Fenrir — Bash IOC Scanner
iSpeech.org
Fenrir is a simple IOC scanner bash script. It scans Linux/Unix/OSX systems for the following Indicators of Compromise (IOCs):
-
Hashes
MD5, SHA1 and SHA256 (using md5sum, sha1sum, sha -a 256)
-
File Names
string – checked for substring of the full path, e.g. “temp/p.exe” in “/var/temp/p.exe”
-
Strings
grep in files
-
C2 Server
checking for C2 server strings in ‘lsof -i’ and ‘lsof -i -n’ output
-
Hot Time Frame
using stat in different modes – define min and max epoch time stamp and get all files that have been created in between
[adsense size='1']
Bash IOC Scanner characteristics:
- Bash Script
- No installation or agent needed
- Uses common tools to extract attributes (e.g. md5sum, grep, stat in different modes)
- Intended to run on any Linux / Unix / OS X with Bash
- Low footprint – Ansible playbook with RAM drive solution
- Smart exclusions (file size, extension, certain directories) speeds up the scan process
Usage
Usage: ./fenrir.sh DIRECTORY
DIRECTORY - Start point of the recursive scan
What Fenrir does is:
- Reads the IOC files
- Takes a parameter as starting directory for the recursive walk
- Checks C2 servers in lsof output
- Checks for directory exclusions (configurable in the script header)
- Checks for certain file extensions to check (configurable in the script header)
- Checks the file name (full path) for matches in IOC files
- Checks for file size exclusions (configurable in the script header)
- Checks for certain strings in the file (via grep)
- Checks for certain hash values
- Checks for change/creation time stamp
[adsense size='4']
Source && Download
https://github.com/Neo23x0/Fenrir
Gloss