Merge pull request #369 from mvt-project/move-indicator-checking

Move detection and alerts from run() to check_indicators()
This commit is contained in:
Donncha Ó Cearbhaill 2023-07-21 12:12:36 +02:00 committed by GitHub
commit 85877fd3eb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 31 additions and 39 deletions


@ -30,6 +30,11 @@ class RootBinaries(AndroidExtraction):
results=results,
)
def check_indicators(self) -> None:
for root_binary in self.results:
self.detected.append(root_binary)
self.log.warning('Found root binary "%s"', root_binary)
def run(self) -> None:
root_binaries = [
"su",
@ -60,7 +65,6 @@ class RootBinaries(AndroidExtraction):
if "which: not found" in output:
continue
self.detected.append(root_binary)
self.log.warning('Found root binary "%s"', root_binary)
self.results.append(root_binary)
self._adb_disconnect()
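Review bot: The new RootBinaries.check_indicators has no docstring, and it is not obvious to a reader that every entry in self.results is already a located root binary, so marking all of them as detected is intentional; a one-line docstring such as `"""Every collected result is a root binary found on the device, so each one is a detection."""` would make that explicit. It also appends to self.detected on every call without clearing it first, so if the framework ever invokes check_indicators more than once on the same module the same binary would be reported twice — I cannot tell from this hunk whether that can happen. The body of run() continues outside the hunk.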


@ -91,19 +91,6 @@ class Manifest(IOSExtraction):
if not result.get("relative_path"):
continue
if result["domain"]:
if (
os.path.basename(result["relative_path"])
== "com.apple.CrashReporter.plist"
and result["domain"] == "RootDomain"
):
self.log.warning(
"Found a potentially suspicious "
'"com.apple.CrashReporter.plist" file created in RootDomain'
)
self.detected.append(result)
continue
if not self.indicators:
continue


@ -60,6 +60,14 @@ class SMS(IOSExtraction):
]
def check_indicators(self) -> None:
for message in self.results:
alert = "ALERT: State-sponsored attackers may be targeting your iPhone"
if message.get("text", "").startswith(alert):
self.log.warning(
"Apple warning about state-sponsored attack received on the %s",
message["isodate"],
)
if not self.indicators:
return
@ -137,17 +145,9 @@ class SMS(IOSExtraction):
if not message.get("text", None):
message["text"] = ""
alert = "ALERT: State-sponsored attackers may be targeting your iPhone"
if message.get("text", "").startswith(alert):
self.log.warning(
"Apple warning about state-sponsored attack received on the %s",
message["isodate"],
)
else:
# Extract links from the SMS message.
message_links = check_for_links(message.get("text", ""))
message["links"] = message_links
# Extract links from the SMS message.
message_links = check_for_links(message.get("text", ""))
message["links"] = message_links
self.results.append(message)
cur.close()
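Review bot: In the new SMS.check_indicators (first hunk) the Apple state-sponsored-attack alert is only logged, whereas the check_indicators methods this same commit adds for RootBinaries and SMSAttachments also append their hits to self.detected; if the alert is meant to count as a detection, add `self.detected.append(message)` after the warning, otherwise a short comment saying the alert is informational only would stop the next reader from "fixing" it. The `alert` literal is also rebuilt on every loop iteration; hoist it above the `for message in self.results:` line. In the second hunk, dropping the `else:` means check_for_links now also runs on the alert message itself, which the old code deliberately skipped — this looks intentional but is a behaviour change worth a line in the description. check_indicators continues past the end of the first hunk.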


@ -54,6 +54,20 @@ class SMSAttachments(IOSExtraction):
f"has_user_info: {record['has_user_info']})",
}
def check_indicators(self) -> None:
for attachment in self.results:
if (
attachment["filename"].startswith("/var/tmp/")
and attachment["filename"].endswith("-1")
and attachment["direction"] == "received"
):
self.log.warning(
"Suspicious iMessage attachment %s on %s",
attachment["filename"],
attachment["isodate"],
)
self.detected.append(attachment)
def run(self) -> None:
self._find_ios_database(backup_ids=SMS_BACKUP_IDS, root_paths=SMS_ROOT_PATHS)
self.log.info("Found SMS database at path: %s", self.file_path)
@ -101,19 +115,6 @@ class SMSAttachments(IOSExtraction):
attachment["has_user_info"] = attachment["user_info"] is not None
attachment["service"] = attachment["service"] or "Unknown"
attachment["filename"] = attachment["filename"] or "NULL"
if (
attachment["filename"].startswith("/var/tmp/")
and attachment["filename"].endswith("-1")
and attachment["direction"] == "received"
):
self.log.warning(
"Suspicious iMessage attachment %s on %s",
attachment["filename"],
attachment["isodate"],
)
self.detected.append(attachment)
self.results.append(attachment)
cur.close()
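Review bot: The heuristic in the new SMSAttachments.check_indicators (the `/var/tmp/` prefix, `-1` suffix and `received` direction test) is undocumented, and the thresholds it relies on are not explained anywhere in the hunk; a docstring along the lines of `"""Flag received attachments whose filename matches the /var/tmp/...-1 pattern, which the run()-collected data normalises to a string first."""` would help, and ideally a comment with the reason that pattern is suspicious, which the commit does not state. The check assumes `attachment["filename"]` is always a str; that holds for results produced by run() because of the `or "NULL"` normalisation in the second hunk, but if check_indicators is also fed results reloaded from a saved file that invariant should be confirmed. The run() body continues outside both hunks.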