The small open-source tool Loki can be used to scan servers and computers in small networks for traces of attacks and signs of threats. Such traces are also known as Indicators of Compromise (IoCs).
Open Source Scanner Checks Networks for Traces of Attacks
The small open-source tool Loki is called an IoC scanner. It is available on GitHub for Windows, Linux, and macOS. No installation is necessary: the tool can be started directly from the Windows command prompt or from the Linux and macOS terminal. Loki is the open-source version of the much more extensive commercial product THOR from Nextron Systems.
Caution: when the software is started, many virus scanners report a Trojan. This has been known for several versions and is considered a false positive, i.e. a faulty detection. You can read more about this under Loki Issues.
Loki uses Yara rules
Loki ships with numerous rules that can be used to scan processes and files on Windows, Linux, and macOS. Those familiar with Yara can define their own rules, but the default rules already detect many attacker and hacker tools, which makes the scanner particularly useful on web servers. Loki uses several scan methods:
- Detection of known attacker tools by file name and path
- Yara rule checks
- Hash checks against known malware hash values
- Checks of network connection endpoints
- Advanced checks, for example examining processes for suspicious actions
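As an added illustration of the check types listed above (example code, not Loki's own code or signature data), this small Python scanner applies a file-name pattern, a hash list and a string pattern to constructed in-memory files and sums the per-check scores. The IoC values and the alert/warning/notice thresholds are assumptions chosen for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed IoC sets modelled on the check types the text lists; illustration
# values only, not Loki's own signature data.
FILENAME_IOCS = [(re.compile(r"(?i)[\\/]temp[\\/]svch0st\.exe$"), 70, "Suspicious name in temp dir")]
HASH_IOCS = {hashlib.sha256(b"CONSTRUCTED MALWARE SAMPLE").hexdigest(): "Known malware hash"}
STRING_IOCS = [(b"CONSTRUCTED_C2_BEACON", 60, "C2 beacon string")]  # stand-in for Yara rules
LEVELS = ((100, "ALERT"), (60, "WARNING"), (40, "NOTICE"))  # assumed Loki-like score thresholds


@dataclass
class Finding:
    path: str
    score: int = 0
    level: str = "CLEAN"
    reasons: list = field(default_factory=list)


def scan_file(path: str, data: bytes) -> Finding:
    """Run the filename, hash and string checks on one file and sum the scores."""
    finding = Finding(path)
    for pattern, score, desc in FILENAME_IOCS:
        if pattern.search(path):
            finding.reasons.append(f"{desc}: {pattern.pattern}")
            finding.score += score
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_IOCS:  # a hash hit alone is enough for an alert
        finding.reasons.append(f"{HASH_IOCS[digest]}: {digest}")
        finding.score += 100
    for needle, score, desc in STRING_IOCS:
        if needle in data:
            finding.reasons.append(f"{desc}: {needle.decode()}")
            finding.score += score
    for threshold, name in LEVELS:  # highest threshold reached decides the level
        if finding.score >= threshold:
            finding.level = name
            break
    return finding


def scan_all(files) -> list:
    """Scan (path, content) pairs and keep only files that reached a level."""
    return [f for f in (scan_file(p, d) for p, d in files) if f.level != "CLEAN"]


# Constructed in-memory "files" standing in for a directory walk.
SAMPLE_FILES = [
    (r"C:\Windows\Temp\svch0st.exe", b"CONSTRUCTED MALWARE SAMPLE"),
    (r"C:\Users\alice\notes.txt", b"meeting notes CONSTRUCTED_C2_BEACON end"),
    (r"C:\Program Files\app\app.exe", b"MZ benign content"),
]
```

Calling `scan_all(SAMPLE_FILES)` returns two findings: the temp-directory executable scores 170 (path plus hash) and reaches ALERT, the notes file scores 60 and reaches WARNING, while the benign executable is dropped as clean.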
Scanning computers with Loki
To scan computers with Loki, for example under Windows, it is sufficient to download and unpack the ZIP file. Already when unpacking, and later when updating the signature files with “loki-upgrader.exe”, many virus scanners, including Windows Defender, issue a Trojan warning. The upgrader also updates loki.exe, so the latest version is always available. All actions performed by the Loki upgrader are logged in the file “loki-upgrade.log”, which is stored in the same directory as Loki itself.
On Linux and macOS, the upgrade is done with “loki-upgrader.py”. The Trojan warning, however, is a false positive, as can be read on the issue page of the project.
After the update with “loki-upgrader.exe”, the scans can be started with “loki.exe”. Here it can be useful to define an exception in the virus scanner. Loki is a small command-line tool, so open a command prompt and start the scan by entering “loki.exe”. If Loki finds suspicious activity, the corresponding scan item is displayed in yellow in the command line.
Understanding and optimizing scans with Loki
With “loki /?” the tool lists all options that can be used in the command line or terminal; the option “-h” displays extended help for the individual options.
For example, if Loki is to scan a specific path in addition to the running processes, the tool is started with “loki -p <path>”. The path will be scanned at the end, after Loki has scanned all running processes.
If only the running processes are to be scanned, but not a specific path and its files, Loki can also be started with “loki -nofilescan”. This is useful, for example, if the file scan takes too long or if only the running processes are to be checked for malware. Conversely, “-noprocscan” skips the process scan. This lets administrators run Loki in the way the desired scan requires.
On the GitHub page, the developer also explains how the program can be compiled from the Loki and Yara source codes and how custom Yara rules can also be created in the process. This requires additional tools, but they are linked on the page.
Analyze scan results
Red lines represent detected malware or hacker attacks. In this case, a closer check should determine which attack is involved. It can be useful to examine the flagged process and its executable file with an external virus scanner and to search the Internet for the names of the process and the file. A scan at Virustotal.com can also be useful.
For each hit, Loki displays in the window the name of the process executable, the owner of the process, its PID, and the location where the executable file is stored.
After the scan, Loki displays a summary. The individual information found can be seen in the window. Warnings and errors should be checked more deeply in any case.
All information is also written to a log file, which also records the name of the computer that was checked. This makes it possible to save the log files centrally on the network, for example, to compare the results of several servers.