mirror of
https://github.com/mvt-project/mvt.git
synced 2024-06-18 02:24:04 +00:00
Merge branch 'feature/check-file-path'
This commit is contained in:
commit
083bc12351
|
@ -89,10 +89,6 @@ class Files(AndroidExtraction):
|
|||
return
|
||||
|
||||
for result in self.results:
|
||||
if self.indicators.check_file_name(result["path"]):
|
||||
self.log.warning("Found a known suspicous filename at path: \"%s\"", result["path"])
|
||||
self.detected.append(result)
|
||||
|
||||
if self.indicators.check_file_path(result["path"]):
|
||||
self.log.warning("Found a known suspicous file at path: \"%s\"", result["path"])
|
||||
self.detected.append(result)
|
||||
|
|
|
@ -25,6 +25,7 @@ class Indicators:
|
|||
self.ioc_processes = []
|
||||
self.ioc_emails = []
|
||||
self.ioc_files = []
|
||||
self.ioc_file_paths = []
|
||||
self.ioc_files_sha256 = []
|
||||
self.ioc_app_ids = []
|
||||
self.ios_profile_ids = []
|
||||
|
@ -109,6 +110,9 @@ class Indicators:
|
|||
elif key == "file:name":
|
||||
self._add_indicator(ioc=value,
|
||||
iocs_list=self.ioc_files)
|
||||
elif key == "file:path":
|
||||
self._add_indicator(ioc=value,
|
||||
iocs_list=self.ioc_file_paths)
|
||||
elif key == "app:id":
|
||||
self._add_indicator(ioc=value,
|
||||
iocs_list=self.ioc_app_ids)
|
||||
|
@ -272,30 +276,26 @@ class Indicators:
|
|||
|
||||
return False
|
||||
|
||||
def check_file_name(self, file_path) -> bool:
|
||||
"""Check the provided file path against the list of file indicators.
|
||||
def check_file_name(self, file_name) -> bool:
|
||||
"""Check the provided file name against the list of file indicators.
|
||||
|
||||
:param file_path: File path or file name to check against file
|
||||
:param file_name: File name to check against file
|
||||
indicators
|
||||
:type file_path: str
|
||||
:returns: True if the file path matched an indicator, otherwise False
|
||||
:type file_name: str
|
||||
:returns: True if the file name matched an indicator, otherwise False
|
||||
:rtype: bool
|
||||
|
||||
"""
|
||||
if not file_path:
|
||||
if not file_name:
|
||||
return False
|
||||
|
||||
file_name = os.path.basename(file_path)
|
||||
if file_name in self.ioc_files:
|
||||
return True
|
||||
|
||||
return False
|
||||
|
||||
# TODO: The difference between check_file_name() and check_file_path()
|
||||
# needs to be more explicit and clear. Probably, the two should just
|
||||
# be combined into one function.
|
||||
def check_file_path(self, file_path) -> bool:
|
||||
"""Check the provided file path against the list of file indicators.
|
||||
"""Check the provided file path against the list of file indicators (both path and name).
|
||||
|
||||
:param file_path: File path or file name to check against file
|
||||
indicators
|
||||
|
@ -307,7 +307,10 @@ class Indicators:
|
|||
if not file_path:
|
||||
return False
|
||||
|
||||
for ioc_file in self.ioc_files:
|
||||
if self.check_file_name(os.path.basename(file_path)):
|
||||
return True
|
||||
|
||||
for ioc_file in self.ioc_file_paths:
|
||||
# Strip any trailing slash from indicator paths to match directories.
|
||||
if file_path.startswith(ioc_file.rstrip("/")):
|
||||
return True
|
||||
|
|
|
@ -83,7 +83,7 @@ class Manifest(IOSExtraction):
|
|||
self.detected.append(result)
|
||||
continue
|
||||
|
||||
if self.indicators.check_file_name(result["relative_path"]):
|
||||
if self.indicators.check_file_path("/" + result["relative_path"]):
|
||||
self.log.warning("Found a known malicious file at path: %s", result["relative_path"])
|
||||
self.detected.append(result)
|
||||
continue
|
||||
|
|
|
@ -37,10 +37,6 @@ class Filesystem(IOSExtraction):
|
|||
return
|
||||
|
||||
for result in self.results:
|
||||
if self.indicators.check_file(result["path"]):
|
||||
self.log.warning("Found a known malicious file name at path: %s", result["path"])
|
||||
self.detected.append(result)
|
||||
|
||||
if self.indicators.check_file_path(result["path"]):
|
||||
self.log.warning("Found a known malicious file path at path: %s", result["path"])
|
||||
self.detected.append(result)
|
||||
|
|
|
@ -34,12 +34,19 @@ class ShutdownLog(IOSExtraction):
|
|||
return
|
||||
|
||||
for result in self.results:
|
||||
if self.indicators.check_file_path(result["client"]):
|
||||
self.log.warning("Found mention of a known malicious file \"%s\" in shutdown.log",
|
||||
result["client"])
|
||||
self.detected.append(result)
|
||||
continue
|
||||
|
||||
for ioc in self.indicators.ioc_processes:
|
||||
parts = result["client"].split("/")
|
||||
if ioc in parts:
|
||||
self.log.warning("Found mention of a known malicious process \"%s\" in shutdown.log",
|
||||
ioc)
|
||||
self.detected.append(result)
|
||||
continue
|
||||
|
||||
def process_shutdownlog(self, content):
|
||||
current_processes = []
|
||||
|
|
|
@ -41,13 +41,13 @@ class LocationdClients(IOSExtraction):
|
|||
|
||||
def serialize(self, record):
|
||||
records = []
|
||||
for ts in self.timestamps:
|
||||
if ts in record.keys():
|
||||
for timestamp in self.timestamps:
|
||||
if timestamp in record.keys():
|
||||
records.append({
|
||||
"timestamp": record[ts],
|
||||
"timestamp": record[timestamp],
|
||||
"module": self.__class__.__name__,
|
||||
"event": ts,
|
||||
"data": f"{ts} from {record['package']}"
|
||||
"event": timestamp,
|
||||
"data": f"{timestamp} from {record['package']}"
|
||||
})
|
||||
|
||||
return records
|
||||
|
@ -61,7 +61,31 @@ class LocationdClients(IOSExtraction):
|
|||
proc_name = parts[len(parts)-1]
|
||||
|
||||
if self.indicators.check_process(proc_name):
|
||||
self.log.warning("Found a suspicious process name in LocationD entry %s",
|
||||
result["package"])
|
||||
self.detected.append(result)
|
||||
continue
|
||||
|
||||
if "BundlePath" in result:
|
||||
if self.indicators.check_file_path(result["BundlePath"]):
|
||||
self.log.warning("Found a suspicious file path in Location D: %s",
|
||||
result["BundlePath"])
|
||||
self.detected.append(result)
|
||||
continue
|
||||
|
||||
if "Executable" in result:
|
||||
if self.indicators.check_file_path(result["Executable"]):
|
||||
self.log.warning("Found a suspicious file path in Location D: %s",
|
||||
result["Executable"])
|
||||
self.detected.append(result)
|
||||
continue
|
||||
|
||||
if "Registered" in result:
|
||||
if self.indicators.check_file_path(result["Registered"]):
|
||||
self.log.warning("Found a suspicious file path in Location D: %s",
|
||||
result["Registered"])
|
||||
self.detected.append(result)
|
||||
continue
|
||||
|
||||
def _extract_locationd_entries(self, file_path):
|
||||
with open(file_path, "rb") as handle:
|
||||
|
|
Loading…
Reference in New Issue
Block a user