From e0514b20dd6db1248f0439aa5dc382cbf8b96e0d Mon Sep 17 00:00:00 2001 From: tek Date: Mon, 10 Jan 2022 16:58:12 +0100 Subject: [PATCH 01/16] Catches exception in Shortcuts module if the table does not exist --- mvt/ios/modules/mixed/shortcuts.py | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/mvt/ios/modules/mixed/shortcuts.py b/mvt/ios/modules/mixed/shortcuts.py index 77711fd..398bfd0 100644 --- a/mvt/ios/modules/mixed/shortcuts.py +++ b/mvt/ios/modules/mixed/shortcuts.py @@ -57,17 +57,25 @@ class Shortcuts(IOSExtraction): conn = sqlite3.connect(self.file_path) conn.text_factory = bytes cur = conn.cursor() - cur.execute(""" - SELECT - ZSHORTCUT.Z_PK as "shortcut_id", - ZSHORTCUT.ZNAME as "shortcut_name", - ZSHORTCUT.ZCREATIONDATE as "created_date", - ZSHORTCUT.ZMODIFICATIONDATE as "modified_date", - ZSHORTCUT.ZACTIONSDESCRIPTION as "description", - ZSHORTCUTACTIONS.ZDATA as "action_data" - FROM ZSHORTCUT - LEFT JOIN ZSHORTCUTACTIONS ON ZSHORTCUTACTIONS.ZSHORTCUT == ZSHORTCUT.Z_PK; - """) + try: + cur.execute(""" + SELECT + ZSHORTCUT.Z_PK as "shortcut_id", + ZSHORTCUT.ZNAME as "shortcut_name", + ZSHORTCUT.ZCREATIONDATE as "created_date", + ZSHORTCUT.ZMODIFICATIONDATE as "modified_date", + ZSHORTCUT.ZACTIONSDESCRIPTION as "description", + ZSHORTCUTACTIONS.ZDATA as "action_data" + FROM ZSHORTCUT + LEFT JOIN ZSHORTCUTACTIONS ON ZSHORTCUTACTIONS.ZSHORTCUT == ZSHORTCUT.Z_PK; + """) + except sqlite3.OperationalError: + # Table ZSHORTCUT does not exist + self.log.info("Invalid shortcut database format, skipping...") + cur.close() + conn.close() + return + names = [description[0] for description in cur.description] for item in cur: From 15fbedccc9df4b8b936a9cf29e9e676336500239 Mon Sep 17 00:00:00 2001 
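Review bot: The new `except sqlite3.OperationalError` around `cur.execute` catches more than the missing-table case its comment describes — a locked, corrupt or differently-schemed database raises the same exception and is then reported at info level as "Invalid shortcut database format" without the underlying message, which for a forensic extraction hides a failure worth looking at. Bind the exception and include it, e.g. `except sqlite3.OperationalError as exc:` / `self.log.info("Invalid shortcut database format, skipping... (%s)", exc)`, or test for `"no such table"` in `str(exc)` and re-raise anything else. Closing `cur`/`conn` before the early return is right; a `try`/`finally` or `contextlib.closing` would also cover the success path if the `for item in cur` loop below raises. The enclosing method starts and ends outside the hunk.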
From: tek Date: Mon, 10 Jan 2022 18:09:31 +0100 Subject: [PATCH 02/16] Fixes a minor bug in WebkitResourceLoadStatistics --- mvt/ios/modules/mixed/webkit_resource_load_statistics.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mvt/ios/modules/mixed/webkit_resource_load_statistics.py b/mvt/ios/modules/mixed/webkit_resource_load_statistics.py index fb93a72..fa4df9b 100644 --- a/mvt/ios/modules/mixed/webkit_resource_load_statistics.py +++ b/mvt/ios/modules/mixed/webkit_resource_load_statistics.py @@ -77,7 +77,8 @@ class WebkitResourceLoadStatistics(IOSExtraction): for backup_file in self._get_backup_files_from_manifest(relative_path=WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH): db_path = self._get_backup_file_from_id(backup_file["file_id"]) key = f"{backup_file['domain']}/{WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH}" - self._process_observations_db(db_path=db_path, key=key) + if db_path: + self._process_observations_db(db_path=db_path, key=key) except Exception as e: self.log.info("Unable to search for WebKit observations.db: %s", e) elif self.is_fs_dump: From 16a0de3af425208ac0ec22b162e76c7306f01cb5 Mon Sep 17 00:00:00 2001 From: Nex Date: Tue, 11 Jan 2022 15:16:26 +0100 Subject: [PATCH 03/16] Added new module to highlight installed accessibility services --- mvt/android/modules/adb/__init__.py | 3 +- .../modules/adb/dumpsys_accessibility.py | 53 +++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 mvt/android/modules/adb/dumpsys_accessibility.py diff --git a/mvt/android/modules/adb/__init__.py b/mvt/android/modules/adb/__init__.py index 2784ce2..eb583d7 100644 --- a/mvt/android/modules/adb/__init__.py +++ b/mvt/android/modules/adb/__init__.py 
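Review bot: The added `if db_path:` guard silently drops a manifest entry whose backup file cannot be resolved, and nothing records that it happened; for a forensic module a manifest entry with no corresponding file is itself worth surfacing. Add an `else` branch that logs it, e.g. `else:` / `self.log.info("Unable to find backup file %s for %s", backup_file["file_id"], key)`. The surrounding `except Exception` (visible as context) still reports everything else at info level, so a real parsing failure and a merely absent file remain hard to tell apart in the log. The enclosing method starts and ends outside the hunk.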
@@ -4,6 +4,7 @@ # https://license.mvt.re/1.1/ from .chrome_history import ChromeHistory +from .dumpsys_accessibility import DumpsysAccessibility from .dumpsys_batterystats import DumpsysBatterystats from .dumpsys_full import DumpsysFull from .dumpsys_packages import DumpsysPackages @@ -18,6 +19,6 @@ from .sms import SMS from .whatsapp import Whatsapp ADB_MODULES = [ChromeHistory, SMS, Whatsapp, Processes, - DumpsysBatterystats, DumpsysProcstats, + DumpsysAccessibility, DumpsysBatterystats, DumpsysProcstats, DumpsysPackages, DumpsysReceivers, DumpsysFull, Packages, RootBinaries, Logcat, Files] diff --git a/mvt/android/modules/adb/dumpsys_accessibility.py b/mvt/android/modules/adb/dumpsys_accessibility.py new file mode 100644 index 0000000..83d6673 --- /dev/null +++ b/mvt/android/modules/adb/dumpsys_accessibility.py 
@@ -0,0 +1,53 @@ +# Mobile Verification Toolkit (MVT) +# Copyright (c) 2021 The MVT Project Authors. +# Use of this software is governed by the MVT License 1.1 that can be found at +# https://license.mvt.re/1.1/ + +import logging +import os +import io + +from .base import AndroidExtraction + +log = logging.getLogger(__name__) + + +class DumpsysAccessibility(AndroidExtraction): + """This module extracts stats on accessibility.""" + + def __init__(self, file_path=None, base_folder=None, output_folder=None, + serial=None, fast_mode=False, log=None, results=[]): + super().__init__(file_path=file_path, base_folder=base_folder, + output_folder=output_folder, fast_mode=fast_mode, + log=log, results=results) + + def run(self): + self._adb_connect() + + stats = self._adb_command("dumpsys accessibility") + + in_services = False + for line in stats.split("\n"): + if line.strip().startswith("installed services:"): + in_services = True + continue + + if in_services and line.strip() == "}": + break + + if not in_services: + continue + + service = line.split(":")[1].strip() + log.info("Found installed accessibility service \"%s\"", service) + + if self.output_folder: + acc_path = os.path.join(self.output_folder, + "dumpsys_accessibility.txt") + with io.open(acc_path, "w", encoding="utf-8") as handle: + handle.write(stats) + + log.info("Records from dumpsys accessibility stored at %s", + acc_path) + + self._adb_disconnect() From 637aebcd8934d2db76928ecd8355068b71b28173 Mon Sep 17 00:00:00 2001 From: Nex Date: Tue, 11 Jan 2022 15:53:10 +0100 Subject: [PATCH 04/16] Small cleanup --- mvt/android/modules/adb/dumpsys_accessibility.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mvt/android/modules/adb/dumpsys_accessibility.py b/mvt/android/modules/adb/dumpsys_accessibility.py index 83d6673..eb03122 100644 --- a/mvt/android/modules/adb/dumpsys_accessibility.py +++ b/mvt/android/modules/adb/dumpsys_accessibility.py 
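Review bot: `DumpsysAccessibility.__init__` accepts `serial` but does not forward it to `super().__init__`, so a serial passed to this module is presumably dropped while every other keyword argument is forwarded; add `serial=serial` to the super call if the base class accepts it. The `run` loop only logs each service it finds and never appends to `self.results`, so the installed accessibility services — a primary stalkerware foothold — are not written to the module output and cannot be matched against indicators the way `Files` uses `self.results`/`self.detected`; `self.results.append({"service": service})` after the log call would fix that. `results=[]` is a shared mutable default; prefer `results=None` and pass `results or []` to the base. Finally, `self._adb_disconnect()` is skipped if `_adb_command` or the file write raises, so wrapping the body in `try`/`finally` keeps the ADB connection from leaking.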
@@ -32,12 +32,12 @@ class DumpsysAccessibility(AndroidExtraction): in_services = True continue - if in_services and line.strip() == "}": - break - if not in_services: continue + if line.strip() == "}": + break + service = line.split(":")[1].strip() log.info("Found installed accessibility service \"%s\"", service) From f63cb585b29e0fd448fc5509312575ea19dfa353 Mon Sep 17 00:00:00 2001 From: Nex Date: Tue, 11 Jan 2022 15:59:01 +0100 Subject: [PATCH 05/16] Shortened command to download-iocs --- docs/iocs.md | 2 +- mvt/android/cli.py | 4 ++-- mvt/ios/cli.py | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/iocs.md b/docs/iocs.md index c05b887..870e283 100644 --- a/docs/iocs.md +++ b/docs/iocs.md @@ -41,6 +41,6 @@ export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2" - [Predator from Cytrox](https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/) ([STIX2](https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-12-16_cytrox/cytrox.stix2)) - [This repository](https://github.com/Te-k/stalkerware-indicators) contains IOCs for Android stalkerware including [a STIX MVT-compatible file](https://raw.githubusercontent.com/Te-k/stalkerware-indicators/master/stalkerware.stix2). -You can automaticallly download the latest public indicator files with the command `mvt-ios download-indicators` or `mvt-android download-indicators`. +You can automaticallly download the latest public indicator files with the command `mvt-ios download-iocs` or `mvt-android download-iocs`. Please [open an issue](https://github.com/mvt-project/mvt/issues/) to suggest new sources of STIX-formatted IOCs. diff --git a/mvt/android/cli.py b/mvt/android/cli.py index b8d3e19..d262a19 100644 --- a/mvt/android/cli.py +++ b/mvt/android/cli.py 
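Review bot: `line.split(":")[1]` on the line after the moved `}` check raises `IndexError` for any line inside the services block that has no colon (a blank line, or a differently formatted entry on another Android release), which aborts the whole module; `dumpsys` output is device-controlled text, so the parser should tolerate it. Use `_, sep, service = line.partition(":")` / `if not sep: continue` / `service = service.strip()` instead. `partition` also keeps everything after the first colon, whereas `split(":")[1]` truncates a value that contains a second colon. The enclosing `run` method starts and ends outside the hunk.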
@@ -200,8 +200,8 @@ def check_backup(ctx, iocs, output, backup_path, serial): run_module(m) #============================================================================== -# Command: download-indicators +# Command: download-iocs #============================================================================== -@cli.command("download-indicators", help="Download public STIX2 indicators") +@cli.command("download-iocs", help="Download public STIX2 indicators") def download_indicators(): download_indicators_files(log) diff --git a/mvt/ios/cli.py b/mvt/ios/cli.py index f803abd..045d7d1 100644 --- a/mvt/ios/cli.py +++ b/mvt/ios/cli.py @@ -296,8 +296,8 @@ def check_iocs(ctx, iocs, list_modules, module, folder): continue #============================================================================== -# Command: download-indicators +# Command: download-iocs #============================================================================== -@cli.command("download-indicators", help="Download public STIX2 indicators") +@cli.command("download-iocs", help="Download public STIX2 indicators") def download_indicators(): download_indicators_files(log) From 3084876f312137ae06f431d680d8357f0788458c Mon Sep 17 00:00:00 2001 From: Nex Date: Tue, 11 Jan 2022 16:02:01 +0100 Subject: [PATCH 06/16] Removing unused imports, fixing conditions, new lines --- mvt/android/cli.py | 1 + mvt/android/modules/adb/files.py | 9 ++++----- mvt/ios/cli.py | 2 +- mvt/ios/modules/backup/configuration_profiles.py | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/mvt/android/cli.py b/mvt/android/cli.py index d262a19..33649da 100644 --- a/mvt/android/cli.py +++ b/mvt/android/cli.py @@ -199,6 +199,7 @@ def check_backup(ctx, iocs, output, backup_path, serial): run_module(m) + #============================================================================== # Command: download-iocs #============================================================================== 
diff --git a/mvt/android/modules/adb/files.py b/mvt/android/modules/adb/files.py index 926a0a0..bbdd2a1 100644 --- a/mvt/android/modules/adb/files.py +++ b/mvt/android/modules/adb/files.py @@ -4,11 +4,10 @@ # https://license.mvt.re/1.1/ import logging -import os import stat import datetime -from mvt.common.utils import check_for_links, convert_timestamp_to_iso +from mvt.common.utils import convert_timestamp_to_iso from .base import AndroidExtraction @@ -31,8 +30,8 @@ class Files(AndroidExtraction): # Run find command with correct args and parse results. # Check that full file printf options are suppported on first run. - if self.full_find == None: - output = self._adb_command(f"find '/' -maxdepth 1 -printf '%T@ %m %s %u %g %p\n' 2> /dev/null") + if self.full_find is None: + output = self._adb_command("find '/' -maxdepth 1 -printf '%T@ %m %s %u %g %p\n' 2> /dev/null") if not (output or output.strip().splitlines()): # Full find command failed to generate output, fallback to basic file arguments self.full_find = False @@ -40,7 +39,7 @@ class Files(AndroidExtraction): self.full_find = True found_files = [] - if self.full_find == True: + if self.full_find is True: # Run full file command and collect additonal file information. output = self._adb_command(f"find '{file_path}' -printf '%T@ %m %s %u %g %p\n' 2> /dev/null") for file_line in output.splitlines(): diff --git a/mvt/ios/cli.py b/mvt/ios/cli.py index 045d7d1..2bf6474 100644 --- a/mvt/ios/cli.py +++ b/mvt/ios/cli.py @@ -5,7 +5,6 @@ import logging import os -import io import click from rich.logging import RichHandler @@ -295,6 +294,7 @@ def check_iocs(ctx, iocs, list_modules, module, folder): except NotImplementedError: continue + #============================================================================== # Command: download-iocs #============================================================================== 
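Review bot: The fallback test `if not (output or output.strip().splitlines())` (context, the line after the changed `find` call) never uses its second operand when it matters: with non-empty `output` the expression is already true, and with empty `output` the `splitlines()` of `""` is `[]`, so the check reduces to `not output` and whitespace-only output still selects `full_find = True`; if `_adb_command` can ever return `None`, the right-hand side raises `AttributeError`. `and` was presumably intended: `if not (output and output.strip()):`. The `is None`/`is True` changes themselves are fine. The enclosing method starts and ends outside the hunk.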
diff --git a/mvt/ios/modules/backup/configuration_profiles.py b/mvt/ios/modules/backup/configuration_profiles.py index 85f8d83..97936b0 100644 --- a/mvt/ios/modules/backup/configuration_profiles.py +++ b/mvt/ios/modules/backup/configuration_profiles.py @@ -70,7 +70,7 @@ class ConfigurationProfiles(IOSExtraction): with open(conf_file_path, "rb") as handle: try: conf_plist = plistlib.load(handle) - except: + except Exception: conf_plist = {} if "SignerCerts" in conf_plist: From 11bc916854cfff2593c3122c586a5391b3894963 Mon Sep 17 00:00:00 2001 From: Nex Date: Tue, 11 Jan 2022 16:02:44 +0100 Subject: [PATCH 07/16] Sorted imports --- mvt/android/cli.py | 9 ++++----- mvt/android/modules/adb/dumpsys_accessibility.py | 2 +- mvt/android/modules/adb/files.py | 2 +- mvt/common/indicators.py | 1 + mvt/ios/cli.py | 9 ++++----- mvt/ios/modules/backup/configuration_profiles.py | 1 + mvt/ios/modules/mixed/__init__.py | 2 +- mvt/ios/modules/mixed/shortcuts.py | 7 ++++--- 8 files changed, 17 insertions(+), 16 deletions(-) diff --git a/mvt/android/cli.py b/mvt/android/cli.py index 33649da..0daad48 100644 --- a/mvt/android/cli.py +++ b/mvt/android/cli.py @@ -9,11 +9,10 @@ import os import click from rich.logging import RichHandler -from mvt.common.help import HELP_MSG_MODULE, HELP_MSG_IOC -from mvt.common.help import HELP_MSG_FAST, HELP_MSG_OUTPUT, HELP_MSG_LIST_MODULES -from mvt.common.help import HELP_MSG_SERIAL -from mvt.common.indicators import Indicators -from mvt.common.indicators import download_indicators_files +from mvt.common.help import (HELP_MSG_FAST, HELP_MSG_IOC, + HELP_MSG_LIST_MODULES, HELP_MSG_MODULE, + HELP_MSG_OUTPUT, HELP_MSG_SERIAL) +from mvt.common.indicators import Indicators, download_indicators_files from mvt.common.logo import logo from mvt.common.module import run_module, save_timeline diff --git a/mvt/android/modules/adb/dumpsys_accessibility.py b/mvt/android/modules/adb/dumpsys_accessibility.py index eb03122..1e2419e 100644 
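Review bot: Narrowing the bare `except` to `except Exception` still turns any failure of `plistlib.load` into an empty `conf_plist` without a trace, so a configuration profile that is malformed — or deliberately obfuscated — is treated as if it had no `SignerCerts` and nothing is logged. Bind and log it, e.g. `except Exception as exc:` / `self.log.warning("Unable to parse configuration profile %s: %s", conf_file_path, exc)` / `conf_plist = {}`, and consider narrowing the clause to `plistlib.InvalidFileException` plus whatever the XML parser raises, so that an unexpected bug is not hidden as a parse failure. The enclosing method starts and ends outside the hunk.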
--- a/mvt/android/modules/adb/dumpsys_accessibility.py +++ b/mvt/android/modules/adb/dumpsys_accessibility.py @@ -3,9 +3,9 @@ # Use of this software is governed by the MVT License 1.1 that can be found at # https://license.mvt.re/1.1/ +import io import logging import os -import io from .base import AndroidExtraction diff --git a/mvt/android/modules/adb/files.py b/mvt/android/modules/adb/files.py index bbdd2a1..41887ba 100644 --- a/mvt/android/modules/adb/files.py +++ b/mvt/android/modules/adb/files.py @@ -3,9 +3,9 @@ # Use of this software is governed by the MVT License 1.1 that can be found at # https://license.mvt.re/1.1/ +import datetime import logging import stat -import datetime from mvt.common.utils import convert_timestamp_to_iso diff --git a/mvt/common/indicators.py b/mvt/common/indicators.py index d554b4d..995b242 100644 --- a/mvt/common/indicators.py +++ b/mvt/common/indicators.py @@ -6,6 +6,7 @@ import io import json import os + import requests from appdirs import user_data_dir diff --git a/mvt/ios/cli.py b/mvt/ios/cli.py index 2bf6474..d20bfef 100644 --- a/mvt/ios/cli.py +++ b/mvt/ios/cli.py @@ -10,11 +10,10 @@ import click from rich.logging import RichHandler from rich.prompt import Prompt -from mvt.common.help import HELP_MSG_MODULE, HELP_MSG_IOC -from mvt.common.help import HELP_MSG_FAST, HELP_MSG_OUTPUT -from mvt.common.help import HELP_MSG_LIST_MODULES -from mvt.common.indicators import Indicators -from mvt.common.indicators import download_indicators_files +from mvt.common.help import (HELP_MSG_FAST, HELP_MSG_IOC, + HELP_MSG_LIST_MODULES, HELP_MSG_MODULE, + HELP_MSG_OUTPUT) +from mvt.common.indicators import Indicators, download_indicators_files from mvt.common.logo import logo from mvt.common.module import run_module, save_timeline from mvt.common.options import MutuallyExclusiveOption diff --git a/mvt/ios/modules/backup/configuration_profiles.py b/mvt/ios/modules/backup/configuration_profiles.py index 97936b0..0c4fc06 100644 
--- a/mvt/ios/modules/backup/configuration_profiles.py +++ b/mvt/ios/modules/backup/configuration_profiles.py @@ -7,6 +7,7 @@ import os import plistlib from base64 import b64encode + from mvt.common.utils import convert_timestamp_to_iso from ..base import IOSExtraction diff --git a/mvt/ios/modules/mixed/__init__.py b/mvt/ios/modules/mixed/__init__.py index e8323b7..8cb3b08 100644 --- a/mvt/ios/modules/mixed/__init__.py +++ b/mvt/ios/modules/mixed/__init__.py @@ -16,13 +16,13 @@ from .net_datausage import Datausage from .osanalytics_addaily import OSAnalyticsADDaily from .safari_browserstate import SafariBrowserState from .safari_history import SafariHistory +from .shortcuts import Shortcuts from .sms import SMS from .sms_attachments import SMSAttachments from .tcc import TCC from .webkit_resource_load_statistics import WebkitResourceLoadStatistics from .webkit_session_resource_log import WebkitSessionResourceLog from .whatsapp import Whatsapp -from .shortcuts import Shortcuts MIXED_MODULES = [Calls, ChromeFavicon, ChromeHistory, Contacts, FirefoxFavicon, FirefoxHistory, IDStatusCache, InteractionC, LocationdClients, diff --git a/mvt/ios/modules/mixed/shortcuts.py b/mvt/ios/modules/mixed/shortcuts.py index 398bfd0..832b61e 100644 --- a/mvt/ios/modules/mixed/shortcuts.py +++ b/mvt/ios/modules/mixed/shortcuts.py @@ -3,12 +3,13 @@ # Use of this software is governed by the MVT License 1.1 that can be found at # https://license.mvt.re/1.1/ -import sqlite3 import io -import plistlib import itertools +import plistlib +import sqlite3 -from mvt.common.utils import check_for_links, convert_mactime_to_unix, convert_timestamp_to_iso +from mvt.common.utils import (check_for_links, convert_mactime_to_unix, + convert_timestamp_to_iso) from ..base import IOSExtraction From 146f2ae57d56b67a3dce0f28c562552643aabe29 Mon Sep 17 00:00:00 2001 
From: Nex Date: Wed, 12 Jan 2022 16:02:13 +0100 Subject: [PATCH 08/16] Renaming check function for consistency --- mvt/android/modules/adb/files.py | 2 +- mvt/common/indicators.py | 3 ++- mvt/ios/modules/backup/manifest.py | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/mvt/android/modules/adb/files.py b/mvt/android/modules/adb/files.py index 41887ba..d2d3b5c 100644 --- a/mvt/android/modules/adb/files.py +++ b/mvt/android/modules/adb/files.py @@ -89,7 +89,7 @@ class Files(AndroidExtraction): return for result in self.results: - if self.indicators.check_filename(result["path"]): + if self.indicators.check_file_name(result["path"]): self.log.warning("Found a known suspicous filename at path: \"%s\"", result["path"]) self.detected.append(result) diff --git a/mvt/common/indicators.py b/mvt/common/indicators.py index 995b242..7683bf4 100644 --- a/mvt/common/indicators.py +++ b/mvt/common/indicators.py @@ -271,7 +271,7 @@ class Indicators: return False - def check_filename(self, file_path) -> bool: + def check_file_name(self, file_path) -> bool: """Check the provided file path against the list of file indicators. :param file_path: File path or file name to check against file @@ -307,6 +307,7 @@ class Indicators: # Strip any trailing slash from indicator paths to match directories. if file_path.startswith(ioc_file.rstrip("/")): return True + return False def check_profile(self, profile_uuid) -> bool: diff --git a/mvt/ios/modules/backup/manifest.py b/mvt/ios/modules/backup/manifest.py index 2cce637..87d7859 100644 --- a/mvt/ios/modules/backup/manifest.py +++ b/mvt/ios/modules/backup/manifest.py @@ -83,7 +83,7 @@ class Manifest(IOSExtraction): self.detected.append(result) continue - if self.indicators.check_filename(result["relative_path"]): + if self.indicators.check_file_name(result["relative_path"]): self.log.warning("Found a known malicious file at path: %s", result["relative_path"]) self.detected.append(result) continue 
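Review bot: The prefix test `file_path.startswith(ioc_file.rstrip("/"))` just above the added `return False` (presumably inside `check_file_path`) matches on a bare string prefix, so an indicator `/private/var/foo` also flags `/private/var/foobar` and `/private/var/foo.bak`; a directory indicator should only match at a path-component boundary, otherwise the IOC check produces false positives on unrelated files. Compare `prefix = ioc_file.rstrip("/")` / `if file_path == prefix or file_path.startswith(prefix + "/"):` / `return True`. The added `return False` is right — the method previously fell off the end and returned `None`, which read as falsy but contradicted the `-> bool` annotation. The enclosing method starts outside the hunk.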
From 33efeda90adba6f1957034e2cb91471d92b8e9f0 Mon Sep 17 00:00:00 2001 From: Nex Date: Wed, 12 Jan 2022 16:10:15 +0100 Subject: [PATCH 09/16] Added TODO note --- mvt/common/indicators.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mvt/common/indicators.py b/mvt/common/indicators.py index 7683bf4..100f3cc 100644 --- a/mvt/common/indicators.py +++ b/mvt/common/indicators.py @@ -290,6 +290,9 @@ class Indicators: return False + # TODO: The difference between check_file_name() and check_file_path() + # needs to be more explicit and clear. Probably, the two should just + # be combined into one function. def check_file_path(self, file_path) -> bool: """Check the provided file path against the list of file indicators. From 737007afdb9aa4cf30a9afafb4b348a3615ac6f0 Mon Sep 17 00:00:00 2001 From: Nex Date: Wed, 12 Jan 2022 16:18:13 +0100 Subject: [PATCH 10/16] Bumped version --- mvt/common/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mvt/common/version.py b/mvt/common/version.py index 1787442..ede9645 100644 --- a/mvt/common/version.py +++ b/mvt/common/version.py @@ -6,7 +6,7 @@ import requests from packaging import version -MVT_VERSION = "1.4.1" +MVT_VERSION = "1.4.2" def check_for_updates(): From a2f8030cce263539deafc3579cfb6c03c3475c55 Mon Sep 17 00:00:00 2001 From: Nex Date: Fri, 14 Jan 2022 01:41:48 +0100 Subject: [PATCH 11/16] Added new iOS versions --- mvt/ios/versions.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mvt/ios/versions.py b/mvt/ios/versions.py index a1fe2d0..13c63c8 100644 --- a/mvt/ios/versions.py +++ b/mvt/ios/versions.py @@ -234,6 +234,8 @@ IPHONE_IOS_VERSIONS = [ {"build": "19A404", "version": "15.0.2"}, {"build": "19B74", "version": "15.1"}, {"build": "19B81", "version": "15.1.1"}, + {"build": "19C56", "version": "15.2"}, + {"build": "19C63", "version": "15.2.1"}, ] From 4c906ad52eb87b238074306637449fc0b9af2b35 Mon Sep 17 00:00:00 2001 
From: Nex Date: Fri, 14 Jan 2022 01:52:57 +0100 Subject: [PATCH 12/16] Renamed download iocs function --- mvt/ios/cli.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mvt/ios/cli.py b/mvt/ios/cli.py index d20bfef..cef65a2 100644 --- a/mvt/ios/cli.py +++ b/mvt/ios/cli.py @@ -298,5 +298,5 @@ def check_iocs(ctx, iocs, list_modules, module, folder): # Command: download-iocs #============================================================================== @cli.command("download-iocs", help="Download public STIX2 indicators") -def download_indicators(): +def download_iocs(): download_indicators_files(log) From 8a707c288ac8b440737105670531780d82a5574d Mon Sep 17 00:00:00 2001 From: Nex Date: Fri, 14 Jan 2022 01:53:10 +0100 Subject: [PATCH 13/16] Bumped version --- mvt/common/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mvt/common/version.py b/mvt/common/version.py index ede9645..128c4f9 100644 --- a/mvt/common/version.py +++ b/mvt/common/version.py @@ -6,7 +6,7 @@ import requests from packaging import version -MVT_VERSION = "1.4.2" +MVT_VERSION = "1.4.3" def check_for_updates(): From adbd95c559c627a453664c912b8696faf2b77215 Mon Sep 17 00:00:00 2001 From: Nex Date: Fri, 14 Jan 2022 02:01:59 +0100 Subject: [PATCH 14/16] Dots --- mvt/common/indicators.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/mvt/common/indicators.py b/mvt/common/indicators.py index 100f3cc..ec1c6f8 100644 --- a/mvt/common/indicators.py +++ b/mvt/common/indicators.py @@ -45,7 +45,7 @@ class Indicators: def _check_stix2_env_variable(self): """ - Checks if a variable MVT_STIX2 contains path to STIX Files + Checks if a variable MVT_STIX2 contains path to STIX Files. """ if "MVT_STIX2" not in os.environ: return False @@ -59,7 +59,7 @@ class Indicators: def load_indicators_files(self, files): """ - Load a list of indicators files + Load a list of indicators files. """ for file_path in files: if os.path.isfile(file_path): 
@@ -67,7 +67,7 @@ class Indicators: else: self.log.warning("This indicators file %s does not exist", file_path) - # Load downloaded indicators and any indicators from env variable + # Load downloaded indicators and any indicators from env variable. self._load_downloaded_indicators() self._check_stix2_env_variable() self.log.info("Loaded a total of %d unique indicators", self.ioc_count) @@ -330,7 +330,7 @@ class Indicators: def download_indicators_files(log): """ - Download indicators from repo into MVT app data directory + Download indicators from repo into MVT app data directory. """ data_dir = user_data_dir("mvt") if not os.path.isdir(data_dir): From 24be9e95702dacbee3064f3b377336bd75324afa Mon Sep 17 00:00:00 2001 From: Nex Date: Fri, 14 Jan 2022 16:26:14 +0100 Subject: [PATCH 15/16] Use default list of indicators files now that some default ones are automatically loaded --- mvt/common/indicators.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mvt/common/indicators.py b/mvt/common/indicators.py index ec1c6f8..5ae0fc6 100644 --- a/mvt/common/indicators.py +++ b/mvt/common/indicators.py @@ -57,7 +57,7 @@ class Indicators: else: self.log.info("Invalid STIX2 path %s in MVT_STIX2 environment variable", path) - def load_indicators_files(self, files): + def load_indicators_files(self, files=[]): """ Load a list of indicators files. """ From 798805c583753877cdcf7aa3a13eb534ca0aaf6a Mon Sep 17 00:00:00 2001 From: tek Date: Tue, 18 Jan 2022 13:06:35 +0100 Subject: [PATCH 16/16] Improves Shortcut output --- mvt/ios/modules/mixed/shortcuts.py | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/mvt/ios/modules/mixed/shortcuts.py b/mvt/ios/modules/mixed/shortcuts.py index 832b61e..ce548b0 100644 --- a/mvt/ios/modules/mixed/shortcuts.py +++ b/mvt/ios/modules/mixed/shortcuts.py 
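Review bot: `files=[]` on `load_indicators_files` introduces a mutable default argument; the body (visible as context in the patch 14 hunk) only iterates it, so nothing corrupts it today, but the shared list is one `append` away from leaking indicator paths between `Indicators` instances and linters (ruff B006) will flag it. Use `def load_indicators_files(self, files=None):` and iterate `for file_path in files or []:`, which keeps the no-argument call the commit message describes. The method body runs past the end of the hunk.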
@@ -34,13 +34,21 @@ class Shortcuts(IOSExtraction): found_urls = "" if record["action_urls"]: found_urls = "- URLs in actions: {}".format(", ".join(record["action_urls"])) + desc = "" + if record["description"]: + desc = record["description"].decode('utf-8', errors='ignore') - return { + return [{ "timestamp": record["isodate"], "module": self.__class__.__name__, - "event": "shortcut", - "data": f"iOS Shortcut '{record['shortcut_name']}': {record['description']} {found_urls}" - } + "event": "shortcut_created", + "data": f"iOS Shortcut '{record['shortcut_name'].decode('utf-8')}': {desc} {found_urls}" + }, { + "timestamp": record["modified_date"], + "module": self.__class__.__name__, + "event": "shortcut_modified", + "data": f"iOS Shortcut '{record['shortcut_name'].decode('utf-8')}': {desc} {found_urls}" + }] def check_indicators(self): if not self.indicators: @@ -99,7 +107,6 @@ class Shortcuts(IOSExtraction): action["urls"] = [url.rstrip("',") for url in extracted_urls] actions.append(action) - # pprint.pprint(actions) shortcut["isodate"] = convert_timestamp_to_iso(convert_mactime_to_unix(shortcut.pop("created_date"))) shortcut["modified_date"] = convert_timestamp_to_iso(convert_mactime_to_unix(shortcut["modified_date"])) shortcut["parsed_actions"] = len(actions)
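Review bot: `record['shortcut_name'].decode('utf-8')` in both new event dicts has no `errors=` handler while `description` two lines above is decoded with `errors='ignore'`; since the cursor is opened with `conn.text_factory = bytes` (patch 01 hunk), a shortcut name containing invalid UTF-8 — or a NULL `ZNAME`, which arrives as `None`, if the schema allows it — raises inside serialization and aborts the timeline for every record. Decode once, defensively: `name = record["shortcut_name"].decode("utf-8", errors="replace") if record["shortcut_name"] else ""` and use `{name}` in both f-strings; `errors="replace"` rather than `ignore` also leaves a visible marker that bytes were dropped, which matters when the output is evidence. Splitting the record into `shortcut_created` and `shortcut_modified` events is a good change. The enclosing method starts outside the hunk.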