Fenrir v0.9: Simple Bash IOC Scanner

by do son · Published February 4, 2018 · Updated December 13, 2021

Fenrir

Simple Bash IOC Scanner

Fenrir is a simple IOC scanner bash script. It allows scanning Linux/Unix/OSX systems for the following Indicators of Compromise (IOCs):

HashesMD5, SHA1, and SHA256 (using md5sum, sha1sum, sha -a 256)
File Namesstring – checked for substring of the full path, e.g. “temp/p.exe” in “/var/temp/p.exe”
Stringsgrep in files
C2 Serverchecking for C2 server strings in ‘lsof -i’ and ‘lsof -i -n’ output
Hot Time Frameusing stat in different modes – define min and max epoch timestamp and get all files that have been created in between

Basic characteristics:

Bash Script
No installation or agent needed
Uses common tools to extract attributes (e.g. md5sum, grep, stat in different modes)
Intended to run on any Linux / Unix / OS X with Bash
Low footprint – Ansible playbook with RAM drive solution
Smart exclusions (file size, extension, certain directories) speeds up the scan process

Step by Step

What Fenrir does is: