
Releases: Neo23x0/Loki

LOKI version 0.21.0

12 Jun 18:03
  • Separate loki-upgrader.exe (loki-upgrader.py) that allows upgrading the loki.exe program executable
  • Preparations for 3rd generation file name signature format

LOKI Upgrader

The upgrader allows upgrading both the program and the signature files. In previous versions the --update parameter only updated the signature-base subdirectory. The upgrader is provided as a separate script/program so that file locks on Windows systems do not interfere with upgrading the loki.exe program executable.

You can use the upgrader separately or start LOKI with the --update parameter. Using the --update parameter will spawn a new loki-upgrader process and exit the loki process so that the program files can be replaced.

usage: loki-upgrader.py [-h] [-l log-file] [--sigsonly] [--progonly] [--nolog]
                        [--debug]

Loki - Upgrader

optional arguments:
  -h, --help   show this help message and exit
  -l log-file  Log file
  --sigsonly   Update the signatures only
  --progonly   Update the program files only
  --nolog      Don't write a local log file
  --debug      Debug output

3rd Generation File Name Signature Format

The new format extends the existing format by a third column that holds a regular expression used to filter out false positive matches.

This makes it possible to define signatures for suspicious file locations, e.g.:

Regex;Score;False Positive Regex

\\ncat\.exe;70;\\(bin|sbin)\\ncat\.exe
(?i)\\MsMpEng\.exe;60;(?i)\\(Microsoft Security Client|Windows Defender|AntiMalware)

The first signature matches ncat.exe files that are NOT located in a bin or sbin folder. The second one matches all MsMpEng.exe executables found outside the three folders named in the false positive expression.

This is a great method to detect anomalies such as legitimate, signed program executables used for DLL side-loading, or legitimate system file names in uncommon folders. Check @mbevilacqua's post on threat hunting and his AppCompatProcessor repo for interesting ideas on suspicious executable file locations.

The problem with the 3rd generation file name signatures is that LOKI versions older than v0.21.0 process only the first two columns and ignore the regular expression filter in the 3rd column. I therefore withhold some new signature updates for 'signature-base' in order to give everyone time to upgrade the LOKI version that they are using. I'll also include a notice with the new signatures that recommends upgrading pre-0.21.0 versions of LOKI.
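As an added illustration (not LOKI's own parser), the following Python reads signatures in the 3rd generation format described above and scores file paths against them; a legacy mode shows what a pre-0.21.0 version does when it ignores the third column. The two 3-column lines are the examples from these notes; the 2-column line and the sample paths are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample signature file. The two 3-column lines are the examples
# from the release notes; the 2-column line is a constructed legacy entry.
SIGNATURE_FILE = r"""
# Regex;Score;False Positive Regex
\\ncat\.exe;70;\\(bin|sbin)\\ncat\.exe
(?i)\\MsMpEng\.exe;60;(?i)\\(Microsoft Security Client|Windows Defender|AntiMalware)
\\suspicious\.exe;50
"""

@dataclass
class FileNameSignature:
    regex: re.Pattern
    score: int
    fp_regex: Optional[re.Pattern]  # None for legacy 2-column entries

def parse_signatures(text: str) -> List[FileNameSignature]:
    """Parse ';'-separated signature lines, skipping blanks and '#' comments."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first two ';' only, so a ';' inside the third column
        # (the false positive regex) does not break the line apart.
        parts = line.split(";", 2)
        if len(parts) < 2:
            raise ValueError(f"malformed signature line: {line!r}")
        fp = re.compile(parts[2]) if len(parts) == 3 and parts[2] else None
        sigs.append(FileNameSignature(re.compile(parts[0]), int(parts[1]), fp))
    return sigs

SIGS = parse_signatures(SIGNATURE_FILE)

def score_path(path: str, sigs: List[FileNameSignature], legacy: bool = False) -> int:
    """Sum the scores of all signatures hitting `path`. legacy=True mimics
    pre-0.21.0 LOKI, which reads two columns only and never applies the filter."""
    total = 0
    for sig in sigs:
        if not sig.regex.search(path):
            continue
        if not legacy and sig.fp_regex and sig.fp_regex.search(path):
            continue  # expected location for this binary: suppress the hit
        total += sig.score
    return total
```

Running the same path through legacy mode shows why older versions would raise a hit on ncat.exe even inside a bin folder.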

LOKI version 0.20.2

13 May 17:17
  • Increased the default for the maximum file size

LOKI version 0.20.1

25 Apr 14:21
  • Bugfix: Unicode decode error in rootkit check
  • Pushed source code changes from the 0.20.0 release

LOKI version 0.20.0

24 Apr 19:53

LOKI version 0.19.1

07 Feb 09:46
  • Shows new signature files during the update process
[INFO] Retrieving signature database from git repo https://github.com/Neo23x0/signature-base
[INFO] Downloading https://github.com/Neo23x0/signature-base/archive/master.zip ...
[INFO] New signature file: apt_servantshell.yar
[INFO] Update successful

LOKI version 0.19.0

30 Jan 20:14
  • Fixed the Update / Signature Download Routine

LOKI version 0.18.2

21 Dec 13:27

Bugfix Release

  • Fixes Unicode bugs in command line output

LOKI version 0.18.1

10 Dec 10:11

New 0.18.1

  • Now provided as a release package with automatic signature-base initialisation
  • Removed 'loki.exe' from source repository

From 0.18.0

  • Consolidated file scan message lines
  • New combined score on file scan events (only one event is shown per
    matched file)
  • New result line with the total of alerts, warnings and notices
  • File modification time stamps (MAC)
  • File size
  • Custom message type levels can be set (e.g. -a 300 to generate an alert
    with score 300 or higher)
  • Log lines in the file output contain the message type (e.g. LOKI:
    Warning: ...)

LOKI version 0.17.0

07 Oct 06:48
  • Massively improved speed

LOKI version 0.14.0

15 Feb 08:35
  • first release
  • stable version

DISCLAIMER
Use at your own risk in production environments!
There are some files and directories that should not be read by scanners like LOKI. Those folders and files receive special treatment in THOR but are not automatically excluded or skipped by LOKI.

Please see the following links for more details:

Windows
https://support.microsoft.com/en-us/kb/822158
Citrix
https://www.citrix.com/blogs/2013/09/22/citrix-consolidated-list-of-antivirus-exclusions/
Other 3rd party products
https://esupport.trendmicro.com/solution/en-US/1059795.aspx