Merge branch 'feature/check-file-path'
083bc12351
@ -89,10 +89,6 @@ class Files(AndroidExtraction):
|
||||||
return
|
return
|
||||||
|
|
||||||
for result in self.results:
|
for result in self.results:
|
||||||
if self.indicators.check_file_name(result["path"]):
|
|
||||||
self.log.warning("Found a known suspicous filename at path: \"%s\"", result["path"])
|
|
||||||
self.detected.append(result)
|
|
||||||
|
|
||||||
if self.indicators.check_file_path(result["path"]):
|
if self.indicators.check_file_path(result["path"]):
|
||||||
self.log.warning("Found a known suspicous file at path: \"%s\"", result["path"])
|
self.log.warning("Found a known suspicous file at path: \"%s\"", result["path"])
|
||||||
self.detected.append(result)
|
self.detected.append(result)
|
||||||
|
|
|
@ -25,6 +25,7 @@ class Indicators:
|
||||||
self.ioc_processes = []
|
self.ioc_processes = []
|
||||||
self.ioc_emails = []
|
self.ioc_emails = []
|
||||||
self.ioc_files = []
|
self.ioc_files = []
|
||||||
|
self.ioc_file_paths = []
|
||||||
self.ioc_files_sha256 = []
|
self.ioc_files_sha256 = []
|
||||||
self.ioc_app_ids = []
|
self.ioc_app_ids = []
|
||||||
self.ios_profile_ids = []
|
self.ios_profile_ids = []
|
||||||
|
@ -109,6 +110,9 @@ class Indicators:
|
||||||
elif key == "file:name":
|
elif key == "file:name":
|
||||||
self._add_indicator(ioc=value,
|
self._add_indicator(ioc=value,
|
||||||
iocs_list=self.ioc_files)
|
iocs_list=self.ioc_files)
|
||||||
|
elif key == "file:path":
|
||||||
|
self._add_indicator(ioc=value,
|
||||||
|
iocs_list=self.ioc_file_paths)
|
||||||
elif key == "app:id":
|
elif key == "app:id":
|
||||||
self._add_indicator(ioc=value,
|
self._add_indicator(ioc=value,
|
||||||
iocs_list=self.ioc_app_ids)
|
iocs_list=self.ioc_app_ids)
|
||||||
|
@ -272,30 +276,26 @@ class Indicators:
|
||||||
|
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def check_file_name(self, file_path) -> bool:
|
def check_file_name(self, file_name) -> bool:
|
||||||
"""Check the provided file path against the list of file indicators.
|
"""Check the provided file name against the list of file indicators.
|
||||||
|
|
||||||
:param file_path: File path or file name to check against file
|
:param file_name: File name to check against file
|
||||||
indicators
|
indicators
|
||||||
:type file_path: str
|
:type file_name: str
|
||||||
:returns: True if the file path matched an indicator, otherwise False
|
:returns: True if the file name matched an indicator, otherwise False
|
||||||
:rtype: bool
|
:rtype: bool
|
||||||
|
|
||||||
"""
|
"""
|
||||||
if not file_path:
|
if not file_name:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
file_name = os.path.basename(file_path)
|
|
||||||
if file_name in self.ioc_files:
|
if file_name in self.ioc_files:
|
||||||
return True
|
return True
|
||||||
|
|
||||||
return False
|
return False
|
||||||
|
|
||||||
# TODO: The difference between check_file_name() and check_file_path()
|
|
||||||
# needs to be more explicit and clear. Probably, the two should just
|
|
||||||
# be combined into one function.
|
|
||||||
def check_file_path(self, file_path) -> bool:
|
def check_file_path(self, file_path) -> bool:
|
||||||
"""Check the provided file path against the list of file indicators.
|
"""Check the provided file path against the list of file indicators (both path and name).
|
||||||
|
|
||||||
:param file_path: File path or file name to check against file
|
:param file_path: File path or file name to check against file
|
||||||
indicators
|
indicators
|
||||||
|
@ -307,7 +307,10 @@ class Indicators:
|
||||||
if not file_path:
|
if not file_path:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
for ioc_file in self.ioc_files:
|
if self.check_file_name(os.path.basename(file_path)):
|
||||||
|
return True
|
||||||
|
|
||||||
|
for ioc_file in self.ioc_file_paths:
|
||||||
# Strip any trailing slash from indicator paths to match directories.
|
# Strip any trailing slash from indicator paths to match directories.
|
||||||
if file_path.startswith(ioc_file.rstrip("/")):
|
if file_path.startswith(ioc_file.rstrip("/")):
|
||||||
return True
|
return True
|
||||||
|
|
|
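Review bot: The new `ioc_file_paths` loop in check_file_path matches on a bare string prefix, so `file_path.startswith(ioc_file.rstrip("/"))` lets an indicator `/var/mobile/foo` fire on `/var/mobile/foobar`, and an indicator of `/` alone strips to the empty string and matches every path scanned. Anchor the comparison at a path-component boundary and skip empty prefixes: `prefix = ioc_file.rstrip("/")`, `if not prefix: continue`, `if file_path == prefix or file_path.startswith(prefix + "/"):`. Separately, check_file_name no longer takes the basename of its argument, so any caller outside this commit that still passes a full path stops matching silently; a docstring line such as `Callers holding a full path should use check_file_path() instead.` would make the new contract explicit. The body of check_file_path begins in the previous hunk and its closing lines fall outside this one.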
@ -83,7 +83,7 @@ class Manifest(IOSExtraction):
|
||||||
self.detected.append(result)
|
self.detected.append(result)
|
||||||
continue
|
continue
|
||||||
|
|
||||||
if self.indicators.check_file_name(result["relative_path"]):
|
if self.indicators.check_file_path("/" + result["relative_path"]):
|
||||||
self.log.warning("Found a known malicious file at path: %s", result["relative_path"])
|
self.log.warning("Found a known malicious file at path: %s", result["relative_path"])
|
||||||
self.detected.append(result)
|
self.detected.append(result)
|
||||||
continue
|
continue
|
||||||
|
|
|
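Review bot: The changed call builds `"/" + result["relative_path"]` to feed check_file_path, but the hunk does not show whether relative_path is a device-absolute path with the slash stripped or a domain-relative backup path (e.g. `Library/...`); if it is the latter, the synthesised `/Library/...` will not prefix-match absolute path indicators such as those under `/private/var/`, and only the basename check inside check_file_path will still fire. If that is the intended behaviour, say so on the line: `# relative_path is domain-relative; the leading "/" only normalises it for the path-indicator prefix check.` If absolute matching is wanted, the domain root would need to be resolved before the check. The enclosing method starts before this hunk.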
@ -37,10 +37,6 @@ class Filesystem(IOSExtraction):
|
||||||
return
|
return
|
||||||
|
|
||||||
for result in self.results:
|
for result in self.results:
|
||||||
if self.indicators.check_file(result["path"]):
|
|
||||||
self.log.warning("Found a known malicious file name at path: %s", result["path"])
|
|
||||||
self.detected.append(result)
|
|
||||||
|
|
||||||
if self.indicators.check_file_path(result["path"]):
|
if self.indicators.check_file_path(result["path"]):
|
||||||
self.log.warning("Found a known malicious file path at path: %s", result["path"])
|
self.log.warning("Found a known malicious file path at path: %s", result["path"])
|
||||||
self.detected.append(result)
|
self.detected.append(result)
|
||||||
|
|
|
@ -34,12 +34,19 @@ class ShutdownLog(IOSExtraction):
|
||||||
return
|
return
|
||||||
|
|
||||||
for result in self.results:
|
for result in self.results:
|
||||||
|
if self.indicators.check_file_path(result["client"]):
|
||||||
|
self.log.warning("Found mention of a known malicious file \"%s\" in shutdown.log",
|
||||||
|
result["client"])
|
||||||
|
self.detected.append(result)
|
||||||
|
continue
|
||||||
|
|
||||||
for ioc in self.indicators.ioc_processes:
|
for ioc in self.indicators.ioc_processes:
|
||||||
parts = result["client"].split("/")
|
parts = result["client"].split("/")
|
||||||
if ioc in parts:
|
if ioc in parts:
|
||||||
self.log.warning("Found mention of a known malicious process \"%s\" in shutdown.log",
|
self.log.warning("Found mention of a known malicious process \"%s\" in shutdown.log",
|
||||||
ioc)
|
ioc)
|
||||||
self.detected.append(result)
|
self.detected.append(result)
|
||||||
|
continue
|
||||||
|
|
||||||
def process_shutdownlog(self, content):
|
def process_shutdownlog(self, content):
|
||||||
current_processes = []
|
current_processes = []
|
||||||
|
|
|
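Review bot: The added `continue` after `self.detected.append(result)` in the process-indicator block sits inside the inner `for ioc in self.indicators.ioc_processes:` loop as the hunk is indented, so it only advances to the next ioc rather than the next result; a client path that matches two process indicators is appended to self.detected twice and logged twice. Use `break` there instead, which ends the inner loop and falls through to the next result. While touching that loop, `parts = result["client"].split("/")` does not depend on ioc and can be hoisted to just above the `for ioc` line. The enclosing method starts before this hunk.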
@ -41,13 +41,13 @@ class LocationdClients(IOSExtraction):
|
||||||
|
|
||||||
def serialize(self, record):
|
def serialize(self, record):
|
||||||
records = []
|
records = []
|
||||||
for ts in self.timestamps:
|
for timestamp in self.timestamps:
|
||||||
if ts in record.keys():
|
if timestamp in record.keys():
|
||||||
records.append({
|
records.append({
|
||||||
"timestamp": record[ts],
|
"timestamp": record[timestamp],
|
||||||
"module": self.__class__.__name__,
|
"module": self.__class__.__name__,
|
||||||
"event": ts,
|
"event": timestamp,
|
||||||
"data": f"{ts} from {record['package']}"
|
"data": f"{timestamp} from {record['package']}"
|
||||||
})
|
})
|
||||||
|
|
||||||
return records
|
return records
|
||||||
|
@ -61,7 +61,31 @@ class LocationdClients(IOSExtraction):
|
||||||
proc_name = parts[len(parts)-1]
|
proc_name = parts[len(parts)-1]
|
||||||
|
|
||||||
if self.indicators.check_process(proc_name):
|
if self.indicators.check_process(proc_name):
|
||||||
|
self.log.warning("Found a suspicious process name in LocationD entry %s",
|
||||||
|
result["package"])
|
||||||
self.detected.append(result)
|
self.detected.append(result)
|
||||||
|
continue
|
||||||
|
|
||||||
|
if "BundlePath" in result:
|
||||||
|
if self.indicators.check_file_path(result["BundlePath"]):
|
||||||
|
self.log.warning("Found a suspicious file path in Location D: %s",
|
||||||
|
result["BundlePath"])
|
||||||
|
self.detected.append(result)
|
||||||
|
continue
|
||||||
|
|
||||||
|
if "Executable" in result:
|
||||||
|
if self.indicators.check_file_path(result["Executable"]):
|
||||||
|
self.log.warning("Found a suspicious file path in Location D: %s",
|
||||||
|
result["Executable"])
|
||||||
|
self.detected.append(result)
|
||||||
|
continue
|
||||||
|
|
||||||
|
if "Registered" in result:
|
||||||
|
if self.indicators.check_file_path(result["Registered"]):
|
||||||
|
self.log.warning("Found a suspicious file path in Location D: %s",
|
||||||
|
result["Registered"])
|
||||||
|
self.detected.append(result)
|
||||||
|
continue
|
||||||
|
|
||||||
def _extract_locationd_entries(self, file_path):
|
def _extract_locationd_entries(self, file_path):
|
||||||
with open(file_path, "rb") as handle:
|
with open(file_path, "rb") as handle:
|
||||||
|
|
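Review bot: The three added blocks for `BundlePath`, `Executable` and `Registered` are the same five lines repeated with only the key name changed, which makes it easy for a future key to be added to one block and not another and for the warning text to drift; the process-name block just above still uses its own `continue`, so a single loop over the key names with a `break` on the first hit preserves the one-detection-per-result behaviour. The enclosing method starts before this hunk; the `_extract_locationd_entries` definition at the bottom continues past it.
```python
            # … unchanged: process-name check on proc_name …
            for key in ("BundlePath", "Executable", "Registered"):
                if key in result and self.indicators.check_file_path(result[key]):
                    self.log.warning("Found a suspicious file path in Location D: %s",
                                     result[key])
                    self.detected.append(result)
                    break
```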