
Fenrir Simple Bash IOC Scanner
Fenrir: A User-Friendly IOC Scanner
Fenrir is a straightforward IOC scanner implemented as a bash script.
Scanning Linux/Unix/OSX Systems for Compromise Indicators
This tool enables the scanning of Linux, Unix, and OSX systems for various Indicators of Compromise (IOCs), including:
- **Hashes**: MD5, SHA1, and SHA256 (utilizing commands such as md5sum, sha1sum, and sha -a 256)
- **File Names**: Checked for substrings within the full path, for example, detecting "temp/p.exe" in the path "/var/temp/p.exe"
- **Strings**: The grep command is used to search file contents for specific strings
- **C2 Server**: Checks for C2 server strings in the output of 'lsof -i' and 'lsof -i -n' (active network connections)
- **Hot Time Frame**: Utilizes the stat command in various modes to define minimum and maximum epoch timestamps, retrieving all files created within that timeframe.
### Basic Characteristics:
- **Bash Script**: This is a script written in Bash.
- **No Installation or Agent Needed**: It operates without requiring installation or an agent.
- **Utilizes Common Tools**: The script employs commonly available tools to extract attributes (e.g., md5sum, grep, stat in different modes).
- **Compatible with Various Systems**: It is designed to run on any Linux, Unix, or OS X system that supports Bash.
- **Low Footprint**: The script has minimal resource usage.
- **Ansible Playbook with RAM Drive Solution**: It can be integrated into an Ansible playbook that uses a RAM drive solution.
- **Smart Exclusions**: The tool includes intelligent exclusions based on file size, extension, and specific directories, which enhances the speed of the scanning process.
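The following bash sketch is an added example, not Fenrir's own code: it reimplements the five check types listed above (hash, file name substring, string grep, C2 string in lsof output, hot time frame via stat epoch timestamps) together with the size, extension and directory exclusions from the characteristics list. All IOC values, the epoch window and the exclusion lists are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Fenrir's own code): a minimal re-implementation of the
# five check types described above. Every IOC value here is a constructed sample.
HASH_IOCS="d41d8cd98f00b204e9800998ecf8427e"    # constructed: MD5 of an empty file
FILENAME_IOCS="temp/p.exe"                      # substring of the full path
STRING_IOCS="EVIL_MARKER_CONSTRUCTED"           # grep'd inside file content
C2_IOCS="203.0.113.7"                           # constructed TEST-NET-3 address
HOT_MIN=1700000000; HOT_MAX=1700086400          # constructed epoch window (one day)
EXCLUDE_DIRS="/proc /sys /dev"; EXCLUDE_EXT="png jpg iso"; MAX_SIZE_KB=8192
# Epoch mtime and MD5 with GNU coreutils first, BSD/macOS tools as fallback.
epoch_mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }
md5_of() { if command -v md5sum >/dev/null; then md5sum "$1" | cut -d' ' -f1; else md5 -q "$1"; fi; }
# Run the file-based checks against one path; print a line per hit, return 0 if any hit.
check_file() {
  local f="$1" hit=1 ioc h m
  for ioc in $FILENAME_IOCS; do
    case "$f" in *"$ioc"*) echo "FILENAME $f contains $ioc"; hit=0 ;; esac
  done
  h=$(md5_of "$f")
  for ioc in $HASH_IOCS; do [ "$h" = "$ioc" ] && { echo "HASH $f $h"; hit=0; }; done
  for ioc in $STRING_IOCS; do
    grep -qF -- "$ioc" "$f" 2>/dev/null && { echo "STRING $f contains $ioc"; hit=0; }
  done
  m=$(epoch_mtime "$f")
  if [ "$m" -ge "$HOT_MIN" ] && [ "$m" -le "$HOT_MAX" ]; then
    echo "HOTTIME $f modified at epoch $m"; hit=0
  fi
  return $hit
}
# C2 check over the text of 'lsof -i -n' (passed in, so it can run on captured output).
check_c2() {
  local out="$1" ioc hit=1
  for ioc in $C2_IOCS; do
    printf '%s\n' "$out" | grep -qF -- "$ioc" && { echo "C2 connection to $ioc"; hit=0; }
  done
  return $hit
}
# Fenrir-style exclusions: skip listed directories, extensions and oversized files.
excluded() {
  local f="$1" x
  for x in $EXCLUDE_DIRS; do case "$f" in "$x"/*) return 0 ;; esac; done
  for x in $EXCLUDE_EXT; do case "$f" in *."$x") return 0 ;; esac; done
  return 1
}
scan_dir() {
  find "$1" -type f -size -"${MAX_SIZE_KB}"k 2>/dev/null | while IFS= read -r f; do
    excluded "$f" || check_file "$f" || true
  done
}
```

Run as `scan_dir /` for a whole-system walk, and feed `check_c2 "$(lsof -i -n)"` for the connection check; hits go to stdout, one line per indicator.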
Why Choose Fenrir?
FENRIR is the third tool following THOR and LOKI. THOR is our comprehensive APT scanner, offering numerous modules and export types tailored for corporate clients. LOKI is a free and open-source IOC scanner that uses YARA as its signature format.
The Limitations of Both Predecessors
The issue with both predecessors is that they each have specific limitations.