📔
Defense
  • Defense
  • Getting Started
    • Introductory Networking
      • Introduction
      • The OSI Model: An Overview
        • Answers
      • Encapsulation
        • Answers
      • The TCP/IP Model
        • Answers
      • Wireshark
        • Answers
      • Networking Tools - Ping
        • Answers
      • Networking Tools - Traceroute
        • Answers
      • Networking Tools - WHOIS
        • Answers
      • Networking Tools Dig
        • Answers
      • Further Reading
    • Network Services
      • Understanding SMB
        • Answers
      • Enumerating SMB
        • Answers
        • Untitled
      • Exploiting SMB
        • Answers
        • Untitled
      • Understanding Telnet
        • Answers
      • Enumerating Telnet
        • Answers
        • Untitled
      • Exploiting Telnet
        • Answers
        • Untitled
      • Understanding FTP
        • Answers
      • Enumerating FTP
        • Answers
        • Untitled
      • Exploiting FTP
        • Answers
        • Untitled
      • Expanding Your Knowledge
    • Network Services 2
      • Understanding NFS
        • Answers
      • Enumerating NFS
        • Answers
        • Untitled
      • Exploiting NFS
        • Answers
        • Untitled
      • Understanding SMTP
        • Answers
      • Enumerating SMTP
        • Answers
        • Untitled
      • Exploiting SMTP
        • Answers
        • Untitled
      • Understanding MYSQL
        • Answers
      • Enumerating MYSQL
        • Answers
        • Untitled
      • Exploiting MYSQL
        • Answers
        • Untitled
      • Further Learning
    • Wireshark 101
      • Introduction
      • Installation
      • Wireshark Overview
      • Collection Methods
      • Filtering Packets
      • Packet Dissection
      • ARP Traffic
        • Answers
      • ICMP Overview
        • Answers
      • TCP Traffic
      • DNS Traffic
        • Answers
      • HTTP Traffic
        • Answers
      • HTTPS Traffic
        • Answers
      • Analyzing Exploit PCAPS
      • Conclusion
    • !Intro to Windows
    • Active Directory Basics
      • Introduction
      • Physical Active Directory
        • Answers
      • The Forest
        • Answers
      • Users + Groups
        • Answers
      • Trusts + Policies
        • Answers
      • Active Directory Domain Services + Authentication
        • Answers
      • AD in the Cloud
        • Answers
      • Hands-On Lab
        • Answers
        • Untitled
      • Conclusion
    • !Windows Core Processes
    • !SysInternals
  • Threat and Vulnerability Management
    • !Nessus
      • Introduction
      • Installation
      • !Navigation and Scans
        • Answers
      • !Scanning
      • !Scanning a Web Application
    • MITRE
      • Introduction to Mitre
      • Basic Terminology
      • ATT&CK Framework
        • Answers
      • CAR Knowledge Base
        • Answers
      • Shield Active Defense
        • Answers
      • ATT&CK EmulationPlans
        • Answers
      • ATT&CK® and Threat Intelligence
        • Answers
      • Conclusion
    • Yara
      • Introduction
      • What is Yara?
        • Answers
      • Installing Yara (Ubuntu/Debian & Windows)
      • Deploy
      • Introduction to Yara Rules
      • Expanding on Yara Rules
      • Yara Modules
      • Other Tools and Yara
      • Using LOKI and its Yara rule set
        • Answers
        • Untitled
      • Creating Yara rules with yarGen
        • Answers
        • Untitled
      • Valhalla
        • Answers
      • Conclusion
    • Intro to ISAC
      • Introduction
      • Basic Terminology
      • What is Threat Intelligence?
      • What are ISACs?
      • Using Threat Connect to create a Threat Intel dashboard
      • Introduction to AlienVault OTX
      • Using OTX to gather Threat Intelligence
      • Creating IOCs
      • Investigating IOCs
        • Answers
    • Zero Logon
      • The Zero Day Angle
      • Impacket Installation
      • The Proof of Concept
        • Answers
      • Lab it up!
        • Answers
        • Untitled
    • !OpenVAS
    • !MISP
  • Security Operations and Monitoring
    • Splunk
    • Windows Event Logs
    • Sysmon
    • Suricata
    • Osquery
    • Graylog
    • OpenEDR
  • Threat Emulation
    • Attacktive Directory
    • Attacking Kerberos
    • Atomic Red Team
  • Incident Response and Forensics
    • Volatility
    • Forensics
    • Investigating Windows
    • Windows Forensics
    • Redline
    • Autopsy
  • Malware Analysis and Reverse Engineering
    • History of Malware
    • Malware Introductory
    • Researching
    • Strings
    • Basic Malware RE
    • REMnux: The Redux
    • Reversing .NET Apps
Powered by GitBook
On this page

Was this helpful?

  1. Threat and Vulnerability Management
  2. Yara

Using LOKI and its Yara rule set

PreviousOther Tools and YaraNextAnswers

Last updated 4 years ago

Was this helpful?

Password: infected

9.1 Using LOKI As a security analyst, you may need to research various threat intelligence reports, blog postings, etc. and gather information on the latest tactics and techniques used in the wild, past or present. Typically in these readings, IOCs (hashes, IP addresses, domain names, etc.) will be shared so rules can be created to detect these threats in your environment, along with Yara rules. On the flip side, you might find yourself in a situation where you've encountered something unknown, that your security stack of tools can't/didn't detect. Using tools such as Loki, you will need to add your own rules based on your threat intelligence gathers or findings from an incident response engagement (forensics). As mentioned before, Loki already has a set of Yara rules that we can benefit from and start scanning for evil on the endpoint straightaway. Navigate to the Loki directory. Loki is located in the tools. Run python loki.py -h to see what options are available. If you are running Loki on your own system, the first command you should run is --update. This will add the signature-base directory, which Loki uses to scan for known evil. This command was already executed within the attached VM. Navigate to the yara directory. Feel free to inspect the different Yara files used by Loki to get an idea of what these rules will hunt for. To run Loki, you can use the following command (note that I am calling Loki from within the file 1 directory) Scenario: You are the security analyst for a mid-size law firm. A co-worker discovered suspicious files on a web server within your organization. These files were discovered while performing updates to the corporate website. The files have been copied to your machine for analysis. The files are located in the suspicious-files directory. Use Loki to answer the questions below.

Scan file 1. Does Loki detect this file as suspicious/malicious or benign?

What Yara rule did it match on?

What does Loki classify this file as?

Based on the output, what string within the Yara rule did it match on?

What is the name and version of this hack tool?

Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?

Scan file 2. Does Loki detect this file as suspicious/malicious or benign?

Inspect file 2. What is the name and version of this web shell?

97KB
Malware.7z
Malware