diff --git a/mvt/android/modules/adb/files.py b/mvt/android/modules/adb/files.py
index d2d3b5c..63a5420 100644
--- a/mvt/android/modules/adb/files.py
+++ b/mvt/android/modules/adb/files.py
@@ -89,10 +89,6 @@ class Files(AndroidExtraction):
             return
 
         for result in self.results:
-            if self.indicators.check_file_name(result["path"]):
-                self.log.warning("Found a known suspicous filename at path: \"%s\"", result["path"])
-                self.detected.append(result)
-
             if self.indicators.check_file_path(result["path"]):
                 self.log.warning("Found a known suspicous file at path: \"%s\"", result["path"])
                 self.detected.append(result)
diff --git a/mvt/common/indicators.py b/mvt/common/indicators.py
index 6cc0848..05d09d0 100644
--- a/mvt/common/indicators.py
+++ b/mvt/common/indicators.py
@@ -25,6 +25,7 @@ class Indicators:
         self.ioc_processes = []
         self.ioc_emails = []
         self.ioc_files = []
+        self.ioc_file_paths = []
         self.ioc_files_sha256 = []
         self.ioc_app_ids = []
         self.ios_profile_ids = []
@@ -109,6 +110,9 @@ class Indicators:
         elif key == "file:name":
             self._add_indicator(ioc=value,
                                 iocs_list=self.ioc_files)
+        elif key == "file:path":
+            self._add_indicator(ioc=value,
+                                iocs_list=self.ioc_file_paths)
         elif key == "app:id":
             self._add_indicator(ioc=value,
                                 iocs_list=self.ioc_app_ids)
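Review bot: The new `file:path` branch in the indicator loader (second indicators.py hunk) gives no hint of how these values are matched, and the matching differs from `file:name`: check_file_path compares them as a prefix of the full path after stripping a trailing slash, so a bare file name stored under `file:path` can never match an absolute path. A one-line comment above the new elif, `# file:path values are prefix-matched against full paths (trailing "/" stripped); bare names belong under file:name`, would keep indicator authors from filing names in the wrong bucket. The adb files.py hunk on this line only drops the now-redundant check_file_name call and needs nothing.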
@@ -272,30 +276,26 @@ class Indicators:
         return False
 
-    def check_file_name(self, file_path) -> bool:
-        """Check the provided file path against the list of file indicators.
+    def check_file_name(self, file_name) -> bool:
+        """Check the provided file name against the list of file indicators.
 
-        :param file_path: File path or file name to check against file
+        :param file_name: File name to check against file
                           indicators
-        :type file_path: str
-        :returns: True if the file path matched an indicator, otherwise False
+        :type file_name: str
+        :returns: True if the file name matched an indicator, otherwise False
         :rtype: bool
 
         """
-        if not file_path:
+        if not file_name:
             return False
 
-        file_name = os.path.basename(file_path)
         if file_name in self.ioc_files:
             return True
 
         return False
 
-    # TODO: The difference between check_file_name() and check_file_path()
-    # needs to be more explicit and clear. Probably, the two should just
-    # be combined into one function.
     def check_file_path(self, file_path) -> bool:
-        """Check the provided file path against the list of file indicators.
+        """Check the provided file path against the list of file indicators (both path and name).
 
         :param file_path: File path or file name to check against file
                           indicators
@@ -307,7 +307,10 @@ class Indicators:
         if not file_path:
             return False
 
-        for ioc_file in self.ioc_files:
+        if self.check_file_name(os.path.basename(file_path)):
+            return True
+
+        for ioc_file in self.ioc_file_paths:
             # Strip any trailing slash from indicator paths to match directories.
             if file_path.startswith(ioc_file.rstrip("/")):
                 return True
diff --git a/mvt/ios/modules/backup/manifest.py b/mvt/ios/modules/backup/manifest.py
index 87d7859..41352d0 100644
--- a/mvt/ios/modules/backup/manifest.py
+++ b/mvt/ios/modules/backup/manifest.py
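Review bot: The prefix test that check_file_path now applies to the new ioc_file_paths list, `file_path.startswith(ioc_file.rstrip("/"))`, does not stop at a path component boundary, so an indicator such as `/var/app` (constructed example) also flags `/var/application/...`, and an indicator that is only `/` becomes empty after rstrip and matches every path. Comparing against the stripped prefix plus a separator closes both gaps: `prefix = ioc_file.rstrip("/")` followed by `if prefix and (file_path == prefix or file_path.startswith(prefix + "/")):`. The body of check_file_path continues past the end of the second hunk. Since the basename() call moved out of check_file_name, its docstring should also say that callers must pass a bare name and that a path passed here is compared verbatim and will not match.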
@@ -83,7 +83,7 @@ class Manifest(IOSExtraction):
                 self.detected.append(result)
                 continue
 
-            if self.indicators.check_file_name(result["relative_path"]):
+            if self.indicators.check_file_path("/" + result["relative_path"]):
                 self.log.warning("Found a known malicious file at path: %s", result["relative_path"])
                 self.detected.append(result)
                 continue
diff --git a/mvt/ios/modules/fs/filesystem.py b/mvt/ios/modules/fs/filesystem.py
index be89191..c68ee82 100644
--- a/mvt/ios/modules/fs/filesystem.py
+++ b/mvt/ios/modules/fs/filesystem.py
@@ -37,10 +37,6 @@ class Filesystem(IOSExtraction):
             return
 
         for result in self.results:
-            if self.indicators.check_file(result["path"]):
-                self.log.warning("Found a known malicious file name at path: %s", result["path"])
-                self.detected.append(result)
-
             if self.indicators.check_file_path(result["path"]):
                 self.log.warning("Found a known malicious file path at path: %s", result["path"])
                 self.detected.append(result)
diff --git a/mvt/ios/modules/fs/shutdownlog.py b/mvt/ios/modules/fs/shutdownlog.py
index 3a3fa8c..1893e26 100644
--- a/mvt/ios/modules/fs/shutdownlog.py
+++ b/mvt/ios/modules/fs/shutdownlog.py
@@ -34,12 +34,19 @@ class ShutdownLog(IOSExtraction):
             return
 
         for result in self.results:
+            if self.indicators.check_file_path(result["client"]):
+                self.log.warning("Found mention of a known malicious file \"%s\" in shutdown.log",
+                                 result["client"])
+                self.detected.append(result)
+                continue
+
             for ioc in self.indicators.ioc_processes:
                 parts = result["client"].split("/")
                 if ioc in parts:
                     self.log.warning("Found mention of a known malicious process \"%s\" in shutdown.log",
                                      ioc)
                     self.detected.append(result)
+                    continue
 
     def process_shutdownlog(self, content):
         current_processes = []
diff --git a/mvt/ios/modules/mixed/locationd.py b/mvt/ios/modules/mixed/locationd.py
index 8d97103..f20c43b 100644
--- a/mvt/ios/modules/mixed/locationd.py
+++ b/mvt/ios/modules/mixed/locationd.py
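Review bot: In the manifest.py hunk, prefixing `"/"` to `result["relative_path"]` presents a backup path as absolute, but if relative_path is relative to the backup domain (as the name suggests; not verifiable from this hunk) then path indicators written as full device paths will never prefix-match it, and only the basename check inside check_file_path is effective. That asymmetry is worth recording above the call: `# relative_path is domain-relative: only the file-name half of check_file_path can match here`. The enclosing loop starts before this hunk.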
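Review bot: In the shutdownlog.py hunk, the `continue` added at the end of the inner `for ioc in self.indicators.ioc_processes` body is a no-op, because it is the last statement of that loop and only advances the inner loop; it does not move on to the next result as the `continue` in the new check_file_path branch above it does. If the intent is to stop after the first matching process so that a result is not appended once per matching indicator, the line should be `break`. The `parts = result["client"].split("/")` line is also recomputed on every inner iteration and could be hoisted above the inner loop.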
@@ -41,13 +41,13 @@ class LocationdClients(IOSExtraction):
     def serialize(self, record):
         records = []
-        for ts in self.timestamps:
-            if ts in record.keys():
+        for timestamp in self.timestamps:
+            if timestamp in record.keys():
                 records.append({
-                    "timestamp": record[ts],
+                    "timestamp": record[timestamp],
                     "module": self.__class__.__name__,
-                    "event": ts,
-                    "data": f"{ts} from {record['package']}"
+                    "event": timestamp,
+                    "data": f"{timestamp} from {record['package']}"
                 })
         return records
@@ -61,7 +61,31 @@ class LocationdClients(IOSExtraction):
             proc_name = parts[len(parts)-1]
             if self.indicators.check_process(proc_name):
+                self.log.warning("Found a suspicious process name in LocationD entry %s",
+                                 result["package"])
                 self.detected.append(result)
+                continue
+
+            if "BundlePath" in result:
+                if self.indicators.check_file_path(result["BundlePath"]):
+                    self.log.warning("Found a suspicious file path in Location D: %s",
+                                     result["BundlePath"])
+                    self.detected.append(result)
+                    continue
+
+            if "Executable" in result:
+                if self.indicators.check_file_path(result["Executable"]):
+                    self.log.warning("Found a suspicious file path in Location D: %s",
+                                     result["Executable"])
+                    self.detected.append(result)
+                    continue
+
+            if "Registered" in result:
+                if self.indicators.check_file_path(result["Registered"]):
+                    self.log.warning("Found a suspicious file path in Location D: %s",
+                                     result["Registered"])
+                    self.detected.append(result)
+                    continue
 
     def _extract_locationd_entries(self, file_path):
         with open(file_path, "rb") as handle:
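Review bot: The second locationd.py hunk repeats the same five-line block three times for `BundlePath`, `Executable` and `Registered`, differing only in the key, which is a style issue and also makes it easy for the three copies to drift (the log text already says "Location D" here but "LocationD" in the process branch). A loop over the three keys with a `break` after the first hit gives the same behaviour, since nothing follows these checks in the loop body. The enclosing method starts before the hunk; the serialize hunk on this line is a plain rename and needs nothing.
```python
            # … unchanged: proc_name / check_process branch …
            for key in ("BundlePath", "Executable", "Registered"):
                if key in result and self.indicators.check_file_path(result[key]):
                    self.log.warning("Found a suspicious file path in Location D: %s",
                                     result[key])
                    self.detected.append(result)
                    break
```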