Merge pull request #369 from mvt-project/move-indicator-checking
Move detection and alerts from run() to check_indicators()
This commit is contained in:
commit
85877fd3eb
@ -30,6 +30,11 @@ class RootBinaries(AndroidExtraction):
|
|||
results=results,
|
||||
)
|
||||
|
||||
def check_indicators(self) -> None:
|
||||
for root_binary in self.results:
|
||||
self.detected.append(root_binary)
|
||||
self.log.warning('Found root binary "%s"', root_binary)
|
||||
|
||||
def run(self) -> None:
|
||||
root_binaries = [
|
||||
"su",
|
||||
|
@ -60,7 +65,6 @@ class RootBinaries(AndroidExtraction):
|
|||
if "which: not found" in output:
|
||||
continue
|
||||
|
||||
self.detected.append(root_binary)
|
||||
self.log.warning('Found root binary "%s"', root_binary)
|
||||
self.results.append(root_binary)
|
||||
|
||||
self._adb_disconnect()
|
||||
|
|
|
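Review bot: RootBinaries.check_indicators (added in the first hunk) has no docstring, and unlike the SMS and SMSAttachments variants in this PR it flags every entry in self.results without consulting self.indicators; that is defensible because the presence of any root binary is itself the finding, but the reader has to infer it. I'd add `"""Mark every discovered root binary as a detection; no IOC list is consulted."""` directly under the def. Nothing de-duplicates, so a second call would re-append the same binaries to self.detected; harmless for a single run, but worth a comment if the method may be invoked more than once. run() continues past the end of the second hunk.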
@ -91,19 +91,6 @@ class Manifest(IOSExtraction):
|
|||
if not result.get("relative_path"):
|
||||
continue
|
||||
|
||||
if result["domain"]:
|
||||
if (
|
||||
os.path.basename(result["relative_path"])
|
||||
== "com.apple.CrashReporter.plist"
|
||||
and result["domain"] == "RootDomain"
|
||||
):
|
||||
self.log.warning(
|
||||
"Found a potentially suspicious "
|
||||
'"com.apple.CrashReporter.plist" file created in RootDomain'
|
||||
)
|
||||
self.detected.append(result)
|
||||
continue
|
||||
|
||||
if not self.indicators:
|
||||
continue
|
||||
|
||||
|
|
|
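Review bot: The Manifest hunk is a pure removal of the com.apple.CrashReporter.plist/RootDomain check from run(); the relocated version is not part of this page, so I cannot confirm it was re-added to a check_indicators() as the PR title states, and the reviewer applying this should verify that before merging. The enclosing loop starts before and ends after the hunk.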
@ -60,6 +60,14 @@ class SMS(IOSExtraction):
|
|||
]
|
||||
|
||||
def check_indicators(self) -> None:
|
||||
for message in self.results:
|
||||
alert = "ALERT: State-sponsored attackers may be targeting your iPhone"
|
||||
if message.get("text", "").startswith(alert):
|
||||
self.log.warning(
|
||||
"Apple warning about state-sponsored attack received on the %s",
|
||||
message["isodate"],
|
||||
)
|
||||
|
||||
if not self.indicators:
|
||||
return
|
||||
|
||||
|
@ -137,17 +145,9 @@ class SMS(IOSExtraction):
|
|||
if not message.get("text", None):
|
||||
message["text"] = ""
|
||||
|
||||
alert = "ALERT: State-sponsored attackers may be targeting your iPhone"
|
||||
if message.get("text", "").startswith(alert):
|
||||
self.log.warning(
|
||||
"Apple warning about state-sponsored attack received on the %s",
|
||||
message["isodate"],
|
||||
)
|
||||
else:
|
||||
# Extract links from the SMS message.
|
||||
message_links = check_for_links(message.get("text", ""))
|
||||
message["links"] = message_links
|
||||
|
||||
# Extract links from the SMS message.
|
||||
message_links = check_for_links(message.get("text", ""))
|
||||
message["links"] = message_links
|
||||
self.results.append(message)
|
||||
|
||||
cur.close()
|
||||
|
|
|
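Review bot: In SMS.check_indicators the `alert` string literal is re-bound on every loop iteration; bind it once above `for message in self.results:`, or as a module-level constant such as `APPLE_THREAT_ALERT_PREFIX = "ALERT: State-sponsored attackers may be targeting your iPhone"`, and keep only the `.startswith()` in the loop body. The matched Apple notification is logged but not appended to self.detected, which mirrors the code removed from run() in the second hunk; if that is deliberate, a one-line comment saying so would save the next reader a question. check_indicators continues past the end of the first hunk, and run() starts before and ends after the second hunk.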
@ -54,6 +54,20 @@ class SMSAttachments(IOSExtraction):
|
|||
f"has_user_info: {record['has_user_info']})",
|
||||
}
|
||||
|
||||
def check_indicators(self) -> None:
|
||||
for attachment in self.results:
|
||||
if (
|
||||
attachment["filename"].startswith("/var/tmp/")
|
||||
and attachment["filename"].endswith("-1")
|
||||
and attachment["direction"] == "received"
|
||||
):
|
||||
self.log.warning(
|
||||
"Suspicious iMessage attachment %s on %s",
|
||||
attachment["filename"],
|
||||
attachment["isodate"],
|
||||
)
|
||||
self.detected.append(attachment)
|
||||
|
||||
def run(self) -> None:
|
||||
self._find_ios_database(backup_ids=SMS_BACKUP_IDS, root_paths=SMS_ROOT_PATHS)
|
||||
self.log.info("Found SMS database at path: %s", self.file_path)
|
||||
|
@ -101,19 +115,6 @@ class SMSAttachments(IOSExtraction):
|
|||
attachment["has_user_info"] = attachment["user_info"] is not None
|
||||
attachment["service"] = attachment["service"] or "Unknown"
|
||||
attachment["filename"] = attachment["filename"] or "NULL"
|
||||
|
||||
if (
|
||||
attachment["filename"].startswith("/var/tmp/")
|
||||
and attachment["filename"].endswith("-1")
|
||||
and attachment["direction"] == "received"
|
||||
):
|
||||
self.log.warning(
|
||||
"Suspicious iMessage attachment %s on %s",
|
||||
attachment["filename"],
|
||||
attachment["isodate"],
|
||||
)
|
||||
self.detected.append(attachment)
|
||||
|
||||
self.results.append(attachment)
|
||||
|
||||
cur.close()
|
||||
|
|
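Review bot: SMSAttachments.check_indicators applies a heuristic (a received attachment whose filename starts with `/var/tmp/` and ends with `-1`) with no comment on why that pattern is suspicious, and it is now the only place this detection happens since the second hunk removes it from run(). I'd add a short comment above the `if (` explaining what the pattern is meant to catch. The direct `attachment["filename"].startswith(...)` relies on run() having normalised a missing filename to `"NULL"` (visible in the second hunk); results loaded from a previously saved JSON presumably went through the same normalisation, but if not, a None filename would raise here, and `(attachment.get("filename") or "").startswith("/var/tmp/")` would make the check self-contained. run() continues past the end of the second hunk.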