From 0b88de98673a3c6516fd1ba3334357ffb72183b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Donncha=20=C3=93=20Cearbhaill?=
Date: Fri, 21 Jul 2023 11:29:12 +0200
Subject: [PATCH 1/2] Move detection and alerts from run() to check_indicators()

---
 mvt/android/modules/adb/root_binaries.py | 8 +++++--
 mvt/ios/modules/backup/manifest.py | 13 ------------
 mvt/ios/modules/mixed/sms.py | 22 +++++++++----------
 mvt/ios/modules/mixed/sms_attachments.py | 27 ++++++++++++------------
 4 files changed, 31 insertions(+), 39 deletions(-)

diff --git a/mvt/android/modules/adb/root_binaries.py b/mvt/android/modules/adb/root_binaries.py
index f6d29a5..9de2bcb 100644
--- a/mvt/android/modules/adb/root_binaries.py
+++ b/mvt/android/modules/adb/root_binaries.py
@@ -30,6 +30,11 @@ class RootBinaries(AndroidExtraction):
 results=results,
 )
 
+ def check_indicators(self) -> None:
+ for root_binary in self.results:
+ self.detected.append(root_binary)
+ self.log.warning('Found root binary "%s"', root_binary)
+
 def run(self) -> None:
 root_binaries = [
 "su",
@@ -60,7 +65,6 @@ class RootBinaries(AndroidExtraction):
 if "which: not found" in output:
 continue
 
- self.detected.append(root_binary)
- self.log.warning('Found root binary "%s"', root_binary)
+ self.results.append(root_binary)
 
 self._adb_disconnect()
diff --git a/mvt/ios/modules/backup/manifest.py b/mvt/ios/modules/backup/manifest.py
index 3a596f9..6e83dfd 100644
--- a/mvt/ios/modules/backup/manifest.py
+++ b/mvt/ios/modules/backup/manifest.py
@@ -91,19 +91,6 @@ class Manifest(IOSExtraction):
 if not result.get("relative_path"):
 continue
 
- if result["domain"]:
- if (
- os.path.basename(result["relative_path"])
- == "com.apple.CrashReporter.plist"
- and result["domain"] == "RootDomain"
- ):
- self.log.warning(
- "Found a potentially suspicious "
- '"com.apple.CrashReporter.plist" file created in RootDomain'
- )
- self.detected.append(result)
- continue
-
 if not self.indicators:
 continue
 
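Review bot: The new `check_indicators` at the top of the first root_binaries.py hunk turns every entry of `self.results` into a detection without stating that contract, so a reader cannot tell it apart from the IOC-driven `check_indicators` methods of the iOS modules in this same patch; a docstring such as `"""Flag every root binary found by run(): presence alone is the indicator, no IOC list is consulted."""` would make the intent explicit. The records it flags are bare strings (`self.results.append(root_binary)` in the second hunk), whereas `self.detected` in sms_attachments.py holds dict records; if a downstream serializer or detection summary assumes dict entries (not visible here), a small record such as `{"name": root_binary}` would be needed, otherwise a comment noting that this module's results are plain strings would save the next reader the check. The enclosing `run()` body continues outside the second hunk.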
diff --git a/mvt/ios/modules/mixed/sms.py b/mvt/ios/modules/mixed/sms.py
index b1bfa6c..2780762 100644
--- a/mvt/ios/modules/mixed/sms.py
+++ b/mvt/ios/modules/mixed/sms.py
@@ -60,6 +60,14 @@ class SMS(IOSExtraction):
 ]
 
 def check_indicators(self) -> None:
+ for message in self.results:
+ alert = "ALERT: State-sponsored attackers may be targeting your iPhone"
+ if message.get("text", "").startswith(alert):
+ self.log.warning(
+ "Apple warning about state-sponsored attack received on the %s",
+ message["isodate"],
+ )
+
 if not self.indicators:
 return
 
@@ -137,17 +145,9 @@ class SMS(IOSExtraction):
 if not message.get("text", None):
 message["text"] = ""
 
- alert = "ALERT: State-sponsored attackers may be targeting your iPhone"
- if message.get("text", "").startswith(alert):
- self.log.warning(
- "Apple warning about state-sponsored attack received on the %s",
- message["isodate"],
- )
- else:
- # Extract links from the SMS message.
- message_links = check_for_links(message.get("text", ""))
- message["links"] = message_links
-
+ # Extract links from the SMS message.
+ message_links = check_for_links(message.get("text", ""))
+ message["links"] = message_links
 self.results.append(message)
 
 cur.close()
diff --git a/mvt/ios/modules/mixed/sms_attachments.py b/mvt/ios/modules/mixed/sms_attachments.py
index 00a52cb..f4005c9 100644
--- a/mvt/ios/modules/mixed/sms_attachments.py
+++ b/mvt/ios/modules/mixed/sms_attachments.py
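Review bot: In the first sms.py hunk the `alert` literal is re-bound on every iteration of `for message in self.results:`; hoisting it above the loop, or to a module-level constant such as `APPLE_THREAT_NOTIFICATION_PREFIX = "ALERT: State-sponsored attackers may be targeting your iPhone"`, reads better and documents what is being matched. The match only emits a warning and never appends the message to `self.detected`, so if the detection summary or output is driven by `self.detected` (inferred, not visible here) an Apple threat notification will not surface there; adding `self.detected.append(message)` next to the warning would keep it consistent with how the sms_attachments.py heuristic in this same patch records its hit. The loop is deliberately placed before the `if not self.indicators:` guard so the heuristic still runs without an IOC list, which is worth a one-line comment since the guard follows immediately and a later edit could move it. The rest of `check_indicators` continues outside the hunk.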
@@ -54,6 +54,20 @@ class SMSAttachments(IOSExtraction):
 f"has_user_info: {record['has_user_info']})",
 }
 
+ def check_indicators(self) -> None:
+ for attachment in self.results:
+ if (
+ attachment["filename"].startswith("/var/tmp/")
+ and attachment["filename"].endswith("-1")
+ and attachment["direction"] == "received"
+ ):
+ self.log.warning(
+ "Suspicious iMessage attachment %s on %s",
+ attachment["filename"],
+ attachment["isodate"],
+ )
+ self.detected.append(attachment)
+
 def run(self) -> None:
 self._find_ios_database(backup_ids=SMS_BACKUP_IDS, root_paths=SMS_ROOT_PATHS)
 self.log.info("Found SMS database at path: %s", self.file_path)
@@ -101,19 +115,6 @@ class SMSAttachments(IOSExtraction):
 attachment["has_user_info"] = attachment["user_info"] is not None
 attachment["service"] = attachment["service"] or "Unknown"
 attachment["filename"] = attachment["filename"] or "NULL"
-
- if (
- attachment["filename"].startswith("/var/tmp/")
- and attachment["filename"].endswith("-1")
- and attachment["direction"] == "received"
- ):
- self.log.warning(
- "Suspicious iMessage attachment %s on %s",
- attachment["filename"],
- attachment["isodate"],
- )
- self.detected.append(attachment)
-
 self.results.append(attachment)
 
 cur.close()

From 8015ff78e8d6532129e50220996810d311fa00be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Donncha=20=C3=93=20Cearbhaill?=
Date: Fri, 21 Jul 2023 12:10:45 +0200
Subject: [PATCH 2/2] Fix black error

---
 mvt/ios/modules/mixed/sms.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mvt/ios/modules/mixed/sms.py b/mvt/ios/modules/mixed/sms.py
index 2780762..866c799 100644
--- a/mvt/ios/modules/mixed/sms.py
+++ b/mvt/ios/modules/mixed/sms.py
@@ -66,7 +66,7 @@ class SMS(IOSExtraction):
 self.log.warning(
 "Apple warning about state-sponsored attack received on the %s",
 message["isodate"],
- )
+ )
 
 if not self.indicators:
 return
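Review bot: The heuristic in the new sms_attachments.py `check_indicators` (filename under `/var/tmp/`, `-1` suffix, direction `received`) was moved without any comment explaining why that combination is flagged, so an analyst tuning false positives has nothing to judge it against; a comment above the `if (` along the lines of `# Heuristic: received attachments cached as /var/tmp/<name>-1; documented in <reference placeholder>` would record the rationale and a source. The check relies on `attachment["filename"]` being a string, which `run()` guarantees only through the `or "NULL"` normalisation visible in the second hunk; if `check_indicators` can also run over results that did not pass through `run()` (inferred, not visible here), a missing `filename` or `direction` key would raise inside the loop, and `attachment.get("filename", "")` / `attachment.get("direction")` would be the defensive form. The `run()` body continues outside the second hunk.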