Automate LOKI using Splunk

LOKI is a well-known open-source endpoint scanner that detects indicators of compromise (IOCs) using the following methods:

  • File Name IOC
    • Regex match on the full file path/name
  • YARA Rule Check
    • YARA signature match on file data and process memory. Includes, but is not limited to: file size, specific strings in the file header or content, create/modify time, and many others
  • Hash Check
    • Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
  • C2 Back Connect Check
    • Compares process connection endpoints with C2 IOCs

This scanner comes in really handy in incident response and threat hunting activities across the organization, but you have to run it on each suspected endpoint and analyze the findings manually for every one of them.
More details on LOKI are available at https://github.com/Neo23x0/Loki

So we decided to make our lives - and yours - easier by automating deployment and signature updates, and by giving full visibility of the results in detailed, interactive dashboards using the power of Splunk.

Yes, you must have a Splunk deployment in place if you want to use this app. However, the detailed steps below can be translated to any other solution that is agent based and has a centralized deployment instance. The rest of the parsing and visualization capabilities are available on all SIEM solutions for sure – you'll have to do your own-

Important notes:

  1. For this addon to work, the Splunk user must have admin privileges or equivalent rights to run executables. If you already installed the Splunk agent using an admin user, you don't have to worry about this point.
  2. In some scenarios you need to whitelist loki.exe in the antivirus or EDR in your environment.

The figure below illustrates the deployment plan of this app; more details follow.


Where to install the add-on and app?

Use this table to see where the addon and the app have to be placed:

                 Deployment Server          Heavy Forwarder (if used in your environment)   Indexer   Search Head
Add-on           Yes – in deployment-apps   Optional                                         Yes       Yes
App              No                         No                                               No        Yes


Loki_TA preparation

To start, you need to prepare the Loki_TA before uploading it to the deployment server. The addon ships with neither loki.exe nor Loki's library; the initial addon can be installed from https://splunkbase.splunk.com/app/6378/#/details

1. Install the Loki scanner from GitHub; we prefer to use version 0.33 (most stable): https://github.com/Neo23x0/Loki/releases/tag/0.33.0

   a. Copy the files below to the addon path TA_loki/bin:

      i. config
      ii. docs
      iii. plugins
      iv. tools
      v. license
      vi. loki.exe

2. Install the Loki master scanner from GitHub: https://github.com/Neo23x0/Loki

   a. Copy {loki-upgrader.py} to TA_loki/bin

   b. Copy the files inside {lib} to TA_loki/bin/lib


3. Comment out some libraries that are not used, because they have dependencies:

   a. TA_loki\bin\lib\helpers.py -- comment out psutil & netaddr

   b. TA_loki\bin\lib\lokilogger.py -- comment out rfc5424logging


4. (Optional step) Change where scan logs are saved and what to scan on the server in TA_Loki\bin\loki.bat.

   a. This step can be done from the deployment server.

   b. By default, the path we use for saving scan results on the server is $SPLUNKPATH\var\log\TA_Loki

   c. By default, Loki scans only the C: drive; you can change "-p %ScanPath%" to "--allhds"
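The preparation steps above as one repeatable script, added here as an example and not taken from the addon or from Loki itself. It assumes an unpacked 0.33 release and a master checkout as inputs; the exact shape of the import lines in helpers.py and lokilogger.py is not shown on this page, so the script handles both "import X" and "from X import ..." forms and checks afterwards that no active import of the three modules is left.

```shell
#!/usr/bin/env bash
# Added example, not part of the TA_loki addon: assemble TA_loki/bin from an
# unpacked Loki 0.33 release and a Loki master checkout, then comment out the
# unused imports named in step 3. Import line shapes are assumed, not taken
# from Loki's source, so both "import X" and "from X import ..." are handled.
set -e

# disable_import FILE MODULE: comment out "import MODULE[, ...]" and
# "from MODULE import ..." lines; already commented lines are left alone.
disable_import() {
  local file="$1" mod="$2"
  sed -E "s/^(import[[:space:]]+${mod}([[:space:],].*)?|from[[:space:]]+${mod}[[:space:].].*)$/# \1/" \
    "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# still_imports FILE MODULE: succeeds if an active import of MODULE remains.
still_imports() {
  grep -Eq "^(import[[:space:]]+$2([[:space:],]|\$)|from[[:space:]]+$2[[:space:].])" "$1"
}

# prepare_ta RELEASE_DIR MASTER_DIR TA_DIR: steps 1-3 of "Loki_TA preparation".
prepare_ta() {
  local rel="$1" master="$2" ta="$3" item
  mkdir -p "$ta/bin/lib"
  for item in config docs plugins tools license loki.exe; do   # step 1a
    cp -R "$rel/$item" "$ta/bin/"
  done
  cp "$master/loki-upgrader.py" "$ta/bin/"                     # step 2a
  cp -R "$master/lib/." "$ta/bin/lib/"                         # step 2b
  disable_import "$ta/bin/lib/helpers.py" psutil               # step 3a
  disable_import "$ta/bin/lib/helpers.py" netaddr
  disable_import "$ta/bin/lib/lokilogger.py" rfc5424logging    # step 3b
}

# check_ta TA_DIR: fails if anything the guide expects in bin/ is missing or
# one of the three imports is still active.
check_ta() {
  local ta="$1" item
  for item in config docs plugins tools license loki.exe loki-upgrader.py lib; do
    [ -e "$ta/bin/$item" ] || { echo "missing $ta/bin/$item" >&2; return 1; }
  done
  if still_imports "$ta/bin/lib/helpers.py" psutil || still_imports "$ta/bin/lib/helpers.py" netaddr \
     || still_imports "$ta/bin/lib/lokilogger.py" rfc5424logging; then
    echo "an import that should be commented out is still active" >&2; return 1
  fi
}

# Usage: ./prepare_ta.sh <unpacked 0.33 release> <Loki master checkout> TA_loki
if [ "$#" -eq 3 ]; then prepare_ta "$@" && check_ta "$3"; fi
```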


After finishing the above steps, the addon should look like the layout below:


Loki_TA Deploy

After completing the prerequisites above, archive the addon and upload it to the Splunk Deployment Server. We assume the deployment server is Linux based, so the addon goes under $SPLUNK_HOME/etc/deployment-apps

1. Copy 2 libs from TA_loki/bin/lib to $SPLUNK_HOME/lib/python3.7/site-packages/

   a. cp -R TA_loki/bin/lib/colorama $SPLUNK_HOME/lib/python3.7/site-packages/

   b. cp -R TA_loki/bin/lib/colorama-0.4.4.dist-info/ $SPLUNK_HOME/lib/python3.7/site-packages/

2. Run the signature upgrade for the Loki scanner, using the same user that runs the Splunk service (in my case the user is Splunk). The signature updater should run before the device scan interval.

  • For example: if your interval schedule runs on the 1st of each month, run update-signature.sh the day before, either manually or by creating a cron job, using the command below:

   a. $SPLUNK_HOME/bin/splunk cmd $SPLUNK_HOME/etc/deployment-apps/TA_loki/bin/update-signature.sh

   If your $SPLUNK_HOME is different from /opt/splunk, change it in TA_loki/bin/update-signature.sh

3. Set the interval and the index inside inputs.conf, after creating a local directory for the addon:

   mkdir TA_loki/local

   Hint: if you want to run it only once, you can set interval = -1

4. Push the addon from Splunk Forwarder Management to the required hosts.
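Steps 1 to 3 of the deploy section as a script for the deployment server, added here as an example and not part of the addon. It assumes SPLUNK_HOME defaults to /opt/splunk, that the addon's default/inputs.conf contains a [script://...] stanza for loki.bat (the page does not show that file, so the stanza header is copied from it rather than retyped), and that interval accepts -1, a number of seconds or a 5-field cron expression, as Splunk scripted inputs do.

```shell
#!/usr/bin/env bash
# Added example, not part of the TA_loki addon: steps 1-3 of "Loki_TA Deploy"
# on a Linux deployment server. SPLUNK_HOME defaults to /opt/splunk as in the
# guide. Assumption: default/inputs.conf holds one "[script://...]" stanza for
# loki.bat; the guide does not show the file, so its header is read, not typed.
set -e
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Step 1: the two colorama entries from the addon's lib go into Splunk's
# bundled Python so loki-upgrader.py can import them.
deploy_libs() {
  local ta="$1" site="${2:-$SPLUNK_HOME/lib/python3.7/site-packages}"
  cp -R "$ta/bin/lib/colorama" "$site/"
  cp -R "$ta/bin/lib/colorama-0.4.4.dist-info/" "$site/"
}

# Step 2: signature update; run this as the user that runs the Splunk service,
# and before the scan interval fires (e.g. the day before a monthly scan).
update_signatures() {
  "$SPLUNK_HOME/bin/splunk" cmd "$1/bin/update-signature.sh"
}

# valid_interval VALUE: -1 (run once), a number of seconds, or a 5-field cron
# expression, the three forms Splunk accepts for a scripted input's interval.
valid_interval() {
  case "$1" in
    -1) return 0 ;;
    ''|*[!0-9]*) [ "$(printf '%s\n' "$1" | awk '{print NF}')" -eq 5 ] ;;
    *) return 0 ;;
  esac
}

# Step 3: write local/inputs.conf overriding interval and index, reusing the
# stanza header from default/inputs.conf so the script path is never retyped.
write_local_inputs() {
  local ta="$1" interval="$2" index="$3" stanza
  valid_interval "$interval" || { echo "bad interval: $interval" >&2; return 1; }
  stanza=$(grep -m1 '^\[script://' "$ta/default/inputs.conf") \
    || { echo "no scripted-input stanza in $ta/default/inputs.conf" >&2; return 1; }
  mkdir -p "$ta/local"
  printf '%s\ninterval = %s\nindex = %s\n' "$stanza" "$interval" "$index" \
    > "$ta/local/inputs.conf"
}

# Usage: ./deploy_ta.sh /opt/splunk/etc/deployment-apps/TA_loki -1 loki
if [ "$#" -eq 3 ]; then
  deploy_libs "$1" && update_signatures "$1" && write_local_inputs "$1" "$2" "$3"
fi
```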


Loki APP

The application is intended to visualize the results of the Loki scanner. It has 2 dashboards: the first one is an overview of the findings on the hosts you scanned, and the other one is for the analyst or threat hunter to investigate the results.


This application depends on 3 addons, 2 of them custom visualizations. You have to install these addons on the search head that has the Loki app installed:


1) TA_Loki -- https://splunkbase.splunk.com/app/6378/
2) Splunk Sankey Diagram -- https://splunkbase.splunk.com/app/3112/
3) Force Directed App For Splunk -- https://splunkbase.splunk.com/app/3767/

Only one setup step is required: set the loki_index macro to a specific index.

Settings → Advanced search → Search Macros → App (Loki_App) → search for loki_index and set it to the index you chose in step 3 of "Loki_TA Deploy"


Dashboard - Loki Overview

  1. Two dashboards: Overview (high level) and Analyst view (low level)
  2. General time frame; to view multiple scans, pick a larger time frame
  3. Distinct count of hosts scanned
  4. Number of scans for the hosts in the period picked; in our case it is 2
  5. Total risk score of each host. If a file got 2 different scores in two scans, both scores are summed.
    • Note: the risk score is already defined in each YARA rule. The total host risk score is the sum of the scores of every YARA rule that matched on this host. If you are doing threat hunting, make sure to put a risk score in the custom YARA rules you create.
  6. Distinct count of the files scanned across the number of scans; in our case it is 2 scans
  7. Four log types of scan results; warning and alert are the most important to investigate


Scan timeline panel:


Dashboard – Analyst view


Panel: Matched rules 1 summary + Matched rules 2 summary:

The LOKI scanner can find multiple matches in one file. The first 2 panels show the first and second match; other matches are not shown by the dashboard, but you can add them manually.

For example, if you have a file that matched a YARA rule looking for a specific backdoor with the string "ngrok", another YARA rule looking for files created within the last week, and a third one for a specific file name, only the first two rules will be shown on these panels.

  • You can search for the name of a matched rule in the search bar, or you can order by one of the fields (rule score, file detected, server) ascending or descending.


Panel: Matched rule (files drilldown) + Matched rule (servers drilldown):

This helps with finding all hosts and files related to a specific matched rule.

For example, a new exploit for Apache is out in the wild, and security researchers have published the IOCs. You will most probably want to scan your internet-facing Apache servers for these IOCs. Whether you write your own YARA rule or get it from the web, this dashboard gives you a detailed view of where (host & file) this rule matched.


Panel: File Scanned and matched rules

This panel searches for file names, to find whether a file matched any rules and which rules those were.


Panel: Server scan result

This panel is general and allows the analyst to investigate multiple things:

  1. Server name
  2. Log type {warning, alert, error, etc.}
  3. Scan date: if the time frame picked for the dashboard covers multiple scans, they will be shown here; in my case there were 2 days of Loki scans
  4. File type: all file types scanned {EXE, csv, xlsm, ps1, etc.}
  5. File name: you can search for the file name
  6. Score: if you have a specific score in mind


Panel: File Creation/Modification/Access

This is one of the most useful panels in case Loki was used for incident response or an investigation.

If analysts know the time frame of the attack or incident, they can look into the files that were created/modified/accessed around that time; it might give them some leads on where to look.

Important note: the time format is only accepted as Date Range or Date & Time Range, due to Splunk's interpretation of time formats.


Panel: Hash Checker

Using this panel, you can look for a specific hash (MD5, SHA1, or SHA256). It comes in handy if you're looking for newly announced hash IOCs, or you might find a malicious piece of software under two different names but with the same hash. Attackers tend to plant as many backdoors as possible to maintain access.


I hope you enjoyed reading this guide. Happy hunt!
