashes and filenames are stored in the './signature-base/iocs' folder. All '.yar' files placed in the './signature-base/yara' folder will be initialized together with the rule set that is already included. Use the 'score' value to define the level of the message upon a signature match.

You can add hash, c2 and filename IOCs by adding files to the './signature-base/iocs' subfolder. All hash IOCs and filename IOC files must be in the format used by LOKI (see the default files). The files must have the strings "hash", "filename" or "c2" in their name to get pulled during initialization.

For Hash IOCs (divided by newline; hash type is detected automatically)

Hash;Description [Reference]

For Filename IOCs (divided by newline)

# (optional) Description [Reference]
Filename as Regex[;Score as integer[;False-positive as Regex]]

User-Defined Scan Excludes

Since version v0.16.2 LOKI supports the definition of user-defined excludes via "excludes.cfg" in the new "./config" folder. Each line represents a regular expression that gets applied to the full file path during the directory walk. This way you can exclude certain directories regardless of their drive name, file extensions in certain folders and all files and directories that belong to a product that is sensitive to antivirus scanning.

The '''exclude.cfg''' looks like this:

# Excluded directories
#
# - add directories you want to exclude from the scan
# - double escape back slashes
# - values are case-insensitive
# - remember to use back slashes on Windows and slashes on Linux / Unix / OSX
# - each line contains a regex that matches somewhere in the full path (case insensitive)
#   e.g.:
#   Regex: \\System32\\
#   Matches C:\Windows\System32\cmd.exe
#
#   Regex: /var/log/[^/]+\.log
#   Matches: /var/log/test.log
#   Not Matches: /var/log/test.gz
#

# Useful examples
\\Ntfrs\\
\\Ntds\\
\\EDB[^\.]+\.log
Sysvol\\Staging\\Nntfrs_cmp
\\System Volume Information\\DFSR

Screenshots

Loki Scan

Screen

Regin Matches

Screen

Regin False Positives

Screen

Hash based IOCs

Screen

File Name based IOCs

Screen

Generated log file

Screen

Contact

LOKI scanner on our company homepage https://www.nextron-systems.com/loki/

Twitter @cyb3rOps @thor_scanner

If you are interested in a corporate solution for APT scanning, check out Loki's big brother THOR.

Compile the Scanner

Download PyInstaller, switch to the pyinstaller program directory and execute:

python ./pyinstaller.py -F C:\path\to\loki.py

This will create a loki.exe in the subfolder ./loki/dist.

Pro Tip (optional)

To include the msvcr100.dll to improve the target os compatibility change the line in the file ./loki/loki.spec that contains a.binaries, to the following:

a.binaries + [('msvcr100.dll', 'C:\Windows\System32\msvcr100.dll', 'BINARY')],

Use LOKI on Mac OS X (Or later) or Linux

  • Install libraries sudo pip install colorama yara-python psutil rfc5424-logging-handler netaddr
  • Run loki-upgrader.py sudo python loki-upgrader.py
  • Run loki sudo python loki.py

Yara sources

Download Yara sources from here

Antivirus - False Positives

The compiled scanner may be detected by antivirus engines. This is caused by the fact that the scanner is a compiled python script that implement some file system and process scanning features that are also used in compiled malware code.

If you don't trust the compiled executable, please compile it yourself.

License

Loki - Simple IOC Scanner Copyright (c) 2015 Florian Roth

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/