Open-Source IOC Scanner

LOKI is a free and simple IOC scanner, a complete rewrite of main analysis modules of our full featured APT Scanner THOR. IOC stands for „Indicators of Compromise“. These indicators can be derived from published incident reports, forensic analyses or malware sample collections in your Lab.

LOKI offers a simple way to scan your systems for known IOCs.

It supports these different types of indicators:

  • MD5 / SHA1 / SHA256 hashes
  • Yara Rules (applied to file data and process memory)
  • Hard Indicator Filenames based on Regular Expression (e.g. \\pwdump\.exe)
  • Soft Indicator Filenames based on Regular Expressions (e.g. Windows\\[\w]\.exe)

Rule Sets

LOKI features some of the most effective rules borrowed from the rule sets of our famous THOR APT Scanner. We decided to integrate a lot of webshell rules as even the best Antivirus engines fail to detect most of them. We put almost half of our hacktool rule set into the rule base as well.

The IOC signature database is not encrypted or stored in a proprietary format.You can edit the signature database yourself and add your own IOCs. Be advised that attackers may also get access to these rules on the target systems if you use the scanner and leave the package on a compromised system.

Using LOKI

You can easily add you own sample hashes, filename characteristics and Yara rules to the rulesets we bundled with it.

The most common use case is a so called „Triage“ or „APT Scan“ scenario in which you scan all your machines to identify threats that haven’t been detected by common Antivirus solutions. You can roll out LOKI like any other software using your preferred method or offer it on a network share. LOKI can than be started via Scheduled Task (GPO). You can simply run it using the UNC path „\\system\share\loki.exe“.

Another scenario is the use in a forensic lab. Scan mounted images with LOKI to identify known threats using the provided IOC definitions.

We quickly add IOCs derived from important threat reports to our rule sets (e.g. Regin, Skeleton Key). Use LOKI to check the integrity of your systems fast and target-oriented.


LOKI features a simple log file output in the format created by syslog daemons.

Three Different Result Types

At the end of the scan LOKI generates a scan result. This result can be:

  • System seems to be clean.
  • Suspicious objects detected!
  • Indicators detected!


Professional support is not included. Please use the issues section on the Github project page to submit bug reports. If you need a professional tool with professional support, choose our APT Scanner THOR.


LOKI is hosted on Github. Download the latest release from the project page and read the README on github for the first steps.


You use LOKI on your own risk.

LOKI does not support throttling and no feature to adapt the performance to the actual system resources as our APT Scanner THOR. LOKI does not support AES256 encrypted signature files. Make sure that you completely remove the package from the target system in order to avoid that attackers gain knowledge of the indicators with which you are trying to detect them.


Loki – Simple IOC Scanner
Copyright (c) 2017 Florian Roth

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see

WordPress Cookie Plugin by Real Cookie Banner