9.1 Using LOKI
As a security analyst, you may need to research various threat intelligence reports, blog posts, etc. and gather information on the latest tactics and techniques used in the wild, past or present. Typically these readings share IOCs (hashes, IP addresses, domain names, etc.) and Yara rules so that you can create detections for these threats in your environment. On the flip side, you might find yourself in a situation where you've encountered something unknown that your security stack of tools can't or didn't detect. With tools such as Loki, you will need to add your own rules based on your threat intelligence gathering or on findings from an incident response engagement (forensics).
As mentioned before, Loki already has a set of Yara rules that we can benefit from and start scanning for evil on the endpoint straightaway.
Navigate to the Loki directory. Loki is located in the `tools` directory.
Run `python loki.py -h` to see what options are available.
If you are running Loki on your own system, the first command you should run is `python loki.py --update`. This will add the `signature-base` directory, which Loki uses to scan for known evil. This command was already executed within the attached VM.
Navigate to the `yara` directory. Feel free to inspect the different Yara files used by Loki to get an idea of what these rules will hunt for.
To run Loki, you can use the following command (note that I am calling Loki from within the file 1 directory)
Scenario: You are the security analyst for a mid-size law firm. A co-worker discovered suspicious files on a web server within your organization. These files were discovered while performing updates to the corporate website. The files have been copied to your machine for analysis. The files are located in the `suspicious-files` directory. Use Loki to answer the questions below.
Answer the questions below
Scan file 1. Does Loki detect this file as suspicious/malicious or benign?
How to: Instead of going to the file's location, you can stay in the Loki directory and use the command `python loki.py -p ~/suspicious-files/file1`; the `-p` option indicates the path to scan. Hit enter and Loki should be running now. Wait until it is done and you should see, in yellow at the bottom, the RESULTS line. The answer is in there.
Answer: suspicious
What Yara rule did it match on?
How to: If you look in the section above where you found the first answer you will see `REASON_1`; if you look to the right you will see the word MATCH, and the answer is right after it.
Answer: webshell_metaslsoft
What does Loki classify this file as?
How to: This can be found right underneath the answer to the previous question.
Answer: Web Shell
Hint: Check description
Based on the output, what string within the Yara rule did it match on?
How to: This can be found underneath the answer to the previous question; the string identifier is the key.
Answer: Str1
What is the name and version of this hack tool?
How to: This one was really difficult for me to find but once I did I kicked myself. Go down until you first see the Warning label. From there go to `FIRST_BYTES` and go all the way to the right. The answer is after the `*`.
Answer: b374k 2.2
Hint: Check first_bytes
Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?
How to: If you go up to the info section of your Loki scan you will see "Processing YARA rules at once", followed by a file path. Follow this path to the location of the YARA files. Then you need to find the file that deals with webshells (if you need help, look at the hint; I had to), then open it with nano. Now that you're in nano, press F6 to bring up the search, paste in the answer from question two, and you should be brought right to it. Now just scroll down and count how many strings there are, and you will have your answer.
Answer: 1
Hint: yara/thor-webshells.yar
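Counting the strings by hand in nano works for one rule, but a small script is handy when you want the same answer for every rule in a Yara file. The following is an added example, not code from the room or from Loki; it parses a constructed sample in the shape of Loki's rules (meta, strings, condition), not the real thor-webshells.yar, and maps each rule name to the identifiers in its `strings:` section.

```python
import re
# Constructed sample in the shape of the rules Loki ships (meta block,
# strings: section, condition). It is NOT the real thor-webshells.yar.
SAMPLE_RULES = r'''
rule webshell_example_one
{
    meta:
        description = "Web Shell - constructed sample, one string"
    strings:
        $Str1 = "eval(base64_decode(" ascii
    condition:
        $Str1
}
rule webshell_example_two
{
    meta:
        description = "Web Shell - constructed sample, three strings"
    strings:
        $s1 = "<?php" ascii
        $hex = { 3c 3f 70 68 70 }
        $re = /passthru\s*\(/ nocase
    condition:
        all of them
}
'''

RULE_RE = re.compile(r'^\s*(?:private\s+|global\s+)*rule\s+([A-Za-z_]\w*)', re.M)
STRING_RE = re.compile(r'^\s*(\$\w*)\s*=', re.M)

def rule_strings(text):
    """Map each rule name to the identifiers defined in its strings: section."""
    # Drop /* ... */ blocks and whole-line // comments before parsing.
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    text = re.sub(r'^\s*//[^\n]*', '', text, flags=re.M)
    rules = list(RULE_RE.finditer(text))
    result = {}
    for i, m in enumerate(rules):
        end = rules[i + 1].start() if i + 1 < len(rules) else len(text)
        body = text[m.end():end]
        start = re.search(r'^\s*strings\s*:', body, re.M)
        if start is None:  # rule with a bare condition and no strings
            result[m.group(1)] = []
            continue
        rest = body[start.end():]
        cond = re.search(r'^\s*condition\s*:', rest, re.M)
        result[m.group(1)] = STRING_RE.findall(rest[:cond.start()] if cond else rest)
    return result
if __name__ == "__main__":
    for name, ids in rule_strings(SAMPLE_RULES).items():
        print(f"{name}: {len(ids)} string(s) {ids}")
```

Point it at a real file with `rule_strings(open("yara/thor-webshells.yar").read())` and look up the rule name from the MATCH field to get the count without scrolling.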
Scan file 2. Does Loki detect this file as suspicious/malicious or benign?
How to: Run this scan the same way you did for file 1, `python loki.py -p ~/suspicious-files/file2`. The RESULTS line will have your answer.
Answer: benign
Inspect file 2. What is the name and version of this web shell?
How to: To inspect file 2, run the command `nano /home/cmnatic/suspicious-files/file2/1ndex.php`. At the top you will see the answer; just leave the word shell out of it.
Answer: b374k 3.2.3
Hint: Read the comments in the file