Properly checking any potential domains in Manifest.db records (fixes: #293)
This commit is contained in:
parent
7ad7782b51
commit
631354c131
@ -264,7 +264,7 @@ class URL:
self.top_level = self.get_top_level()
self.top_level = self.get_top_level()
self.is_shortened = False
self.is_shortened = False
def get_domain(self) -> None:
def get_domain(self) -> str:
"""Get the domain from a URL.
"""Get the domain from a URL.
:param url: URL to parse
:param url: URL to parse
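Review bot: The new signature `def get_domain(self) -> str:` is no longer accurate, because the body that this same commit rewrites in the next hunk returns `None` when parsing fails, so every caller reading `.domain` now has to handle None. Annotate it as `def get_domain(self) -> Optional[str]:` (whether `typing.Optional` is already imported in this file is not visible here) and state the failure case in the docstring, e.g. `:return: the lower-cased domain, or None if the URL cannot be parsed`. get_domain's body continues in the following hunk.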
@ -273,15 +273,11 @@ class URL:
:rtype: str
:rtype: str
"""
"""
# TODO: Properly handle exception.
return get_tld(self.url,
try:
as_object=True,
return get_tld(self.url,
fix_protocol=True).parsed_url.netloc.lower().lstrip("www.")
as_object=True,
fix_protocol=True).parsed_url.netloc.lower().lstrip("www.")
except Exception:
return None
def get_top_level(self) -> None:
def get_top_level(self) -> str:
"""Get only the top-level domain from a URL.
"""Get only the top-level domain from a URL.
:param url: URL to parse
:param url: URL to parse
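Review bot: `.lstrip("www.")` on the new `return get_tld(...).parsed_url.netloc.lower().lstrip("www.")` line strips any leading run of the characters `w` and `.`, not the prefix `www.`, so a netloc such as `web.example.com` comes back as `eb.example.com`; since this value feeds indicator matching, a mangled domain can produce a missed or spurious IOC hit. Bind the netloc first and strip the prefix explicitly: `netloc = get_tld(self.url, as_object=True, fix_protocol=True).parsed_url.netloc.lower()` followed by `return netloc[4:] if netloc.startswith("www.") else netloc` (`str.removeprefix` if the project requires Python 3.9+). The character-set behaviour predates this commit but survives unchanged on the new side. The added `except Exception: return None` also contradicts the docstring's `:rtype: str`; update it to say None is returned on failure, and consider catching the tld package's own exception types (e.g. `TldBadUrl`, `TldDomainNotFound`, if those are what `get_tld` raises here — not visible in this hunk) rather than `Exception`, so that programming errors are not silently turned into None.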
@ -290,13 +286,9 @@ class URL:
:rtype: str
:rtype: str
"""
"""
# TODO: Properly handle exception.
return get_tld(self.url,
try:
as_object=True,
return get_tld(self.url,
fix_protocol=True).fld.lower()
as_object=True,
fix_protocol=True).fld.lower()
except Exception:
return None
def check_if_shortened(self) -> bool:
def check_if_shortened(self) -> bool:
"""Check if the URL is among list of shortener services.
"""Check if the URL is among list of shortener services.
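Review bot: `get_top_level` is now annotated `-> str` while the new `except Exception: return None` branch returns None, so callers that compare or lower-case `.top_level` must now tolerate None; annotate it `def get_top_level(self) -> Optional[str]:` and change the docstring's `:rtype: str` to say None is returned when the URL cannot be parsed. `except Exception` will also hide genuine bugs (an AttributeError from a changed `get_tld` return shape, for instance) behind a silent None; if the tld package's exception classes are importable in this module, catch those instead — which classes `get_tld` raises is not visible from this hunk, so confirm before narrowing.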
@ -151,7 +151,6 @@ def extract_key(password, key_file, backup_path):
@click.argument("BACKUP_PATH", type=click.Path(exists=True))
@click.argument("BACKUP_PATH", type=click.Path(exists=True))
@click.pass_context
@click.pass_context
def check_backup(ctx, iocs, output, fast, list_modules, module, backup_path):
def check_backup(ctx, iocs, output, fast, list_modules, module, backup_path):
print(backup_path)
cmd = CmdIOSCheckBackup(target_path=backup_path, results_path=output,
cmd = CmdIOSCheckBackup(target_path=backup_path, results_path=output,
ioc_files=iocs, module_name=module, fast_mode=fast)
ioc_files=iocs, module_name=module, fast_mode=fast)
@ -13,6 +13,7 @@ from typing import Optional
from mvt.common.module import DatabaseNotFoundError
from mvt.common.module import DatabaseNotFoundError
from mvt.common.utils import convert_datetime_to_iso, convert_unix_to_iso
from mvt.common.utils import convert_datetime_to_iso, convert_unix_to_iso
from mvt.common.url import URL
from ..base import IOSExtraction
from ..base import IOSExtraction
@ -99,10 +100,18 @@ class Manifest(IOSExtraction):
continue
continue
rel_path = result["relative_path"].lower()
rel_path = result["relative_path"].lower()
for ioc in self.indicators.get_iocs("domains"):
parts = rel_path.split("_")
if ioc["value"].lower() in rel_path:
for part in parts:
try:
part_parsed = URL(part)
except:
continue
ioc = self.indicators.check_domain(part)
if ioc:
self.log.warning("Found mention of domain \"%s\" in a backup file with "
self.log.warning("Found mention of domain \"%s\" in a backup file with "
"path: %s", ioc["value"], rel_path)
"path: %s", ioc["value"], rel_path)
result["matched_indicator"] = ioc
self.detected.append(result)
self.detected.append(result)
def run(self) -> None:
def run(self) -> None:
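Review bot: The bare `except:` around the new `part_parsed = URL(part)` swallows every exception, KeyboardInterrupt and SystemExit included, and the parsed object is then never used — `check_domain` receives the raw `part`, so the URL construction contributes nothing except the chance to raise. Because this same commit makes `URL.get_domain` and `get_top_level` return None instead of raising, `URL(part)` will most likely not raise for non-domain fragments any more, in which case this gate filters nothing and every underscore-separated fragment of the path is sent to `check_domain`. Replace the try/except with a check on the parse result, `part_parsed = URL(part)` / `if not part_parsed.domain: continue` / `ioc = self.indicators.check_domain(part)`, keeping an `except Exception:` only if `URL()` itself can still raise. Whether `check_domain` expects a full URL or a bare domain is not visible here, and splitting only on `_` will miss domains delimited by other characters in Manifest.db relative paths — worth confirming against real backup paths. The enclosing loop begins before this hunk.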
@ -60,14 +60,21 @@ class SafariHistory(IOSExtraction):
if not result["redirect_destination"]:
if not result["redirect_destination"]:
continue
continue
origin_domain = URL(result["url"]).domain
try:
origin_domain = URL(result["url"]).domain
except:
origin_domain = ""
# We loop again through visits in order to find redirect record.
# We loop again through visits in order to find redirect record.
for redirect in self.results:
for redirect in self.results:
if redirect["visit_id"] != result["redirect_destination"]:
if redirect["visit_id"] != result["redirect_destination"]:
continue
continue
redirect_domain = URL(redirect["url"]).domain
try:
redirect_domain = URL(redirect["url"]).domain
except:
redirect_domain = ""
# If the redirect destination is the same domain as the origin,
# If the redirect destination is the same domain as the origin,
# it's most likely an HTTPS upgrade.
# it's most likely an HTTPS upgrade.
if origin_domain == redirect_domain:
if origin_domain == redirect_domain:
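Review bot: With the new `except: origin_domain = ""` and `except: redirect_domain = ""` fallbacks, two visits whose URLs both fail to parse compare equal at `if origin_domain == redirect_domain:`, and judging by the comment above that line they would then be treated as an HTTPS upgrade — i.e. the redirect check is skipped precisely for the malformed URLs most worth inspecting. The same applies to `None == None`, since this commit also makes `URL.get_domain` return None rather than raise, which in turn makes these bare excepts mostly dead code. Guard the comparison on a non-empty origin, `if origin_domain and origin_domain == redirect_domain:`, and write `except Exception:` rather than a bare `except:` so KeyboardInterrupt is not swallowed. The body of that `if` and the remainder of the loop lie outside this hunk.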