- Separate
loki-upgrader.exe
(loki-upgrader.py
) that allows upgrading theloki.exe
program executable - Preparations for 3rd generation file name signature format
LOKI Upgrader
The upgrader allows upgrading program and signature files. The --update
parameter in previous versions did only update the signature-base
subdirectory. The upgrader is provided as separate script/program so that file locks on Windows systems do not interfere with upgrading the loki.exe
program executable.
You can use the upgrader separately or start LOKI with the --update
parameter. Using the --update
parameter will spawn a new loki-upgrader
process and exit the loki
process in order to update the program files.
usage: loki-upgrader.py [-h] [-l log-file] [--sigsonly] [--progonly] [--nolog]
[--debug]
Loki - Upgrader
optional arguments:
-h, --help show this help message and exit
-l log-file Log file
--sigsonly Update the signatures only
--progonly Update the program files only
--nolog Don't write a local log file
--debug Debug output
3rd Generation File Name Signature Format
The new format extends the existing format by a third column that allows to include a regular expression to filter the matches.
This allows to define signatures for suspicious file locations, e.g.:
Regex;Score;False Positive Regex
\\ncat\.exe;70;\\(bin|sbin)\\ncat\.exe
(?i)\\MsMpEng\.exe;60;(?i)\\(Microsoft Security Client|Windows Defender|AntiMalware)
The first signature matches on ncat.exe
files that are NOT located in bin
or sbin
folders. The second one matches on all MsMpEng.exe
executables found outside the three folders defined in the false positive expression.
This is a great method to detect anomalies as e.g. legitimate and signed program executables used in DLL side-loading or legitimate system file names in uncommon folders. Check @mbevilacqua's post on threat hunting and his AppCompatProcessor Repo for interesting ideas on suspicious executable file locations.
The problem with the 3rd generation file name signatures is that LOKI versions older than v0.21.0 will process the first two columns only and ignore the regular expression filter in the 3rd column. I therefore withhold some new signature updates for 'signature-base' in order to give everyone time to upgrade the LOKI version that they are using. I'll also include a notice for the new signatures that recommends upgrading the pre-0.21.0 versions of LOKI.