Quick IOC Scan With Docker

Published: 2023-04-28. Last Updated: 2023-04-28 10:27:38 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

When investigating an incident, you must perform initial tasks quickly. There is one tool in my arsenal that I'm using to quickly scan for interesting IOCs ("Indicators of Compromise"). This tool is called Loki[1], the free version of the Thor scanner. I like this tool because you can scan for a computer (processes & files) or a specific directory (only files) for suspicious content. The tool has many interesting YARA rules, but you can always add your own to increase the detection capabilities. 

Loki is delivered as a package with an executable for the Windows environment but is being developed in Python. Therefore, why not create a Docker image ready to scan your pieces of evidence?

Here is a simple Dockerfile to build a container:

FROM ubuntu:latest
RUN apt update
RUN apt -y install git
RUN apt -y install python3-pip libssl-dev
WORKDIR /opt
RUN git clone https://github.com/Neo23x0/Loki.git
WORKDIR /opt/Loki
RUN chmod a+x loki.py
RUN pip install -r requirements.txt
RUN ln -s /usr/bin/python3 /usr/bin/python
ENTRYPOINT [ "/usr/bin/python", "/opt/Loki/loki.py" ]
CMD ["--help"]

Now you can scan any directory:

remnux@remnux:/MalwareZoo/Evidences$ docker run --rm -it -v $(PWD):/evidences loki -p /evidences --noprocscan

Just give no arguments to get some help:

remnux@remnux:/MalwareZoo/Evidences$ docker run --rm -it loki
usage: loki.py [-h] [-p path] [-s kilobyte] [-l log-file] [-r remote-loghost] [-t remote-syslog-port] [-a alert-level] [-w warning-level] [-n notice-level] [--allhds] [--alldrives]
               [--printall] [--allreasons] [--noprocscan] [--nofilescan] [--vulnchecks] [--nolevcheck] [--scriptanalysis] [--rootkit] [--noindicator] [--dontwait] [--intense] [--csv]
               [--onlyrelevant] [--nolog] [--update] [--debug] [--maxworkingset MAXWORKINGSET] [--syslogtcp] [--logfolder log-folder] [--nopesieve] [--pesieveshellc] [--python PYTHON]
               [--nolisten] [--excludeprocess EXCLUDEPROCESS] [--force] [--version]

Loki - Simple IOC Scanner

options:
  -h, --help            show this help message and exit
  -p path               Path to scan
  -s kilobyte           Maximum file size to check in KB (default 5000 KB)
  -l log-file           Log file
  -r remote-loghost     Remote syslog system
  -t remote-syslog-port
                        Remote syslog port
  -a alert-level        Alert score
  -w warning-level      Warning score
  -n notice-level       Notice score
  --allhds              Scan all local hard drives (Windows only)
  --alldrives           Scan all drives (including network drives and removable media)
  --printall            Print all files that are scanned
  --allreasons          Print all reasons that caused the score
  --noprocscan          Skip the process scan
  --nofilescan          Skip the file scan
  --vulnchecks          Run the vulnerability checks
  --nolevcheck          Skip the Levenshtein distance check
  --scriptanalysis      Statistical analysis for scripts to detect obfuscated code (beta)
  --rootkit             Skip the rootkit check
  --noindicator         Do not show a progress indicator
  --dontwait            Do not wait on exit
  --intense             Intense scan mode (also scan unknown file types and all extensions)
  --csv                 Write CSV log format to STDOUT (machine processing)
  --onlyrelevant        Only print warnings or alerts
  --nolog               Don't write a local log file
  --update              Update the signatures from the "signature-base" sub repository
  --debug               Debug output
  --maxworkingset MAXWORKINGSET
                        Maximum working set size of processes to scan (in MB, default 100 MB)
  --syslogtcp           Use TCP instead of UDP for syslog logging
  --logfolder log-folder
                        Folder to use for logging when log file is not specified
  --nopesieve           Do not perform pe-sieve scans
  --pesieveshellc       Perform pe-sieve shellcode scan
  --python PYTHON       Override default python path
  --nolisten            Dot not show listening connections
  --excludeprocess EXCLUDEPROCESS
                        Specify an executable name to exclude from scans, can be used multiple times
  --force               Force the scan on a certain folder (even if excluded with hard exclude in LOKI's code
  --version             Shows welcome text and version of loki, then exit

Because we run Ubuntu in the container, you can, of course, mount disk images from loop devices directly in the container and scan them:

remnux@remnux:/MalwareZoo/Evidences$ docker run --rm -it --privileged --entrypoint bash loki
root@d0256e7ad441:/opt/Loki# mount -o ro,loop,offset=1048576 /dev/loop1 /mnt
root@d0256e7ad441:/opt/Loki# python ./loki.py -p /mnt --noprocscan

This docker container works perfectly on my Macbook. No need to boot a Windows VM to scan a disk image...

[1] https://github.com/Neo23x0/Loki

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

1 comment(s)
ISC Stormcast For Friday, April 28th, 2023 https://isc.sans.edu/podcastdetail.html?id=8474

Comments


Diary Archives