README update, PE-Sieve info

README.md

@@ -23,6 +23,7 @@ Additional Checks:
 3. SWF decompressed scan (new since version v0.8)
 4. SAM dump check
 5. DoublePulsar check - tries to detect DoublePulsar backdoor on port 445/tcp and 3389/tcp
+6. [PE-Sieve](https://github.com/hasherezade/pe-sieve) process check
 
 The Windows binary is compiled with PyInstaller 2.1 and should run as x86 application on both x86 and x64 based systems.
 
@@ -50,26 +51,6 @@ Download the latest version of LOKI from the [releases](https://github.com/Neo23
     5. Search in my [customer APT search engine](https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc) for file names or identifiers
   - Please report back false positives via the [Issues](https://github.com/Neo23x0/Loki/issues) section (mention the false positive indicator like a hash and/or filename and the rule name that triggered)
 
-## Included IOCs
-
-Loki currently includes the following IOCs:
-
-  - Equation Group Malware (Hashes, Yara Rules [by Kaspersky](http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/) and [10 custom rules](http://pastebin.com/P0Fb9DPb) generated by us)
-  - Carbanak APT - [Kaspersky Report](http://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/) (Hashes, Filename IOCs - no service detection and Yara rules)
-  - Arid Viper APT - [Trendmicro](http://blog.trendmicro.com/trendlabs-security-intelligence/arid-viper-gaza-vs-israel-cyber-conflict/) (Hashes)
-  - Anthem APT Deep Panda Signatures (not officialy confirmed) (krebsonsecurity.com - see [Blog Post](http://krebsonsecurity.com/2015/02/china-to-blame-in-anthem-hack/))
-  - Regin Malware (GCHQ / NSA / FiveEyes) (incl. Legspin and Hopscotch)
-  - Five Eyes QUERTY Malware (Regin Keylogger Module - see: [Kaspesky Report](https://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger/))
-  - Skeleton Key Malware (other state-sponsored Malware) - Source: [Dell SecureWorks Counter Threat Unit(TM)](http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/)
-  - WoolenGoldfish - (SHA1 hashes, Yara rules) [Trendmicro Report](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-woolen-goldfish-when-kittens-go-phishing/)
-  - OpCleaver (Iranian APT campaign) - Source: [Cylance](http://www.cylance.com/operation-cleaver/)
-  - More than 180 hack tool Yara rules - Source: [APT Scanner THOR](http://www.bsk-consulting.de/apt-scanner-thor/)
-  - More than 600 web shell Yara rules - Source: [APT Scanner THOR](http://www.bsk-consulting.de/apt-scanner-thor/)
-  - Numerous suspicious file name regex signatures - Source: [APT Scanner THOR](http://www.bsk-consulting.de/apt-scanner-thor/)
-  - Much more ... (cannot update the list as fast as I include new signatures)
-
-Loki is the new generic scanner that combines most of the features from my recently published scanners: [ReginScanner](https://github.com/Neo23x0/ReginScanner) and [SkeletonKeyScanner](https://github.com/Neo23x0/SkeletonKeyScanner).
-
 ## Update
 
 Since version 0.21.0 LOKI includes a separate updater tool named `loki-upgrader.exe` or `loki-upgrader.py`.
@@ -93,6 +74,46 @@ It allows to update the compiled loki.exe for Windows and the signature-base sou
 
 When running `loki.exe --update` it will create an new upgrader process and exits LOKI in order to replace the `loki.exe` with the newer one, which would be locked otherwise.
 
+# Usage
+
+```
+usage: loki.exe [-h] [-p path] [-s kilobyte] [-l log-file] [-r remote-loghost]
+                [-a alert-level] [-w warning-level] [-n notice-level]
+                [--printAll] [--allreasons] [--noprocscan] [--nofilescan]
+                [--scriptanalysis] [--rootkit] [--noindicator] [--reginfs]
+                [--dontwait] [--intense] [--csv] [--onlyrelevant] [--nolog]
+                [--update] [--debug]
+
+Loki - Simple IOC Scanner
+
+optional arguments:
+  -h, --help         show this help message and exit
+  -p path            Path to scan
+  -s kilobyte        Maximum file size to check in KB (default 5000 KB)
+  -l log-file        Log file
+  -r remote-loghost  Remote syslog system
+  -a alert-level     Alert score
+  -w warning-level   Warning score
+  -n notice-level    Notice score
+  --printAll         Print all files that are scanned
+  --allreasons       Print all reasons that caused the score
+  --noprocscan       Skip the process scan
+  --nofilescan       Skip the file scan
+  --scriptanalysis   Activate script analysis (beta)
+  --rootkit          Skip the rootkit check
+  --noindicator      Do not show a progress indicator
+  --reginfs          Do check for Regin virtual file system
+  --dontwait         Do not wait on exit
+  --intense          Intense scan mode (also scan unknown file types and all
+                     extensions)
+  --csv              Write CSV log format to STDOUT (machine prcoessing)
+  --onlyrelevant     Only print warnings or alerts
+  --nolog            Don't write a local log file
+  --update           Update the signatures from the "signature-base" sub
+                     repository
+  --debug            Debug output
+```
+
 ## Build LOKI
 
 No requirements if you use the pre-compiled executables in the `release` section of this repo.
@@ -161,52 +182,11 @@ optional arguments:
   --target TARGET    target where to store the compiled ruleset
 ```
 
-
 ### Requirements for the Threat Intel Receivers
 
 - [OTX Python SDK](https://github.com/AlienVault-Labs/OTX-Python-SDK)
 - [pyMISP](https://github.com/CIRCL/PyMISP)
 
-# Usage
-
-```
-usage: loki.exe [-h] [-p path] [-s kilobyte] [-l log-file] [-r remote-loghost]
-                [-a alert-level] [-w warning-level] [-n notice-level]
-                [--printAll] [--allreasons] [--noprocscan] [--nofilescan]
-                [--scriptanalysis] [--rootkit] [--noindicator] [--reginfs]
-                [--dontwait] [--intense] [--csv] [--onlyrelevant] [--nolog]
-                [--update] [--debug]
-
-Loki - Simple IOC Scanner
-
-optional arguments:
-  -h, --help         show this help message and exit
-  -p path            Path to scan
-  -s kilobyte        Maximum file size to check in KB (default 5000 KB)
-  -l log-file        Log file
-  -r remote-loghost  Remote syslog system
-  -a alert-level     Alert score
-  -w warning-level   Warning score
-  -n notice-level    Notice score
-  --printAll         Print all files that are scanned
-  --allreasons       Print all reasons that caused the score
-  --noprocscan       Skip the process scan
-  --nofilescan       Skip the file scan
-  --scriptanalysis   Activate script analysis (beta)
-  --rootkit          Skip the rootkit check
-  --noindicator      Do not show a progress indicator
-  --reginfs          Do check for Regin virtual file system
-  --dontwait         Do not wait on exit
-  --intense          Intense scan mode (also scan unknown file types and all
-                     extensions)
-  --csv              Write CSV log format to STDOUT (machine prcoessing)
-  --onlyrelevant     Only print warnings or alerts
-  --nolog            Don't write a local log file
-  --update           Update the signatures from the "signature-base" sub
-                     repository
-  --debug            Debug output
-```
-
 ## Signature and IOCs
 
 Since version 0.15 the Yara signatures reside in the sub-repository [signature-base](https://github.com/Neo23x0/signature-base). You can just download the LOKI release ZIP archive and run LOKI once to download the 'signature-base' sub repository with all the signatures. Since version 0.21.0 a separate updater is provided as `loki-upgrader.exe` or `loki-upgrader.py`. LOKI expects the IOCs and signatures of the `signature-base` repo in a subfolder named `signature-base`. 
@@ -265,6 +245,12 @@ The '''exclude.cfg''' looks like this:
     Sysvol\\Staging\\Nntfrs_cmp
     \\System Volume Information\\DFSR
 
+## PE-Sieve
+
+Since version 0.26 LOKI integrates @hasherezade's great tool [PE-Sieve](https://github.com/hasherezade/pe-sieve) to detect [process anomalies](https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/).
+
+The tool is initialized if LOKI finds it in the `./tools` sub folder during startup. 
+
 # Threat Intel Receivers
 
 Since version v0.10 LOKI includes various threat intel receivers using the public APIs of these services to retrieve and store the IOCs in a format that LOKI understands. It is no problem if these indicators overlap with the ones already included. Loki uses a filename regex or hash only once. (no preformance impact)