Quick IOC Scan With Docker
When investigating an incident, you must perform the initial tasks quickly. There is one tool in my arsenal that I use to quickly scan for interesting IOCs ("Indicators of Compromise"). This tool is called Loki[1], the free version of the THOR scanner. I like this tool because you can scan a whole computer (processes and files) or a specific directory (files only) for suspicious content. The tool ships with many interesting YARA rules, but you can always add your own to increase its detection capabilities.
Loki is delivered as a package with a Windows executable, but it is written in Python. Therefore, why not create a Docker image ready to scan your pieces of evidence?
Here is a simple Dockerfile to build a container (build it with "docker build -t loki ." so the image name matches the commands below):
FROM ubuntu:latest
RUN apt update
RUN apt -y install git
RUN apt -y install python3-pip libssl-dev
WORKDIR /opt
RUN git clone https://github.com/Neo23x0/Loki.git
WORKDIR /opt/Loki
RUN chmod a+x loki.py
# Newer Ubuntu images (23.04 and later) refuse system-wide pip installs (PEP 668);
# this variable lifts that restriction and is ignored by older pip versions.
ENV PIP_BREAK_SYSTEM_PACKAGES=1
RUN pip install -r requirements.txt
# Loki's scripts call "python"; Ubuntu only ships "python3"
RUN ln -s /usr/bin/python3 /usr/bin/python
ENTRYPOINT [ "/usr/bin/python", "/opt/Loki/loki.py" ]
CMD ["--help"]
Now you can scan any directory:
remnux@remnux:/MalwareZoo/Evidences$ docker run --rm -it -v $(pwd):/evidences loki -p /evidences --noprocscan
Just give no arguments to get some help:
remnux@remnux:/MalwareZoo/Evidences$ docker run --rm -it loki
usage: loki.py [-h] [-p path] [-s kilobyte] [-l log-file] [-r remote-loghost]
               [-t remote-syslog-port] [-a alert-level] [-w warning-level]
               [-n notice-level] [--allhds] [--alldrives] [--printall]
               [--allreasons] [--noprocscan] [--nofilescan] [--vulnchecks]
               [--nolevcheck] [--scriptanalysis] [--rootkit] [--noindicator]
               [--dontwait] [--intense] [--csv] [--onlyrelevant] [--nolog]
               [--update] [--debug] [--maxworkingset MAXWORKINGSET]
               [--syslogtcp] [--logfolder log-folder] [--nopesieve]
               [--pesieveshellc] [--python PYTHON] [--nolisten]
               [--excludeprocess EXCLUDEPROCESS] [--force] [--version]

Loki - Simple IOC Scanner

options:
  -h, --help            show this help message and exit
  -p path               Path to scan
  -s kilobyte           Maximum file size to check in KB (default 5000 KB)
  -l log-file           Log file
  -r remote-loghost     Remote syslog system
  -t remote-syslog-port Remote syslog port
  -a alert-level        Alert score
  -w warning-level      Warning score
  -n notice-level       Notice score
  --allhds              Scan all local hard drives (Windows only)
  --alldrives           Scan all drives (including network drives and removable media)
  --printall            Print all files that are scanned
  --allreasons          Print all reasons that caused the score
  --noprocscan          Skip the process scan
  --nofilescan          Skip the file scan
  --vulnchecks          Run the vulnerability checks
  --nolevcheck          Skip the Levenshtein distance check
  --scriptanalysis      Statistical analysis for scripts to detect obfuscated code (beta)
  --rootkit             Skip the rootkit check
  --noindicator         Do not show a progress indicator
  --dontwait            Do not wait on exit
  --intense             Intense scan mode (also scan unknown file types and all extensions)
  --csv                 Write CSV log format to STDOUT (machine processing)
  --onlyrelevant        Only print warnings or alerts
  --nolog               Don't write a local log file
  --update              Update the signatures from the "signature-base" sub repository
  --debug               Debug output
  --maxworkingset MAXWORKINGSET
                        Maximum working set size of processes to scan (in MB, default 100 MB)
  --syslogtcp           Use TCP instead of UDP for syslog logging
  --logfolder log-folder
                        Folder to use for logging when log file is not specified
  --nopesieve           Do not perform pe-sieve scans
  --pesieveshellc       Perform pe-sieve shellcode scan
  --python PYTHON       Override default python path
  --nolisten            Dot not show listening connections
  --excludeprocess EXCLUDEPROCESS
                        Specify an executable name to exclude from scans, can be used multiple times
  --force               Force the scan on a certain folder (even if excluded with hard exclude in LOKI's code
  --version             Shows welcome text and version of loki, then exit
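When the scan has to run unattended (a cron job over a drop folder, or a step in a triage pipeline), the "--csv", "--onlyrelevant" and "--dontwait" options from the help output above are the ones that matter. The script below is an added example, not part of the diary or of the Loki project: it wraps the container run and turns Loki's CSV output into a counted summary and an exit status. It assumes the image is tagged "loki" as built above and that CSV lines have the shape "timestamp,hostname,LEVEL,message" (the sample lines embedded in the script are constructed in that assumed shape, not real Loki output).

```shell
#!/bin/sh
# Added example (not from the diary or the Loki project): wrap the container
# scan in a script and turn the CSV output into a verdict.
# Assumptions: the image is tagged "loki"; CSV lines look like
# "timestamp,hostname,LEVEL,message".

# Run the container against one evidence directory, mounted read-only.
# --dontwait stops Loki from waiting for a keypress at the end of the scan.
run_scan() {
    evidence_dir=$(cd "$1" && pwd) || return 1
    docker run --rm -v "$evidence_dir":/evidences:ro loki \
        -p /evidences --noprocscan --csv --onlyrelevant --dontwait
}

# Count ALERT and WARNING lines in CSV output read on stdin.
# Prints "alerts=N warnings=M".
summarize_csv() {
    awk -F, '
        $3 == "ALERT"   { a++ }
        $3 == "WARNING" { w++ }
        END { printf "alerts=%d warnings=%d\n", a + 0, w + 0 }
    '
}

# Map a summary line to an exit status: 2 = alerts, 1 = warnings only, 0 = clean.
verdict() {
    summary=$1
    alerts=${summary#alerts=}
    alerts=${alerts%% *}
    warnings=${summary#*warnings=}
    if [ "$alerts" -gt 0 ]; then
        echo 2
    elif [ "$warnings" -gt 0 ]; then
        echo 1
    else
        echo 0
    fi
}

# Constructed sample output in the assumed CSV shape, used for a dry run
# when no evidence directory is given on the command line.
SAMPLE_CSV='20230103T10:00:00Z,remnux,INFO,Starting Loki Scan
20230103T10:00:01Z,remnux,WARNING,FILE: /evidences/setup.exe SCORE: 70 TYPE: EXE
20230103T10:00:02Z,remnux,ALERT,FILE: /evidences/helper.dll SCORE: 120 TYPE: DLL'

summarize_sample() {
    printf '%s\n' "$SAMPLE_CSV" | summarize_csv
}

main() {
    if [ $# -eq 1 ]; then
        summary=$(run_scan "$1" | summarize_csv)
    else
        summary=$(summarize_sample)
    fi
    echo "$summary"
    exit "$(verdict "$summary")"
}

# Only run main when invoked as a script named loki-scan.sh, so the
# functions can also be sourced from another shell script.
case "${0##*/}" in
    loki-scan.sh) main "$@" ;;
esac
```

Save it as loki-scan.sh and run "sh loki-scan.sh /MalwareZoo/Evidences"; without an argument it only processes the embedded sample and prints "alerts=1 warnings=1". The exit status (2 for alerts, 1 for warnings only) is what lets a pipeline decide whether a human needs to look at the folder.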
Because the container runs Ubuntu, you can, of course, also mount disk images from loop devices directly inside the container and scan them:
remnux@remnux:/MalwareZoo/Evidences$ docker run --rm -it --privileged --entrypoint bash loki
root@d0256e7ad441:/opt/Loki# mount -o ro,loop,offset=1048576 /dev/loop1 /mnt
root@d0256e7ad441:/opt/Loki# python ./loki.py -p /mnt --noprocscan
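The "offset=1048576" in the mount command above is the first partition's start sector (2048) multiplied by the sector size (512), and it changes from image to image. The script below is an added example, not part of the diary: it reads an "fdisk -l" listing, computes that offset, and prints the mount command for a raw image file. The listing it contains is constructed sample data, and the script adds "noexec,nodev" to the mount options as a precaution the diary's command does not include. Mounting a regular image file with "loop" sets up the loop device automatically, but inside the container that still requires "--privileged", as shown above.

```shell
#!/bin/sh
# Added example (not from the diary): compute the "offset=" value needed to
# mount one partition out of a raw disk image. The byte offset is the
# partition's start sector times the sector size (1048576 = 2048 * 512 for a
# classic MBR first partition). The fdisk listing below is constructed.

# Byte offset of a partition: start sector * sector size (default 512).
part_offset() {
    echo $(( $1 * ${2:-512} ))
}

# Logical sector size from an "fdisk -l" listing read on stdin.
sector_size_from_fdisk() {
    awk '/^Sector size/ { print $4; exit }'
}

# Start sector of the first partition line (first field is a device path;
# skip the optional "*" boot flag in the second column).
first_partition_start() {
    awk '$1 ~ /^\// { s = ($2 == "*") ? $3 : $2; print s; exit }'
}

# Whole listing on stdin -> byte offset of the first partition.
offset_from_fdisk() {
    listing=$(cat)
    start=$(printf '%s\n' "$listing" | first_partition_start)
    size=$(printf '%s\n' "$listing" | sector_size_from_fdisk)
    part_offset "$start" "${size:-512}"
}

# Print the mount command for a raw image. ro,noexec,nodev keep the evidence
# untouched and stop anything on it from being executed by accident.
mount_cmd() {
    image=$1
    offset=$2
    printf 'mount -o ro,noexec,nodev,loop,offset=%s %s /mnt\n' "$offset" "$image"
}

# Constructed sample listing in "fdisk -l" layout (not a real image).
SAMPLE_FDISK='Disk /evidences/disk.raw: 100 MiB, 104857600 bytes, 204800 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos

Device               Boot Start    End Sectors Size Id Type
/evidences/disk.raw1 *     2048 204799  202752  99M  7 HPFS/NTFS/exFAT'

sample_offset() {
    printf '%s\n' "$SAMPLE_FDISK" | offset_from_fdisk
}

main() {
    image=$1
    offset=$(offset_from_fdisk)
    mount_cmd "$image" "$offset"
}

# Only run main when invoked as a script named loop-offset.sh.
case "${0##*/}" in
    loop-offset.sh) main "$@" ;;
esac
```

Inside the privileged container, "fdisk -l /evidences/disk.raw | sh loop-offset.sh /evidences/disk.raw" prints the exact mount line to run; for the sample listing that is "mount -o ro,noexec,nodev,loop,offset=1048576 /evidences/disk.raw /mnt". For an image with several partitions, run the mount once per partition with its own offset and scan each mount point separately.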
This Docker container works perfectly on my MacBook. No need to boot a Windows VM to scan a disk image...
[1] https://github.com/Neo23x0/Loki
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key