Quick IOC Scan With Docker
When investigating an incident, you must perform initial tasks quickly. There is one tool in my arsenal that I'm using to quickly scan for interesting IOCs ("Indicators of Compromise"). This tool is called Loki[1], the free version of the Thor scanner. I like this tool because you can scan for a computer (processes & files) or a specific directory (only files) for suspicious content. The tool has many interesting YARA rules, but you can always add your own to increase the detection capabilities.
Loki is delivered as a package with an executable for the Windows environment but is being developed in Python. Therefore, why not create a Docker image ready to scan your pieces of evidence?
Here is a simple Dockerfile to build a container:
FROM ubuntu:latest RUN apt update RUN apt -y install git RUN apt -y install python3-pip libssl-dev WORKDIR /opt RUN git clone https://github.com/Neo23x0/Loki.git WORKDIR /opt/Loki RUN chmod a+x loki.py RUN pip install -r requirements.txt RUN ln -s /usr/bin/python3 /usr/bin/python ENTRYPOINT [ "/usr/bin/python", "/opt/Loki/loki.py" ] CMD ["--help"]
Now you can scan any directory:
remnux@remnux:/MalwareZoo/Evidences$ docker run --rm -it -v $(PWD):/evidences loki -p /evidences --noprocscan
Just give no arguments to get some help:
remnux@remnux:/MalwareZoo/Evidences$ docker run --rm -it loki usage: loki.py [-h] [-p path] [-s kilobyte] [-l log-file] [-r remote-loghost] [-t remote-syslog-port] [-a alert-level] [-w warning-level] [-n notice-level] [--allhds] [--alldrives] [--printall] [--allreasons] [--noprocscan] [--nofilescan] [--vulnchecks] [--nolevcheck] [--scriptanalysis] [--rootkit] [--noindicator] [--dontwait] [--intense] [--csv] [--onlyrelevant] [--nolog] [--update] [--debug] [--maxworkingset MAXWORKINGSET] [--syslogtcp] [--logfolder log-folder] [--nopesieve] [--pesieveshellc] [--python PYTHON] [--nolisten] [--excludeprocess EXCLUDEPROCESS] [--force] [--version] Loki - Simple IOC Scanner options: -h, --help show this help message and exit -p path Path to scan -s kilobyte Maximum file size to check in KB (default 5000 KB) -l log-file Log file -r remote-loghost Remote syslog system -t remote-syslog-port Remote syslog port -a alert-level Alert score -w warning-level Warning score -n notice-level Notice score --allhds Scan all local hard drives (Windows only) --alldrives Scan all drives (including network drives and removable media) --printall Print all files that are scanned --allreasons Print all reasons that caused the score --noprocscan Skip the process scan --nofilescan Skip the file scan --vulnchecks Run the vulnerability checks --nolevcheck Skip the Levenshtein distance check --scriptanalysis Statistical analysis for scripts to detect obfuscated code (beta) --rootkit Skip the rootkit check --noindicator Do not show a progress indicator --dontwait Do not wait on exit --intense Intense scan mode (also scan unknown file types and all extensions) --csv Write CSV log format to STDOUT (machine processing) --onlyrelevant Only print warnings or alerts --nolog Don't write a local log file --update Update the signatures from the "signature-base" sub repository --debug Debug output --maxworkingset MAXWORKINGSET Maximum working set size of processes to scan (in MB, default 100 MB) --syslogtcp Use TCP instead of UDP for syslog logging --logfolder log-folder Folder to use for logging when log file is not specified --nopesieve Do not perform pe-sieve scans --pesieveshellc Perform pe-sieve shellcode scan --python PYTHON Override default python path --nolisten Dot not show listening connections --excludeprocess EXCLUDEPROCESS Specify an executable name to exclude from scans, can be used multiple times --force Force the scan on a certain folder (even if excluded with hard exclude in LOKI's code --version Shows welcome text and version of loki, then exit
Because we run Ubuntu in the container, you can, of course, mount disk images from loop devices directly in the container and scan them:
remnux@remnux:/MalwareZoo/Evidences$ docker run --rm -it --privileged --entrypoint bash loki root@d0256e7ad441:/opt/Loki# mount -o ro,loop,offset=1048576 /dev/loop1 /mnt root@d0256e7ad441:/opt/Loki# python ./loki.py -p /mnt --noprocscan
This docker container works perfectly on my Macbook. No need to boot a Windows VM to scan a disk image...
[1] https://github.com/Neo23x0/Loki
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Comments