http://open-source-security-software.net/project/Loki/releases.atom 2024-05-06T13:55:50.134412+00:00 python-feedgen Loki v0.14.0 2016-02-15T08:35:41+00:00 - first release - stable version DISCLAIMER Use on your own risk in production environments! There are some files and directories that should not be read by scanners like LOKI. Those folders and files receive a special treatment by THOR and are not automatically excluded or skipped by LOKI. Please see the following links for more details: Windows https://support.microsoft.com/en-us/kb/822158 Citrix https://www.citrix.com/blogs/2013/09/22/citrix-consolidated-list-of-antivirus-exclusions/ Other 3rd party products https://esupport.trendmicro.com/solution/en-US/1059795.aspx 2016-02-15T08:35:41+00:00 Loki v0.17.0 2016-10-07T06:48:23+00:00 - Massively improved speed 2016-10-07T06:48:23+00:00 Loki v0.18.1 2016-12-10T10:11:50+00:00 New 0.18.1 - now provided as release package with automatic signature-base initialisation - Removed 'loki.exe' from source repository  From 0.18.0 - Consolidated file scan message lines - New combined score on file scan events (only shows one event per matched file - New result line with total of alerts, warnings and notices - File modification time stamps MAC - File size - set custom message type levels (e.g. -a 300 to generate an alert with score 300 or higher) - Log lines in file output contain the message type (e.g. LOKI: Warning: ...) 2016-12-10T10:11:50+00:00 Loki v0.18.2 2016-12-21T13:27:47+00:00 Bugfix Release - Fixes Unicode bugs in command line output 2016-12-21T13:27:47+00:00 Loki v0.19.0 2017-01-30T20:14:23+00:00 - Fixed the Update / Signature Download Routine 2017-01-30T20:14:23+00:00 Loki v0.19.1 2017-02-07T09:46:46+00:00 - Shows new signature files during the update process ``` [INFO] Retrieving signature database from git repo https://github.com/Neo23x0/signature-base [INFO] Downloading https://github.com/Neo23x0/signature-base/archive/master.zip ... [INFO] New signature file: apt_servantshell.yar [INFO] Update successful ``` 2017-02-07T09:46:46+00:00 Loki 0.20.0 2017-04-24T19:53:45+00:00 - Double Pulsar Rootkit Check provided by @jukelennings @countercept https://github.com/countercept/doublepulsar-detection-script - Double Pulsar XOR key calculation provided by @FireFart - Bugfix: Result messages noting suspicious indicators caused by outdated/non-existent signatures  2017-04-24T19:53:45+00:00 Loki 0.20.1 2017-04-25T14:21:46+00:00 - Bugfix: Unicode decode error in rootkit check - Pushed source code changes from the 0.20.0 release 2017-04-25T14:21:46+00:00 Loki 0.20.2 2017-05-13T17:17:15+00:00 - Increased the default for the maximum file size 2017-05-13T17:17:15+00:00 Loki v0.21.0 2017-06-12T18:03:13+00:00 - Separate `loki-upgrader.exe` (`loki-upgrader.py`) that allows upgrading the `loki.exe` program executable - Preparations for 3rd generation file name signature format # LOKI Upgrader The upgrader allows upgrading program and signature files. The `--update` parameter in previous versions did only update the `signature-base` subdirectory. The upgrader is provided as separate script/program so that file locks on Windows systems do not interfere with upgrading the `loki.exe` program executable. You can use the upgrader separately or start LOKI with the `--update` parameter. Using the `--update`parameter will spawn a new `loki-upgrader` process and exit the `loki` process in order to update the program files. ``` usage: loki-upgrader.py [-h] [-l log-file] [--sigsonly] [--progonly] [--nolog] [--debug] Loki - Upgrader optional arguments: -h, --help show this help message and exit -l log-file Log file --sigsonly Update the signatures only --progonly Update the program files only --nolog Don't write a local log file --debug Debug output ``` # 3rd Generation File Name Signature Format The new format extends the existing format by a third column that allows to include a regular expression to filter the matches. This allows to define signatures for suspicious file locations, e.g.: ``` Regex;Score;False Positive Regex \\ncat\.exe;70;\\(bin|sbin)\\ncat\.exe (?i)\\MsMpEng\.exe;60;(?i)\\(Microsoft Security Client|Windows Defender|AntiMalware) ``` The first signature matches on `ncat.exe` files that are NOT located in `bin` or `sbin` folders. The second one matches on all `MsMpEng.exe` executables found outside the three folders defined in the false positive expression. This is a great method to detect anomalies as e.g. legitimate and signed program executables used in DLL side-loading or legitimate system file names in uncommon folders. Check @mbevilacqua's [post on threat hunting](https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/) and his [AppCompatProcessor Repo](https://github.com/mbevilacqua/appcompatprocessor) for interesting ideas on suspicious executable file locations. The problem with the 3rd generation file name signatures is that LOKI versions older than v0.21.0 will process the first two columns only and ignore the regular expression filter in the 3rd column. I therefore withhold some new signature updates for 'signature-base' in order to give everyone time to upgrade the LOKI version that they are using. I'll also include a notice for the new signatures that recommends upgrading the pre-0.21.0 versions of LOKI. 2017-06-12T18:03:13+00:00 Loki v0.22.0 2017-06-17T12:16:38+00:00 * Platform dependant line separator in log files (`\r\n` on Windows, `\n` on other platforms) * System name in default log file (e.g. `loki-WORKSTATION1.log`) * Bugfix: unicode characters in OSError messages during directory walk 2017-06-17T12:16:38+00:00 Loki v0.22.1 2017-07-04T10:29:27+00:00 - Making Double Pulsar rootkit check optional (`--rootkit`) due to issue with [Symantec Endpoint Protection](https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=21331) 2017-07-04T10:29:27+00:00 Loki v0.23.0 2017-07-26T04:59:07+00:00 - Feature: Remote syslog logging feature (-r syslogserver) - Feature: Statistical script analysis to detect obfuscated code (--scriptanalysis) - Change: Reduced 'Warning' level score from 70 to 60 Send LOKI's logs to a remote syslog server (e.g. Splunk)   Script analysis (first POC; optional)   2017-07-26T04:59:07+00:00 Loki v0.23.1 2017-07-27T15:42:23+00:00 - Bugfix: Removed predefined string excludes 2017-07-27T15:42:23+00:00 Loki 0.23.2 2017-07-30T09:56:19+00:00 - Bugfix in `filename` parameter that is used in YARA matching 2017-07-30T09:56:19+00:00 Loki v0.23.3 2017-08-01T15:52:23+00:00 - Bugfix: Unicode filename passed to YARA matching as external variable 2017-08-01T15:52:23+00:00 Loki v0.24.0 2017-08-15T10:15:05+00:00 - Integration of [IceWater's public YARA signatures](https://github.com/SupportIntelligence/Icewater) to improve the coverage of common malware families - Showing 'references' in YARA rule matches    2017-08-15T10:15:05+00:00 Loki v0.24.1 2017-08-15T19:15:27+00:00 - Upgraded YARA from 3.5.0 to 3.6.2 The upgrade provides full support for PE module features used in LOKI's 'signature-base'. Issues: with "pe.imphash" 2017-08-15T19:15:27+00:00 Loki v0.24.2 2017-10-11T17:23:23+00:00 - Disabled IceWater YARA rule download until yara-python supports `hash.md5()` again (feature is missing in yara-python-3.6.3) 2017-10-11T17:23:23+00:00 Loki v0.24.3 2017-11-16T22:21:21+00:00 - Various bugfixes - Python3 compatibility 2017-11-16T22:21:21+00:00 Loki v0.25.0 2017-11-30T19:09:40+00:00 - Support for encrypted private YARA rules (only available in [custom build](https://github.com/Neo23x0/Loki#package-loki-with-a-private-rule-set)) - Build with PyInstaller 3.3 - Build scripts and specs - Bugfix: Python3 support refactoring broke a loki-upgrader.py section 2017-11-30T19:09:40+00:00 Loki v0.26.0 2018-01-01T20:59:56+00:00 - [PE-Sieve](https://github.com/hasherezade/pe-sieve) integration - for more info see @hasherezade's [tool page](https://hshrzd.wordpress.com/pe-sieve/) and [blog post](https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/) on process anomalies   2018-01-01T20:59:56+00:00 Loki v0.26.1 2018-02-13T11:18:27+00:00 - New hash IOC whitelist - Better hostname evaluation on Linux / OSX - Code refactoring - Better messages 2018-02-13T11:18:27+00:00 Loki v0.26.2 2018-02-19T13:53:33+00:00 - Bugfix: Removed legacy code for old filename IOC format that caused problems with newest filename IOC format (many false positives with negative score values in "description" and a score of "60") 2018-02-19T13:53:33+00:00 Loki v0.27.0 2018-03-17T09:00:03+00:00 - Log format of TEXT and SYSLOG output changed and now includes the reporting module - Bugfix: Don't run PESieve on Windows XP # Log Format Changes From: ``` LOKI: [Level]: [Message] ``` To: ``` LOKI: [Level]: MODULE: [Module] MESSAGE: [Message] ```  # Splunk App & Add-on The changes to the log format allow you to use the THOR Splunk App and Addon for your LOKI log file analysis THOR App https://splunkbase.splunk.com/app/3717/ THOR Addon https://splunkbase.splunk.com/app/3718/  Make sure to: 1. Select the sourcetype "thor" for your inputs  2. Set the index to be "searched by default" if you create a new index  IMPORTANT: I will not support every dashboard but the App helps to you search and filter the LOKI results based on fields. The most important dashboard named "Universal Dashboard" should work. If you want to fix or improve other dashboard views, please send me your improvements. All this work (LOKI, the signatures and the Apps) are offered for free and most of the work is done in my spare time on weekends. Please consider this before reporting bugs in the dashboards that could be fixed in 2 minutes of your own time. If you want Enterprise grade tools and support, please visit our website and ask for a trial https://www.nextron-systems.com of such tools. 2018-03-17T09:00:03+00:00 Loki v0.27.1 2018-04-10T21:50:42+00:00 - Bugfix in process memory scan (thx to Didier) 2018-04-10T21:50:42+00:00 Loki v0.27.2 2018-04-12T22:38:37+00:00 - Upgrade to [PESieve v0.0.9.9.9](https://github.com/hasherezade/pe-sieve/releases/tag/v0.0.9.9.9) 2018-04-12T22:38:37+00:00 Loki v0.27.3 2018-04-12T22:51:59+00:00 - Added support for PESieve's "implanted" process detection 2018-04-12T22:51:59+00:00 Loki v0.27.4 2018-04-13T23:04:07+00:00 - Using the new JSON output of [PE-Sieve](https://github.com/hasherezade/pe-sieve) by @hasherezade  2018-04-13T23:04:07+00:00 Loki v0.27.5 2018-04-14T07:10:54+00:00 - Bugfix: Removed demo code 2018-04-14T07:10:54+00:00 Loki v0.28.0 2018-04-14T10:44:35+00:00 - Don't show every rule during startup but only a count (use --debug to see them) - LOKI upgrader allows a signature clean-up to handle errors caused by old (most likely renamed) rules (--clean) - Bugfix: Exclude LOKI's processes from checks - Bugfix: Error fix in loki-upgrader (cannot create output directory) 2018-04-14T10:44:35+00:00 Loki v0.28.1 2018-06-08T14:45:31+00:00 - Minor bugfix: handle cases in which PESieve didn't produce JSON output (some error) 2018-06-08T14:45:31+00:00 Loki v0.28.2 2018-09-26T12:22:14+00:00 - Upgraded [PE-Sieve](https://github.com/hasherezade/pe-sieve) to v0.1.4.3 2018-09-26T12:22:14+00:00 Loki v0.29.0 2019-01-02T09:27:56+00:00 - Feature: New Plugin Framework provided by @DidierStevens - Bugfix: Generic method to avoid unicode decode errors   2019-01-02T09:27:56+00:00 Loki v0.29.1 2019-01-02T20:46:05+00:00 - Upgraded PE-Sieve version from 1.4.3 to 1.6.0 2019-01-02T20:46:05+00:00 Loki v0.29.2 2019-03-15T06:22:22+00:00 - Upgraded [PE-Sieve](https://github.com/hasherezade/pe-sieve/releases/tag/v0.1.7) version from 0.1.6 to 0.1.7 2019-03-15T06:22:22+00:00 Loki v0.30.0 2019-08-27T06:49:00+00:00 Changes due to [pull requests](https://github.com/Neo23x0/Loki/pull/133) by @s3c - Added --syslogtcp, allowing TCP syslog servers, was easier with our Splunk setup - Included pywin32, setuptools==19.2, and rfc5424-logging-handler in pip command, latter to enable rfc5424 compatible syslog logging - Fixed exception handler for #51 (not sure why this triggered for me since there is a check before this func is called in init, might be because subfolder didn't exist for some reason) - Added date and time to default filename - Added ability to specify log directory independant of filename, which is useful for automation that pushes logs to a fileshare (the new default filename which contains the hostname and time is used) - Added OS path conversion for portability, needed for parsing data within SOAR platform as well as running loki from a webdav share (so we don't have to store any files on the host) - Enabled pe-sieve shellcode search, nice extra check - Added some argument sanity checking - Added rfc5424logging compatible syslog logging (splunk parsing with linux_messages_syslog) - Made minor changes to logging output to allow Splunk to easily parse syslog messages (just removed a colon) - Renamed command line flag --printAll to lowercase, to match format of others - Updated build script for python x64 compatibility - Added process name whitelist, and switch to disable pesieve, since some EDR solutions get really upset when you touch them - Added switch to ignore network comms checks Change by me - Upgrade to PE-Sieve version [0.2.2](https://github.com/hasherezade/pe-sieve/releases/tag/v0.2.2) 2019-08-27T06:49:00+00:00 Loki v0.30.1 2019-08-27T09:32:03+00:00 fix: issue with PyInstaller including pyconfig.h ``` WARNING: file already exists but should not: C:\Users\...\AppData\Local\Temp\_MEI31642\include\pyconfig.h ``` 2019-08-27T09:32:03+00:00 Loki v0.30.2 2019-08-28T12:23:32+00:00 - Making PE-Sieve shellcode search optional #134 2019-08-28T12:23:32+00:00 Loki v0.30.3 2019-08-29T17:46:43+00:00 - fix: prebuilt loki.exe binary in 0.30.2 release was built from source code of 0.30.1 (still had shellcode detection as default) 2019-08-29T17:46:43+00:00 Loki v0.30.4 2019-10-16T15:10:58+00:00 - fix: fixing handle access error in PE-Sieve scan 2019-10-16T15:10:58+00:00 Loki v0.30.5 2020-01-28T09:09:54+00:00 - PESieve update to v0.2.4 2020-01-28T09:09:54+00:00 Loki v0.30.6 2020-03-12T13:08:18+00:00 - Upgrade PE-Sieve to [v0.2.5](https://github.com/hasherezade/pe-sieve/releases/tag/v0.2.5) 2020-03-12T13:08:18+00:00 Loki v0.30.7 2020-05-18T07:05:56+00:00 - Upgraded PE Sieve to v0.2.6.1 - Changed `hooked` to `patched` to comply with ne PESieve JSON output field 2020-05-18T07:05:56+00:00 Loki v0.30.8 2020-06-15T07:51:09+00:00 - Upgrade to PE-Sieve 0.2.7 - Fixed some bugs and false positives 2020-06-15T07:51:09+00:00 Loki v0.31.0 2020-06-30T19:38:41+00:00 - Integration of YARA rules provided by [Reversing Labs](https://github.com/reversinglabs/reversinglabs-yara-rules) - PE-Sieve upgrade to version [0.2.7.1](https://github.com/hasherezade/pe-sieve/releases/tag/v0.2.7.1)  2020-06-30T19:38:41+00:00 Loki v0.31.1 2020-07-07T10:34:25+00:00 - Fixes problems with upgrader since ReversingLabs decided to rename the `master` branch 2020-07-07T10:34:25+00:00 Loki v0.32.0 2020-09-11T15:10:03+00:00 - Skip incompatible rules from ReversingLabs (blocklist.yara with YARA 4 syntax) - Support for new C2 IOC file format 2020-09-11T15:10:03+00:00 Loki 0.32.1 2020-10-19T08:36:04+00:00 - Upgraded PE-Sieve and PE-Sieve event handling by @hasherezade 2020-10-19T08:36:04+00:00 Loki 0.33.0 2021-01-08T09:00:48+00:00 - Performance improved hash search provided by @2d4d in https://github.com/Neo23x0/Loki/pull/153 2021-01-08T09:00:48+00:00 Loki 0.40b 2021-02-27T18:24:56+00:00 - changed code to support Python 3 - new build using PyInstaller 4.2 on Windows 10 - removed some unneeded modules and structures: reginfs, plugins, pylzma requirement by custom encrypted signatures   2021-02-27T18:24:56+00:00 Loki 0.40b_02 2021-02-28T14:12:56+00:00 - Build with patch from https://github.com/pyinstaller/pyinstaller/pull/5580 to reduce AV engine matches Before https://www.virustotal.com/gui/file/3d8ff612de481707fa706952a894d904a4132d28ccae963813137eca063297d5/detection  After https://www.virustotal.com/gui/file/eb4015587a19a296d314359af969f33dae53518bd715ea196edf1bc5b0c3e3ab/detection  2021-02-28T14:12:56+00:00 Loki 0.40.1 2021-03-04T14:15:33+00:00 - removed tracebacks for permission denied errors during file walk while scanning as non-admin user 2021-03-04T14:15:33+00:00 Loki 0.41.0 2021-04-28T06:59:08+00:00 - build with YARA 4.1.0 - performance improvements (20-35%) - lower memory usage 2021-04-28T06:59:08+00:00 Loki 0.41.2 2021-07-15T07:26:42+00:00 - fix: multiple Cobalt Strike rule matches on a single process could cause a false negative message saying that LOKI shows "too many matches on process memory" and prints a "WARNING" level message that states "most likely a false positive" - we've increased the threshold from 3 to 5 different rules https://github.com/Neo23x0/Loki/pull/180 2021-07-15T07:26:42+00:00 Loki 0.42.0 2021-07-20T12:36:15+00:00 - vulnerability check: local SAM database readable by every user  2021-07-20T12:36:15+00:00 Loki 0.42.1 2021-07-20T16:09:25+00:00 - docs: better description of Hive Permission bug - fix: typos in some words 2021-07-20T16:09:25+00:00 Loki 0.42.2 2021-07-20T20:02:03+00:00 - trying to fix unicode decode issues for some users 2021-07-20T20:02:03+00:00 Loki 0.42.3 2021-07-24T06:15:25+00:00 - refactor: making the vulnerability check optional 2021-07-24T06:15:25+00:00 Loki 0.43.0 2021-08-23T09:59:47+00:00 - feat: rule author output to comply with [DRL 1.1](https://github.com/Neo23x0/signature-base/blob/master/LICENSE) (new signature-base license)  2021-08-23T09:59:47+00:00 Loki 0.44.0 2021-08-25T07:54:02+00:00 - new command line flags `--allhds` and `--alldrives` allow scanning all local hard drives or all drives in general including removable drives and network drives - You can use `--force` to force scan a directory that has been excluded by default (e.g. `/dev`, `/media`, `/mnt` etc.) - The usage description in the README has been updated 2021-08-25T07:54:02+00:00 Loki v0.44.1 2021-09-06T12:03:25+00:00 - workaround for "owner" field supported in THOR only 2021-09-06T12:03:25+00:00 Loki v0.44.2 2021-09-29T11:41:45+00:00 - fix: comparison issue - fix: custom IOC initialisation issue - fix: allow different python version 2021-09-29T11:41:45+00:00 Loki v0.45.0 2022-07-25T09:25:49+00:00 - build with [YARA](https://github.com/VirusTotal/yara) [4.1.3](https://github.com/VirusTotal/yara-python/releases/tag/v4.1.3) - [PESieve](https://github.com/hasherezade/pe-sieve) update to [v0.3.4](https://github.com/hasherezade/pe-sieve/releases/tag/v0.3.4) 2022-07-25T09:25:49+00:00 Loki v0.46.0 2023-04-24T20:16:18+00:00 - package upgrades - support for new hash IOC format (2nd column contains score) - PE-Sieve upgrade the new hash IOC format, which we're using in THOR for quite some time (with an optional 2nd column), allows us to set a score for hash IOCs, e.g. this new hash IOC list for malicious/vulnerable drivers from [LOLDrivers](https://github.com/magicsword-io/LOLDrivers) project  2023-04-24T20:16:18+00:00 Loki v0.46.1 2023-04-25T06:44:17+00:00 - change wording when hash score is low ("Malware Hash" to "Suspicious Hash")  2023-04-25T06:44:17+00:00 Loki v0.46.2 2023-04-25T08:34:38+00:00 - LAST 32bit version of the LOKI Windows binary - fix: downgrading PE-Sieve to version 0.3.4 due to stability issues 2023-04-25T08:34:38+00:00 Loki v0.50.0 2023-05-10T15:18:35+00:00 - first release in which `loki.exe` and `loki-upgrader.exe` are a x64 binaries (better in-memory detection, changes in how SysWow64 / Sysnative gets processed etc.) - end of x86 support / no pre-build executables anymore (the last 32bit version is [LOKI version 0.46.2](https://github.com/Neo23x0/Loki/releases/tag/v0.46.2)) - fix: aligned with new PE-Sieve JSON output structure 2023-05-10T15:18:35+00:00 Loki v0.50.1 2023-05-11T10:12:46+00:00 - fix: since we're still using the stable old version of PE-Sieve, the JSON structure change had to be reverted - fix: string match display broke with yara-python upgrade (new structure) 2023-05-11T10:12:46+00:00 Loki v0.51.0 2023-05-18T18:16:57+00:00 - PE-Sieve upgraded to fixed [version 0.3.6](https://github.com/hasherezade/pe-sieve/releases/tag/v0.3.6) 2023-05-18T18:16:57+00:00