Loki v0.23 released – Simple IOC and Incident Response Scanner

Loki – Simple IOC Scanner

Scanner for Simple Indicators of Compromise

Detection is based on four detection methods:

  1. File Name IOC
    Regex match on full file path/name
  2. Yara Rule Check
    Yara signature match on file data and process memory
  3. Hash check
    Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
  4. C2 Back Connect Check
    Compares process connection endpoints with C2 IOCs (new since version v.10)
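
The file name and hash checks from the list above, as an added example in Python (not LOKI's own code). The IOC entries, sample files and function names are constructed for the illustration, and applying the size limit only to the hash check is an assumption.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed IOCs for this example only (not from LOKI's signature base).
SAMPLE_PAYLOAD = b"constructed sample payload for the hash IOC demo\n"
FILENAME_IOCS = [  # (regex applied to the full path, description)
    (re.compile(r"[\\/]temp[\\/]svch0st\.exe$", re.I), "look-alike svchost in a temp folder"),
]
HASH_IOCS = {  # hex digest (MD5, SHA1 or SHA256) -> description
    hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(): "constructed sample payload",
}

def file_hashes(path, chunk=65536):
    """Compute MD5, SHA1 and SHA256 in a single pass over the file."""
    hashers = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers:
                h.update(block)
    return {h.hexdigest() for h in hashers}

def scan(root, max_kb=5000):
    """Return {path: [(method, description), ...]} for files that hit an IOC."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        # Method 1: regex match on the full file path/name
        hits = [("filename", d) for rx, d in FILENAME_IOCS if rx.search(str(path))]
        # Method 3: hash lookup, skipped for files above the size limit (assumption)
        if path.stat().st_size <= max_kb * 1024:
            hits += [("hash", HASH_IOCS[h]) for h in file_hashes(path) if h in HASH_IOCS]
        if hits:
            findings[str(path)] = hits
    return findings

def demo(max_kb=5000):
    """Scan a constructed directory tree; return {file name: [methods that hit]}."""
    with tempfile.TemporaryDirectory() as tmp:
        temp_dir = Path(tmp, "Users", "alice", "Temp")
        temp_dir.mkdir(parents=True)
        (temp_dir / "svch0st.exe").write_bytes(b"MZ constructed")  # name hit, unknown hash
        (Path(tmp) / "renamed.dat").write_bytes(SAMPLE_PAYLOAD)    # known hash, harmless name
        (Path(tmp) / "notes.txt").write_bytes(b"benign")           # no hit
        return {Path(p).name: [m for m, _ in hits] for p, hits in scan(tmp, max_kb).items()}

if __name__ == "__main__":
    print(demo())
```

The two checks cover each other's blind spots: a renamed sample is still caught by its hash, while a recompiled sample with a new hash is still caught by its path.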

Additional Checks:

  1. Regin filesystem check (via --reginfs)
  2. Process anomaly check (based on Sysforensics)
  3. SWF decompressed scan (new since version v0.8)
  4. SAM dump check
  5. DoublePulsar check – tries to detect DoublePulsar backdoor on port 445/tcp and 3389/tcp
  6. PE-Sieve process check

The Windows binary is compiled with PyInstaller 2.1 and should run as an x86 application on both x86 and x64 based systems.

Changelog v0.30

Changes due to pull requests by @s3c

  • Added --syslogtcp, allowing TCP syslog servers, was easier with our Splunk setup
  • Included pywin32, setuptools==19.2, and rfc5424-logging-handler in pip command, latter to enable rfc5424 compatible syslog logging
  • Fixed exception handler for #51 (not sure why this triggered for me since there is a check before this func is called in init, might be because subfolder didn’t exist for some reason)
  • Added date and time to default filename
  • Added ability to specify log directory independent of filename, which is useful for automation that pushes logs to a fileshare (the new default filename which contains the hostname and time is used)
  • Added OS path conversion for portability, needed for parsing data within SOAR platform as well as running loki from a webdav share (so we don’t have to store any files on the host)
  • Enabled pe-sieve shellcode search, nice extra check
  • Added some argument sanity checking
  • Added rfc5424logging compatible syslog logging (splunk parsing with linux_messages_syslog)
  • Made minor changes to logging output to allow Splunk to easily parse syslog messages (just removed a colon)
  • Renamed command line flag --printAll to lowercase, to match format of others
  • Updated build script for python x64 compatibility
  • Added process name whitelist, and switch to disable pesieve, since some EDR solutions get really upset when you touch them
  • Added switch to ignore network comms checks

Change by me

  • Upgrade to PE-Sieve version 0.2.2


How-To Run LOKI and Analyse the Reports


  • Download the latest LOKI version from the releases section
  • Run it once to retrieve the latest signature base repository
  • Provide the folder to a target system that should be scanned: removable media, network share, folder on target system
  • Right-click on loki.exe and select “Run as Administrator” or open a command line “cmd.exe” as Administrator and run it from there (you can also run LOKI without administrative privileges but some checks will be disabled and relevant objects on disk will not be accessible)


  • The resulting report will show a GREEN, YELLOW or RED result line.
  • Please analyze the findings yourself:
    1. Upload non-confidential samples to Virustotal.com
    2. Search the web for the filename
    3. Search the web for keywords from the rule name (e.g. EQUATIONGroupMalware_1 > search for “Equation Group”)
    4. Search the web for the MD5 hash of the sample
    5. Search in my customer APT search engine for file names or identifiers
  • Please report back false positives via the Issues section (mention the false positive indicator like a hash and/or filename and the rule name that triggered)


Since version 0.21.0 LOKI includes a separate updater tool named loki-upgrader.exe or loki-upgrader.py.

usage: loki-upgrader.py [-h] [-l log-file] [--sigsonly] [--progonly] [--nolog]

Loki - Upgrader

optional arguments:
  -h, --help   show this help message and exit
  -l log-file  Log file
  --sigsonly   Update the signatures only
  --progonly   Update the program files only
  --nolog      Don't write a local log file
  --debug      Debug output

It allows updating the compiled loki.exe for Windows and the signature-based sources.

When you run loki.exe --update, it creates a new upgrade process and exits LOKI so that loki.exe, which would otherwise be locked, can be replaced with the newer version.


usage: loki.exe [-h] [-p path] [-s kilobyte] [-l log-file] [-r remote-loghost]
                [-a alert-level] [-w warning-level] [-n notice-level]
                [--printAll] [--allreasons] [--noprocscan] [--nofilescan]
                [--scriptanalysis] [--rootkit] [--noindicator] [--reginfs]
                [--dontwait] [--intense] [--csv] [--onlyrelevant] [--nolog]
                [--update] [--debug]

Loki - Simple IOC Scanner

optional arguments:
  -h, --help         show this help message and exit
  -p path            Path to scan
  -s kilobyte        Maximum file size to check in KB (default 5000 KB)
  -l log-file        Log file
  -r remote-loghost  Remote syslog system
  -a alert-level     Alert score
  -w warning-level   Warning score
  -n notice-level    Notice score
  --printAll         Print all files that are scanned
  --allreasons       Print all reasons that caused the score
  --noprocscan       Skip the process scan
  --nofilescan       Skip the file scan
  --scriptanalysis   Activate script analysis (beta)
  --rootkit          Skip the rootkit check
  --noindicator      Do not show a progress indicator
  --reginfs          Do check for Regin virtual file system
  --dontwait         Do not wait on exit
  --intense          Intense scan mode (also scan unknown file types and all
  --csv              Write CSV log format to STDOUT (machine prcoessing)
  --onlyrelevant     Only print warnings or alerts
  --nolog            Don't write a local log file
  --update           Update the signatures from the "signature-base" sub
  --debug            Debug output


Command Line Scan Output

Hash-based IOCs

File Name based IOCs

Generated log file

Copyright (c) 2015 Florian Roth

Source: https://github.com/Neo23x0/

Anastasis Vasileiadis
