How to conduct incident response using LOKI scanner to detect malicious activity

LOKI is a IR tool created by Florian Roth. This tool will help you during the incident response situation when you are tasked to find malicious activity on the compromised system. After download the repo for linux, you will get loki.py tool there.

Download for Linux:

GitHub - Neo23x0/Loki: Loki - Simple IOC and YARA Scanner

Download for windows:

Releases · Neo23x0/Loki

First run the loki-upgrader.exe so that the tool can be ready with the latest signatures. Then use loki.exe on the target system that to be scanned.

loki-upgrader.exe
loki.exe -p C:\temp

It’s an open-source tool. In the backend it use yara rules to find malicious things on the system. Thats why loki requires yara and python to be installed on the linux system. For windows, it comes with pre-bundled executable.

Python comes by default with most of the linux distribution. Still I am showing you the commands:

Centos:

Centos usually comes with python3 pre-installed. 
Check it is installed or not using command python3 --version
If not then:
sudo yum install python3 python3-devel -y

Python 2 is no longer available in the default CentOS repositories. You can install Python 2 using the "EPEL" (Extra Packages for Enterprise Linux) repository. First, install EPEL if it's not already installed:
sudo yum install epel-release
sudo yum install python2

Ubuntu:

Most recent version of ubuntu, python3 comes pre-installed. 
Check it is installed or not using command python3 --version
If not then:
sudo apt update
sudo apt install python3

Python 2 is also not available in the default Ubuntu repositories for recent versions (e.g., 20.04 and later) because it has reached end-of-life. However, for older versions, you can install Python 2 using apt:
sudo apt update
sudo apt install python2

Now come to the main tool.

Loki install:

Install yara in debian based system:
sudo apt update
sudo apt install yara -y  (I have also installed yara before installing loki on my debian based system, but you can skip this part)

Install yara in centos:
sudo yum install epel-release -y
sudo yum update
sudo yum install yara yara-python -y

Install loki on centos/debian based system:
git clone https://github.com/Neo23x0/Loki.git

cd Loki

pip3 install -r requirements.txt

python loki.py -h  (to check what options are available)
or
python3 loki.py -h

python loki.py --update   (update the signature first)

Another way to install Loki on mac OS X or later and linux. Showing for centos. Debian based is almost same. Instead of yum you just need to use apt.

sudo yum install python3 -y (python3-pip will be automatically installed)
sudo yum install python3-devel -y

sudo pip3 install colorama yara-python psutil rfc5424-logging-handler netaddr

git clone https://github.com/Neo23x0/Loki.git

cd Loki/

sudo python3 loki-upgrader.py

sudo python3 loki.py

We found that Loki is not successfully installed on centos 7. May be there is some conflict with yara-python module. But it works in ubuntu well.

Completion of update signature

python loki.py -p <path to the malicious file>

image taken: tryhackme room

In the file1 directory there are some suspicious files present. We are using loki to scan those.

Thanks. Please Subscribe below.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos