Path issue on Linux with IOCs residing in Windows root folder
xathon opened this issue · 0 comments
xathon commented
When running Loki on Linux, Filename IOCs that reside in the Windows root folder, such as C:\\Program.exe will be matched in every (sub)folder in the scan directory.
Example scan results, where I've placed two non-malicious files in an 'unrelated' subfolder:
[INFO] Scanning Path /scan/ ...
[ALERT]
FILE: /scan/unrelated/Program.exe SCORE: 115 TYPE: UNKNOWN SIZE: 20
FIRST_BYTES: 68656c6c6f206920616d2076657279207375730a / <filter object at 0x7fd8b43f0460>
MD5: 8dd7925dc8d44dc6c03464d97bfc1e1d
SHA1: b6059a7e61f663b2c1ed88c824d1853fe891e2fe
SHA256: d9c0cb2ef62c58ac45401bac66a62648d6942fb8d81a288042ca9caf1bd354ac CREATED: Tue Apr 4 17:30:37 2023 MODIFIED: Tue Apr 4 17:30:37 2023 ACCESSED: Tue Apr 4 17:31:07 2023
REASON_1: File Name IOC matched PATTERN: /Program\.exe SUBSCORE: 50 DESC: Typical malware names VT evaluation July 2017
REASON_2: File Name IOC matched PATTERN: /Program\.exe SUBSCORE: 65 DESC: Possible attempt to exploit privilege escalation weakness https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
[WARNING]
FILE: /scan/unrelated/mscoree.dll SCORE: 70 TYPE: UNKNOWN SIZE: 21
FIRST_BYTES: 646f6e277420646574656374206d6520706c7a3f / <filter object at 0x7fd8b43f0520>
MD5: f8ca5f01dac6d03ab5473e9711320056
SHA1: 80e5b6e7724e8e2a8db400b8d48b5edbc8685549
SHA256: 826cb878e776b977dceb6ddd6ada8bdbb93d1aeb31515f153833a090912030a3 CREATED: Tue Apr 4 17:24:58 2023 MODIFIED: Tue Apr 4 17:24:58 2023 ACCESSED: Tue Apr 4 17:25:35 2023
REASON_1: File Name IOC matched PATTERN: /mscoree\.dll SUBSCORE: 70 DESC: Unattributed Shadowpad Activity in Exchange Exploiation IOC https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/