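name: Windows.EventLogs.Loki
description: |
  [Loki](https://github.com/Neo23x0/Loki) is a
  Scanner for Simple Indicators of Compromise.

  This artifact runs Loki on the endpoint against the specified
  directory, and generates and uploads a single CSV
  file for further analysis. The CSV is written to a temporary
  directory created for this collection and named by the LogFile
  parameter; the Results source parses that same file.

  With Update=Y (the default) Loki first refreshes its signature-base
  from the network on the endpoint; set Update=N to scan only with the
  signatures bundled in the pinned release.
author: Jannik Schmied (Artifact), Florian Roth (Loki) @nextronsystems
tools:
  # The release zip is pinned by version and hash; FetchBinary verifies
  # expected_hash before the archive is unpacked on the endpoint.
  - name: Loki-0.51.0
    url: https://github.com/Neo23x0/Loki/releases/download/v0.51.0/loki_0.51.0.zip
    expected_hash: 32d340d982b91616bd966da8a5807d4eac7febb1d0e87da1acee7cd8c9d295ae
    version: 0.51.0
precondition: SELECT OS From info() where OS = 'windows'
parameters:
  # Every parameter below is passed to loki.exe as its own argv element
  # (see the cmdline construction in the Upload source), never through a
  # shell, so no quoting or escaping is applied to the values.
  - name: Path
    description: "Path to scan"
    type: str
    default: "C:\\"
  - name: Kilobyte
    description: "Maximum file size to check in KB (default 5000 KB)"
    type: str  # int; kept as str because it is handed to execve as a string argument
    default: "5000"
  - name: LogFile
    description: "Log file name (created inside the collection's temp directory)"
    type: str
    default: "loki_results.csv"
  - name: RemoteLogHost
    description: "Remote syslog system"
    type: str
    default: ""
  - name: RemoteSyslogPort
    description: "Remote syslog port"
    type: str  # int
    default: "514"
  - name: AlertLevel
    description: "Alert score"
    type: str  # int
    default: "100"
  - name: WarningLevel
    description: "Warning score"
    type: str  # int
    default: "60"
  - name: NoticeLevel
    description: "Notice score"
    type: str  # int
    default: "40"
  - name: AllHardDrives
    description: "Scan all local hard drives (Windows only)"
    type: bool
    default: N
  - name: AllDrives
    description: "Scan all drives (including network drives and removable media)"
    type: bool
    default: N
  - name: PrintAll
    description: "Print all files that are scanned"
    type: bool
    default: N
  - name: AllReasons
    description: "Print all reasons that caused the score"
    type: bool
    default: N
  - name: NoProcScan
    description: "Skip the process scan"
    type: bool
    default: N
  # NoFileScan was declared three times in the original list; a single
  # declaration is kept so the parameter name is unambiguous.
  - name: NoFileScan
    description: "Skip the file scan"
    type: bool
    default: N
  - name: VulnChecks
    description: "Run the vulnerability checks"
    type: bool
    default: N
  - name: NoLevCheck
    description: "Skip the Levenshtein distance check"
    type: bool
    default: N
  - name: ScriptAnalysis
    description: "Statistical analysis for scripts to detect obfuscated code (beta)"
    type: bool
    default: N
  - name: Rootkit
    # Wording mirrors Loki's own help for --rootkit: the flag skips the check.
    description: "Skip the rootkit check"
    type: bool
    default: N
  - name: NoIndicator
    description: "Do not show a progress indicator"
    type: bool
    default: N
  - name: DontWait
    description: "Do not wait on exit"
    type: bool
    default: N
  - name: Intense
    description: "Intense scan mode (also scan unknown file types and all extensions)"
    type: bool
    default: N
  - name: Csv
    description: "Write CSV log format to STDOUT (machine processing)"
    type: bool
    default: Y
  - name: OnlyRelevant
    description: "Only print relevant warnings or alerts"
    type: bool
    default: N
  - name: NoLog
    description: "Do not write a local log file"
    type: bool
    default: N
  - name: Update
    # Runs "loki.exe --update" on the endpoint before scanning. The fetched
    # signatures are not hash-pinned the way the tool zip is.
    description: "Update the signatures from the \"signature-base\" sub repository"
    type: bool
    default: Y
  - name: Debug
    description: "Debug output"
    type: bool
    default: N
  - name: MaxWorkingSet
    description: "Maximum working set size of processes to scan (in MB, default 100 MB)"
    type: str  # int
    default: "100"
  - name: SysLogTcp
    description: "Use TCP instead of UDP for syslog logging"
    type: bool
    default: N
  - name: LogFolder
    description: "Folder to use for logging when log file is not specified"
    type: str
    default: ""
  - name: NoPeSieve
    description: "Do not perform pe-sieve scans"
    type: bool
    default: N
  - name: PeSieveShellc
    description: "Perform pe-sieve shellcode scan"
    type: bool
    default: N
  - name: Python
    description: "Override default python path"
    type: str
    default: "python3"
  - name: NoListen
    description: "Do not show listening connections"
    type: bool
    default: N
  # TODO: does this work? how? (Loki accepts the flag multiple times; the
  # cmdline builder below would need to flatten a list into repeated pairs.)
  # - name: ExcludeProcess
  #   description: "Specify an executable name to exclude from scans, can be used multiple times"
  #   type: list
  #   default: []
  - name: Force
    # Plain apostrophe: "\'" is not a valid escape inside a YAML double-quoted
    # scalar and broke parsing of this artifact.
    description: "Force the scan on a certain folder (even if excluded with hard exclude in LOKI's code)"
    type: bool
    default: N
sources:
  - name: Upload
    query: |
      -- Fetch the pinned Loki release; FetchBinary checks it against the
      -- expected_hash declared in the tools section.
      LET Toolzip <= SELECT FullPath
        FROM Artifact.Generic.Utils.FetchBinary(ToolName="Loki-0.51.0", IsExecutable=FALSE)
      -- Scope-local temp directory; it is removed when the scope closes.
      LET TmpDir <= tempdir()
      -- Unzip the binary
      LET _ <= SELECT *
        FROM unzip(filename=Toolzip.FullPath, output_directory=TmpDir)
      LET LokiDir <= TmpDir + '\\loki'
      LET LokiExe <= LokiDir + '\\loki.exe'
      -- Optionally update the signature base. This is a network fetch
      -- performed by loki.exe itself on the endpoint, with no hash pinning;
      -- cmd.exe is only used here so that the update runs with LokiDir as
      -- its working directory. All argv elements are fixed or derived from
      -- TmpDir, none come from user parameters.
      LET _ <= if(condition=Update, then={
        SELECT * FROM execve(argv=['cmd.exe', '/c', 'cd', LokiDir, '&', LokiExe, '--update']) })
      -- Loki is given an absolute log path inside TmpDir so the file honors
      -- the LogFile parameter and nothing is left behind in System32 (the
      -- earlier hard-coded location assumed the process CWD). The Results
      -- source reuses CSVFile, which relies on both sources sharing one
      -- scope -- confirm against the Velociraptor version in use.
      LET CSVFile <= TmpDir + '\\' + LogFile
      -- Build argv. Every parameter is its own element, so Path and the
      -- numeric values are never interpreted by a shell. if() yields NULL
      -- for a false boolean, and filter(regex=".+") removes those NULLs.
      -- Do not add "<flag>, <value>" pairs whose value may be empty: the
      -- filter would drop only the value and leave a dangling flag, which
      -- is why -r / -t / --logfolder remain commented out.
      LET cmdline <= filter(list=(
        LokiExe,
        "-p", Path,
        "-s", Kilobyte,
        "-l", CSVFile,
        -- "-r", RemoteLogHost,
        -- "-t", RemoteSyslogPort,
        "-a", AlertLevel,
        "-w", WarningLevel,
        "-n", NoticeLevel,
        "--maxworkingset", MaxWorkingSet,
        -- "--logfolder", LogFolder,
        "--python", Python,
        if(condition=AllHardDrives, then="--allhds"),
        if(condition=AllDrives, then="--alldrives"),
        if(condition=PrintAll, then="--printall"),
        if(condition=AllReasons, then="--allreasons"),
        if(condition=NoProcScan, then="--noprocscan"),
        if(condition=NoFileScan, then="--nofilescan"),
        if(condition=VulnChecks, then="--vulnchecks"),
        if(condition=NoLevCheck, then="--nolevcheck"),
        if(condition=ScriptAnalysis, then="--scriptanalysis"),
        if(condition=Rootkit, then="--rootkit"),
        if(condition=NoIndicator, then="--noindicator"),
        if(condition=DontWait, then="--dontwait"),
        if(condition=Intense, then="--intense"),
        if(condition=Csv, then="--csv"),
        if(condition=OnlyRelevant, then="--onlyrelevant"),
        if(condition=NoLog, then="--nolog"),
        if(condition=Debug, then="--debug"),
        if(condition=SysLogTcp, then="--syslogtcp"),
        if(condition=NoPeSieve, then="--nopesieve"),
        if(condition=PeSieveShellc, then="--pesieveshellc"),
        if(condition=NoListen, then="--nolisten"),
        if(condition=Force, then="--force")
      ), regex=".+")
      -- Run the tool and divert messages to logs.
      LET ExecHB <= SELECT *
        FROM execve(argv=cmdline, sep="\n", length=9999999)
        WHERE log(message=Stdout)
      -- Upload the raw file.
      SELECT upload(file=CSVFile) AS Uploads FROM scope()
  - name: Results
    query: |
      -- NOTE(review): parse_csv treats the first row as the header and this
      -- query expects a Timestamp column; it also presumes the log file is in
      -- CSV form when Csv=Y. Confirm both against the Loki version pinned above.
      SELECT *, timestamp(string=Timestamp) AS EventTime
        FROM parse_csv(filename=CSVFile)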