Fenrir – Simple Bash Indicators of Compromise Scanner
Fenrir is a simple IOC scanner bash script. It allows scanning Linux/Unix/OSX systems for Indicators of Compromise (IOCs): hashes (MD5, SHA1 and SHA256, using md5sum, sha1sum and sha -a 256), file names, strings, C2 servers (checking for C2 server strings in 'lsof -i' and 'lsof -i -n' output), and a hot time frame.

What Fenrir does is:
- Reads the IOC files
- Takes a parameter as starting directory for the recursive walk
- Checks C2 servers in lsof output
- Checks for directory exclusions (configurable in the script header)
- Checks whether the file has one of the extensions to scan (configurable in the script header)
- Checks the file name (full path) for matches in IOC files
- Checks for file size exclusions (configurable in the script header)
- Checks for certain strings in the file (via grep)
- Checks for certain hash values
- Checks for change/creation time stamp
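As an added example (not Fenrir's own code), the hash, file-name and string checks from the walk above, together with a directory and a file-size exclusion, reduced to two bash functions; the IOC lists, sample files and limits are all constructed here, and the time-stamp and lsof checks are left out.

```shell
#!/usr/bin/env bash
# Added example, not Fenrir's own code: the per-file IOC checks Fenrir
# describes (hash, file name, string) plus directory and size exclusions,
# reduced to two shell functions. All IOC values and files are constructed.

MAX_SIZE_KB=100          # files at or above this size are skipped
EXCLUDE_GLOB="*/iocs/*"  # directory exclusion, as in Fenrir's script header

# Print the SHA-256 of a file with sha256sum, or shasum -a 256 where absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# scan_file FILE HASH_IOCS NAME_IOCS STRING_IOCS
# Prints "<check> <file>" per match; returns 0 if anything matched, 1 if clean.
scan_file() {
    local f=$1 hit=1
    grep -qixF "$(hash_file "$f")" "$2" && { echo "hash $f"; hit=0; }
    printf '%s\n' "$f" | grep -qF -f "$3" && { echo "name $f"; hit=0; }
    grep -qF -f "$4" "$f" && { echo "string $f"; hit=0; }
    return $hit
}

# scan_dir DIR IOC_DIR: recursive walk honouring the exclusions above.
scan_dir() {
    find "$1" -type f -size -"${MAX_SIZE_KB}"k -not -path "$EXCLUDE_GLOB" -print0 |
    while IFS= read -r -d '' f; do
        scan_file "$f" "$2/hash-iocs.txt" "$2/name-iocs.txt" "$2/string-iocs.txt" || true
    done
}

# Constructed workspace: IOC lists in iocs/, sample files to scan beside them.
WORK=$(mktemp -d); mkdir -p "$WORK/iocs"
printf 'hello\n' > "$WORK/dropper.bin"                     # hash IOC target
printf 'server=evil-c2.example\n' > "$WORK/config.ini"    # name + string IOC
printf 'nothing here\n' > "$WORK/README"                  # clean file
head -c 204800 /dev/zero > "$WORK/big.log"                # over the size limit,
echo 'evil-c2.example' >> "$WORK/big.log"                  #   so never inspected
hash_file "$WORK/dropper.bin" > "$WORK/iocs/hash-iocs.txt"
printf 'config.ini\n' > "$WORK/iocs/name-iocs.txt"
printf 'evil-c2.example\n' > "$WORK/iocs/string-iocs.txt"

scan_dir "$WORK" "$WORK/iocs"
```

Running it prints three hits: the hash match on dropper.bin and the name and string matches on config.ini; README is clean and big.log is skipped by the size exclusion.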
Users may search the hash list and update it once a new IOC is published by any threat intelligence feed. This can be automated by subscribing to an online threat feed such as AlienVault OTX. The current hash list includes a link to the APT and the source of the IOC, whether it is Microsoft, Symantec or others.
You can read more and download this tool over here: https://github.com/Neo23x0/Fenrir