crt0mega
/
mvt
mirror of https://github.com/mvt-project/mvt.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Improves management of file path indicators

This commit is contained in:
tek 2022-01-18 15:50:31 +01:00
parent 798805c583
commit 38bb583a9e
6 changed files with 52 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
mvt/android/modules/adb/files.py
View File

@ -89,10 +89,6 @@ class Files(AndroidExtraction):
return
for result in self.results:
if self.indicators.check_file_name(result["path"]):
self.log.warning("Found a known suspicous filename at path: \"%s\"", result["path"])
self.detected.append(result)
if self.indicators.check_file_path(result["path"]):
self.log.warning("Found a known suspicous file at path: \"%s\"", result["path"])
self.detected.append(result)

27
mvt/common/indicators.py
View File

@ -25,6 +25,7 @@ class Indicators:
self.ioc_processes = []
self.ioc_emails = []
self.ioc_files = []
self.ioc_file_paths = []
self.ioc_files_sha256 = []
self.ioc_app_ids = []
self.ios_profile_ids = []
@ -108,6 +109,9 @@ class Indicators:
elif key == "file:name":
self._add_indicator(ioc=value,
iocs_list=self.ioc_files)
elif key == "file:path":
self._add_indicator(ioc=value,
iocs_list=self.ioc_file_paths)
elif key == "app:id":
self._add_indicator(ioc=value,
iocs_list=self.ioc_app_ids)
@ -271,30 +275,26 @@ class Indicators:
return False
def check_file_name(self, file_path) -> bool:
"""Check the provided file path against the list of file indicators.
def check_file_name(self, file_name) -> bool:
"""Check the provided file name against the list of file indicators.
:param file_path: File path or file name to check against file
:param file_name: File name to check against file
indicators
:type file_path: str
:returns: True if the file path matched an indicator, otherwise False
:type file_name: str
:returns: True if the file name matched an indicator, otherwise False
:rtype: bool
"""
if not file_path:
if not file_name:
return False
file_name = os.path.basename(file_path)
if file_name in self.ioc_files:
return True
return False
# TODO: The difference between check_file_name() and check_file_path()
# needs to be more explicit and clear. Probably, the two should just
# be combined into one function.
def check_file_path(self, file_path) -> bool:
"""Check the provided file path against the list of file indicators.
"""Check the provided file path against the list of file indicators (both path and name).
:param file_path: File path or file name to check against file
indicators
@ -306,7 +306,10 @@ class Indicators:
if not file_path:
return False
for ioc_file in self.ioc_files:
if self.check_file_name(os.path.basename(file_path)):
return True
for ioc_file in self.ioc_file_paths:
# Strip any trailing slash from indicator paths to match directories.
if file_path.startswith(ioc_file.rstrip("/")):
return True

2
mvt/ios/modules/backup/manifest.py
View File

@ -83,7 +83,7 @@ class Manifest(IOSExtraction):
self.detected.append(result)
continue
if self.indicators.check_file_name(result["relative_path"]):
if self.indicators.check_file_path("/" + result["relative_path"]):
self.log.warning("Found a known malicious file at path: %s", result["relative_path"])
self.detected.append(result)
continue

4
mvt/ios/modules/fs/filesystem.py
View File

@ -37,10 +37,6 @@ class Filesystem(IOSExtraction):
return
for result in self.results:
if self.indicators.check_file(result["path"]):
self.log.warning("Found a known malicious file name at path: %s", result["path"])
self.detected.append(result)
if self.indicators.check_file_path(result["path"]):
self.log.warning("Found a known malicious file path at path: %s", result["path"])
self.detected.append(result)

7
mvt/ios/modules/fs/shutdownlog.py
View File

@ -34,12 +34,19 @@ class ShutdownLog(IOSExtraction):
return
for result in self.results:
if self.indicators.check_file_path(result["client"]):
self.log.warning("Found mention of a known malicious file \"%s\" in shutdown.log",
result["client"])
self.detected.append(result)
continue
for ioc in self.indicators.ioc_processes:
parts = result["client"].split("/")
if ioc in parts:
self.log.warning("Found mention of a known malicious process \"%s\" in shutdown.log",
ioc)
self.detected.append(result)
continue
def process_shutdownlog(self, content):
current_processes = []

34
mvt/ios/modules/mixed/locationd.py
View File

@ -41,13 +41,13 @@ class LocationdClients(IOSExtraction):
def serialize(self, record):
records = []
for ts in self.timestamps:
if ts in record.keys():
for timestamp in self.timestamps:
if timestamp in record.keys():
records.append({
"timestamp": record[ts],
"timestamp": record[timestamp],
"module": self.__class__.__name__,
"event": ts,
"data": f"{ts} from {record['package']}"
"event": timestamp,
"data": f"{timestamp} from {record['package']}"
})
return records
@ -61,7 +61,31 @@ class LocationdClients(IOSExtraction):
proc_name = parts[len(parts)-1]
if self.indicators.check_process(proc_name):
self.log.warning("Found a suspicious process name in LocationD entry %s",
result["package"])
self.detected.append(result)
continue
if "BundlePath" in result:
if self.indicators.check_file_path(result["BundlePath"]):
self.log.warning("Found a suspicious file path in Location D: %s",
result["BundlePath"])
self.detected.append(result)
continue
if "Executable" in result:
if self.indicators.check_file_path(result["Executable"]):
self.log.warning("Found a suspicious file path in Location D: %s",
result["Executable"])
self.detected.append(result)
continue
if "Registered" in result:
if self.indicators.check_file_path(result["Registered"]):
self.log.warning("Found a suspicious file path in Location D: %s",
result["Registered"])
self.detected.append(result)
continue
def _extract_locationd_entries(self, file_path):
with open(file_path, "rb") as handle: