Pentest Tools

Published on March 1st, 2016 📆 | 6653 Views ⚑


Fenrir — Bash IOC Scanner
Fenrir is a simple IOC scanner bash script. It scans Linux/Unix/OSX systems for the following Indicators of Compromise (IOCs):

  • Hashes

    MD5, SHA1 and SHA256 (using md5sum, sha1sum, sha -a 256)

  • File Names

    string –  checked for substring of the full path, e.g. “temp/p.exe” in “/var/temp/p.exe”

  • Strings

    grep in files

  • C2 Server

    checking for C2 server strings in ‘lsof -i’ and ‘lsof -i -n’ output

  • Hot Time Frame

    using stat in different modes – define min and max epoch time stamp and get all files that have been created in between

[adsense size='1']

Bash IOC Scanner characteristics:

  • Bash Script
  • No installation or agent needed
  • Uses common tools to extract attributes (e.g. md5sum, grep, stat in different modes)
  • Intended to run on any Linux / Unix / OS X with Bash
  • Low footprint – Ansible playbook with RAM drive solution
  • Smart exclusions (file size, extension, certain directories) speeds up the scan process




DIRECTORY - Start point of the recursive scan



What Fenrir does is:

  • Reads the IOC files
  • Takes a parameter as starting directory for the recursive walk
  • Checks C2 servers in lsof output
  • Checks for directory exclusions (configurable in the script header)
  • Checks for certain file extensions to check (configurable in the script header)
  • Checks the file name (full path) for matches in IOC files
  • Checks for file size exclusions (configurable in the script header)
  • Checks for certain strings in the file (via grep)
  • Checks for certain hash values
  • Checks for change/creation time stamp

[adsense size='4']

Source && Download

Leave a Reply

Your email address will not be published.