Fenrir is a simple IOC scanner bash script. It allows scanning Linux/Unix/OSX systems for Indicators of Compromise (IOCs) Hashes MD5, SHA1 and SHA256 (using md5sum, sha1sum, sha -a 256), File Names ,Strings , C2 Server checking for C2 server strings in ‘lsof -i’ and ‘lsof -i -n’ output, Hot Time Frame.

What Fenrir does is:

• Reads the IOC files
• Takes a parameter as starting directory for the recursive walk
• Checks C2 servers in lsof output
• Checks for directory exclusions (configurable in the script header)
• Checks for certain file extensions to check (configurable in the script header)
• Checks the file name (full path) for matches in IOC files
• Checks for file size exclusions (configurable in the script header)
• Checks for certain strings in the file (via grep)
• Checks for certain hash values
• Checks for change/creation time stamp

User may search for the hash list and update once there is a new IOC published by any threat intelligence feed. This can be automated by subscribing to online Threat feed such as Alienvault OTX. The current hash list include a link to the APT and source of the IOC whether it is Microsoft , Symantec and more.

You can read more and download this tool over here: https://github.com/Neo23x0/Fenrir