crt0mega
/
mvt
mirror of https://github.com/mvt-project/mvt.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Updated doc page on IOCs

This commit is contained in:
Nex 2021-07-31 10:05:41 +02:00
parent 59206fc450
commit 5b5b065bc4
2 changed files with 13 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
docs/iocs.md
View File

@ -4,29 +4,29 @@ MVT uses [Structured Threat Information Expression (STIX)](https://oasis-open.gi
These indicators of compromise are contained in a file with a particular structure of [JSON](https://en.wikipedia.org/wiki/JSON) with the `.stix2` or `.json` extensions.
For example, after extracting iOS forensics data from an iPhone using `mvt-ios check-backup` or `mvt-ios check-fs`, you might run:
You can indicate a path to a STIX2 indicators file when checking iPhone backups or filesystem dumps. For example:
```bash
mvt-ios check-iocs --iocs ~/iocs/wintermute.stix2 /path/to/iphone/output/
mvt-ios check-backup --iocs ~/ios/malware.stix2 --output /path/to/iphone/output /path/to/backup
```
Or, with data from an android backup:
Or, with data from an Android backup:
```bash
mvt-android check-backup --iocs ~/iocs/wintermute.stix2 /path/to/android/backup/
mvt-android check-backup --iocs ~/iocs/malware.stix2 /path/to/android/backup/
```
After extracting forensics data from a device, you are also able to compare it with any STIX2 file you indicate:
```bash
mvt-ios check-iocs --iocs ~/iocs/malware.stix2 /path/to/iphone/output/
```
If you're looking for indicators of compromise for a specific piece of malware or adversary, please ask investigators or anti-malware researchers who have the relevant expertise for a STIX file.
## Known repositories of STIX IOCs
## Known repositories of STIX2 IOCs
We currently know of the following STIX-formatted IOCs:
- [Cyber Threat Intelligence Technical Committee's sample STIX 2.1 Threat reports](https://oasis-open.github.io/cti-documentation/stix/examples#stix-21-threat-reports): the "JSON representation" column offers sample STIX-formatted IOCs for:
- [APT1](https://en.wikipedia.org/wiki/APT1) ([STIX](https://oasis-open.github.io/cti-documentation/examples/example_json/apt1.json)),
- [Poison Ivy](https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy/) ([STIX](https://oasis-open.github.io/cti-documentation/examples/example_json/poisonivy.json)), and
- [IMDDOS](https://www.coresecurity.com/publication/imddos-botnet-discovery-and-analysis)([STIX](https://gist.github.com/rjsmitre/79775df68b0d1c7c0985b4fe7f115586/raw/d5d2a3e7b4ae52ff7153a8b7b5b57dd066611803/imddos.json))
- The [Amnesty International investigations repository](https://github.com/AmnestyTech/investigations) contains STIX-formatted IOCs for:
- [Pegasus](https://en.wikipedia.org/wiki/Pegasus_(spyware))
- [Pegasus](https://en.wikipedia.org/wiki/Pegasus_(spyware)) ([STIX2](https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2))
Please [open an issue](https://github.com/mvt-project/mvt/issues/) to suggest new sources of STIX-formatted IOCs.

1
mkdocs.yml
View File

@ -44,4 +44,5 @@ nav:
- Android Forensic Methodology: "android/methodology.md"
- Check APKs: "android/download_apks.md"
- Check an Android Backup: "android/backup.md"
- Indicators of Compromise: "iocs.md"
- License: "license.md"