Endpoint Incident Response using - Loki IOC and YARA Scanner
LOKI is a simple IOC and YARA scanner. It is used to detect intrusion and infection on the system by scanning the system through signatures.
LOKI’s detection is based on four methods:
- File Name IOC which uses regex pattern to match on the full file path/name.
- YARA Rule Check which uses yara rules signatures to match on file data and process memory.
- Hash Check which is used to compare known malicious hashes with scanned files.
- C2 Back Connect Check which is used to compare connection on endpoints with C2 IOC’s
From an incident response perspective, identifying the patient zero during the incident or an infection is just the tip of the ice berg. A responder must gather evidence, artifacts, and data about the compromised systems and having the right tool to execute these actions is a must. Not only it automate everything, but it also helps the responder to reduce the time to solve the issue.