Trying to tidy up ConfigurationProfiles module

This commit is contained in:
Nex 2022-08-10 16:44:43 +02:00
parent e0481686b7
commit 6cb59cc3ab


@ -35,7 +35,9 @@ class ConfigurationProfiles(IOSExtraction):
"timestamp": record["install_date"], "timestamp": record["install_date"],
"module": self.__class__.__name__, "module": self.__class__.__name__,
"event": "configuration_profile_install", "event": "configuration_profile_install",
"data": f"{record['plist']['PayloadType']} installed: {record['plist']['PayloadUUID']} - {payload_name}: {payload_description}" "data": f"{record['plist']['PayloadType']} installed: "
f"{record['plist']['PayloadUUID']} - "
f"{payload_name}: {payload_description}"
} }
def check_indicators(self) -> None: def check_indicators(self) -> None:
@ -46,24 +48,32 @@ class ConfigurationProfiles(IOSExtraction):
if result["plist"].get("PayloadUUID"): if result["plist"].get("PayloadUUID"):
payload_content = result["plist"]["PayloadContent"][0] payload_content = result["plist"]["PayloadContent"][0]
# Alert on any known malicious configuration profiles in the indicator list. # Alert on any known malicious configuration profiles in the
# indicator list.
ioc = self.indicators.check_profile(result["plist"]["PayloadUUID"]) ioc = self.indicators.check_profile(result["plist"]["PayloadUUID"])
if ioc: if ioc:
self.log.warning(f"Found a known malicious configuration profile \"{result['plist']['PayloadDisplayName']}\" with UUID '{result['plist']['PayloadUUID']}'.") self.log.warning(f"Found a known malicious configuration profile "
f"\"{result['plist']['PayloadDisplayName']}\" "
f"with UUID '{result['plist']['PayloadUUID']}'.")
result["matched_indicator"] = ioc result["matched_indicator"] = ioc
self.detected.append(result) self.detected.append(result)
continue continue
# Highlight suspicious configuration profiles which may be used to hide notifications. # Highlight suspicious configuration profiles which may be used
# to hide notifications.
if payload_content["PayloadType"] in ["com.apple.notificationsettings"]: if payload_content["PayloadType"] in ["com.apple.notificationsettings"]:
self.log.warning(f"Found a potentially suspicious configuration profile \"{result['plist']['PayloadDisplayName']}\" with payload type '{payload_content['PayloadType']}'.") self.log.warning(f"Found a potentially suspicious configuration profile "
f"\"{result['plist']['PayloadDisplayName']}\" with "
f"payload type '{payload_content['PayloadType']}'.")
self.detected.append(result) self.detected.append(result)
continue continue
def run(self) -> None: def run(self) -> None:
for conf_file in self._get_backup_files_from_manifest(domain=CONF_PROFILES_DOMAIN): for conf_file in self._get_backup_files_from_manifest(domain=CONF_PROFILES_DOMAIN):
conf_rel_path = conf_file["relative_path"] conf_rel_path = conf_file["relative_path"]
# Filter out all configuration files that are not configuration profiles.
# Filter out all configuration files that are not configuration
# profiles.
if not conf_rel_path or not os.path.basename(conf_rel_path).startswith("profile-"): if not conf_rel_path or not os.path.basename(conf_rel_path).startswith("profile-"):
continue continue
@ -76,22 +86,29 @@ class ConfigurationProfiles(IOSExtraction):
conf_plist = plistlib.load(handle) conf_plist = plistlib.load(handle)
except Exception: except Exception:
conf_plist = {} conf_plist = {}
if "SignerCerts" in conf_plist: if "SignerCerts" in conf_plist:
conf_plist["SignerCerts"] = [b64encode(x) for x in conf_plist["SignerCerts"]] conf_plist["SignerCerts"] = [b64encode(x) for x in conf_plist["SignerCerts"]]
if "OTAProfileStub" in conf_plist: if "OTAProfileStub" in conf_plist:
if "SignerCerts" in conf_plist["OTAProfileStub"]: if "SignerCerts" in conf_plist["OTAProfileStub"]:
conf_plist["OTAProfileStub"]["SignerCerts"] = [b64encode(x) for x in conf_plist["OTAProfileStub"]["SignerCerts"]] conf_plist["OTAProfileStub"]["SignerCerts"] = [b64encode(x) for x in conf_plist["OTAProfileStub"]["SignerCerts"]]
if "PayloadContent" in conf_plist["OTAProfileStub"]: if "PayloadContent" in conf_plist["OTAProfileStub"]:
if "EnrollmentIdentityPersistentID" in conf_plist["OTAProfileStub"]["PayloadContent"]: if "EnrollmentIdentityPersistentID" in conf_plist["OTAProfileStub"]["PayloadContent"]:
conf_plist["OTAProfileStub"]["PayloadContent"]["EnrollmentIdentityPersistentID"] = b64encode(conf_plist["OTAProfileStub"]["PayloadContent"]["EnrollmentIdentityPersistentID"]) conf_plist["OTAProfileStub"]["PayloadContent"]["EnrollmentIdentityPersistentID"] = b64encode(conf_plist["OTAProfileStub"]["PayloadContent"]["EnrollmentIdentityPersistentID"])
if "PushTokenDataSentToServerKey" in conf_plist: if "PushTokenDataSentToServerKey" in conf_plist:
conf_plist["PushTokenDataSentToServerKey"] = b64encode(conf_plist["PushTokenDataSentToServerKey"]) conf_plist["PushTokenDataSentToServerKey"] = b64encode(conf_plist["PushTokenDataSentToServerKey"])
if "LastPushTokenHash" in conf_plist: if "LastPushTokenHash" in conf_plist:
conf_plist["LastPushTokenHash"] = b64encode(conf_plist["LastPushTokenHash"]) conf_plist["LastPushTokenHash"] = b64encode(conf_plist["LastPushTokenHash"])
if "PayloadContent" in conf_plist: if "PayloadContent" in conf_plist:
for x in range(len(conf_plist["PayloadContent"])): for x in range(len(conf_plist["PayloadContent"])):
if "PERSISTENT_REF" in conf_plist["PayloadContent"][x]: if "PERSISTENT_REF" in conf_plist["PayloadContent"][x]:
conf_plist["PayloadContent"][x]["PERSISTENT_REF"] = b64encode(conf_plist["PayloadContent"][x]["PERSISTENT_REF"]) conf_plist["PayloadContent"][x]["PERSISTENT_REF"] = b64encode(conf_plist["PayloadContent"][x]["PERSISTENT_REF"])
if "IdentityPersistentRef" in conf_plist["PayloadContent"][x]: if "IdentityPersistentRef" in conf_plist["PayloadContent"][x]:
conf_plist["PayloadContent"][x]["IdentityPersistentRef"] = b64encode(conf_plist["PayloadContent"][x]["IdentityPersistentRef"]) conf_plist["PayloadContent"][x]["IdentityPersistentRef"] = b64encode(conf_plist["PayloadContent"][x]["IdentityPersistentRef"])