How to add IOCs to Loki signature base?

Use the ‘score’ value to define the level of the message upon a signature match. You can add hash, c2 and filename IOCs by adding files to the ‘./signature-base/iocs’ subfolder. All hash IOCs and filename IOC files must be in the format used by LOKI (see the default files).

How to check for Loki simple IOC in Yara?

1. File Name IOC: regex match on the full file path/name
2. Yara Rule Check: Yara signature match on file data and process memory
3. Hash Check: compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
4. C2 Back Connect Check: compares process connection endpoints with C2 IOCs (new since version v.10)

Where can I find Loki script on GitHub?

Loki uses a filename regex or hash only once (no performance impact). The threat intel receivers have also been moved to the signature-base sub-repository with version 0.15 and can be found in “./signature-base/threatintel”. Provide your API key via -k APIKEY or set it in the script header.

What are the detection methods of Loki simple IOC?

Detection is based on four detection methods:
1. File Name IOC: regex match on the full file path/name
2. Yara Rule Check: Yara signature match on file data and process memory
3. Hash Check: compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
4. C2 Back Connect Check: compares process connection endpoints with C2 IOCs

Where to find excludes.cfg file in Loki?

Since version v0.16.2 LOKI supports the definition of user-defined excludes via “excludes.cfg” in the new “./config” folder. Each line represents a regular expression that gets applied to the full file path during the directory walk.
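As an added illustration (not LOKI's own code) of how the score value, the filename and hash IOC checks and the excludes.cfg regexes described above fit together, the following Python scanner loads a filename IOC list with scores, a hash IOC list and an excludes list, walks a constructed directory and reports hits by level. The "regex;score" and "hash;description" line layouts and the level thresholds (80/60/40) are assumptions modelled on LOKI's defaults; check the default files in ./signature-base/iocs for the authoritative format.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample IOC content. The "regex;score" and "hash;description" line
# layouts and the level thresholds are assumptions modelled on LOKI's defaults.
BAD_BYTES = b"constructed sample of known-bad file content"
HASH_IOCS = hashlib.sha256(BAD_BYTES).hexdigest() + ";constructed sample hash IOC"
FILENAME_IOCS = "# constructed filename IOC\n" + r"(?:^|[/\\])svchost\.tmp$;70"
EXCLUDES = "# constructed excludes.cfg\n" + r"(?:^|[/\\])cache[/\\]"
LEVELS = ((80, "ALERT"), (60, "WARNING"), (40, "NOTICE"))

def ioc_lines(text):
    # Skip blank lines and '#' comment lines before parsing IOC entries.
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def load_iocs(filename_text, hash_text, excludes_text):
    fn = [(re.compile(r, re.I), int(s)) for r, s in (l.rsplit(";", 1) for l in ioc_lines(filename_text))]
    hashes = dict((l.split(";", 1)[0].lower(), l.split(";", 1)[1]) for l in ioc_lines(hash_text))
    excl = [re.compile(l, re.I) for l in ioc_lines(excludes_text)]
    return fn, hashes, excl

def score_level(score):
    # Map a numeric score to a message level (assumed thresholds).
    return next((name for limit, name in LEVELS if score >= limit), "INFO")

def scan(root, fn_iocs, hash_iocs, excludes):
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if any(e.search(path) for e in excludes):
                continue  # excludes.cfg regexes are matched against the full path
            for rx, score in fn_iocs:
                if rx.search(path):  # filename IOC regex on the full path/name
                    hits.append((path, "filename", score_level(score)))
            with open(path, "rb") as f:
                data = f.read()
            for algo in ("md5", "sha1", "sha256"):
                if hashlib.new(algo, data).hexdigest() in hash_iocs:
                    hits.append((path, "hash:" + algo, score_level(100)))  # hash hit assumed score 100
    return hits

def demo():
    # Build a constructed tree: one filename hit, one excluded copy, one hash hit.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "cache"))
    for rel, data in (("svchost.tmp", b"x"), ("cache/svchost.tmp", b"x"), ("dropped.bin", BAD_BYTES)):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    hits = scan(root, *load_iocs(FILENAME_IOCS, HASH_IOCS, EXCLUDES))
    return sorted((os.path.basename(p), reason, lvl) for p, reason, lvl in hits)
```

Running demo() reports the filename hit at WARNING (score 70), the hash hit at ALERT, and nothing for the copy under the excluded cache directory.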

Is there a way to run Loki as an administrator?

Right-click on loki.exe and select “Run as Administrator”, or open a command line (“cmd.exe”) as Administrator and run it from there. You can also run LOKI without administrative privileges, but some checks will be disabled and relevant objects on disk will not be accessible.