github Neo23x0/Loki v0.21.0
LOKI version 0.21.0
on GitHub

latest releases: v0.51.0, v0.50.1, v0.50.0...
6 years ago
  • Separate loki-upgrader.exe (loki-upgrader.py) that allows upgrading the loki.exe program executable
  • Preparations for 3rd generation file name signature format

LOKI Upgrader

The upgrader allows upgrading program and signature files. The --update parameter in previous versions did only update the signature-base subdirectory. The upgrader is provided as separate script/program so that file locks on Windows systems do not interfere with upgrading the loki.exe program executable.

You can use the upgrader separately or start LOKI with the --update parameter. Using the --updateparameter will spawn a new loki-upgrader process and exit the loki process in order to update the program files. 

usage: loki-upgrader.py [-h] [-l log-file] [--sigsonly] [--progonly] [--nolog]
                        [--debug]

Loki - Upgrader

optional arguments:
  -h, --help   show this help message and exit
  -l log-file  Log file
  --sigsonly   Update the signatures only
  --progonly   Update the program files only
  --nolog      Don't write a local log file
  --debug      Debug output

3rd Generation File Name Signature Format

The new format extends the existing format by a third column that allows to include a regular expression to filter the matches.

This allows to define signatures for suspicious file locations, e.g.: 

Regex;Score;False Positive Regex

\\ncat\.exe;70;\\(bin|sbin)\\ncat\.exe
(?i)\\MsMpEng\.exe;60;(?i)\\(Microsoft Security Client|Windows Defender|AntiMalware)

The first signature matches on ncat.exe files that are NOT located in bin or sbin folders. The second one matches on all MsMpEng.exe executables found outside the three folders defined in the false positive expression.

This is a great method to detect anomalies as e.g. legitimate and signed program executables used in DLL side-loading or legitimate system file names in uncommon folders. Check @mbevilacqua's post on threat hunting and his AppCompatProcessor Repo for interesting ideas on suspicious executable file locations.

The problem with the 3rd generation file name signatures is that LOKI versions older than v0.21.0 will process the first two columns only and ignore the regular expression filter in the 3rd column. I therefore withhold some new signature updates for 'signature-base' in order to give everyone time to upgrade the LOKI version that they are using. I'll also include a notice for the new signatures that recommends upgrading the pre-0.21.0 versions of LOKI.

Check out latest releases or
releases around Neo23x0/Loki v0.21.0

Don't miss a new Loki release

NewReleases is sending notifications on new releases.

Get notifications