Merge pull request #369 from mvt-project/move-indicator-checking
Move detection and alerts from run() to check_indicators()
This commit is contained in:
commit
85877fd3eb
|
@ -30,6 +30,11 @@ class RootBinaries(AndroidExtraction):
|
||||||
results=results,
|
results=results,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def check_indicators(self) -> None:
|
||||||
|
for root_binary in self.results:
|
||||||
|
self.detected.append(root_binary)
|
||||||
|
self.log.warning('Found root binary "%s"', root_binary)
|
||||||
|
|
||||||
def run(self) -> None:
|
def run(self) -> None:
|
||||||
root_binaries = [
|
root_binaries = [
|
||||||
"su",
|
"su",
|
||||||
|
@ -60,7 +65,6 @@ class RootBinaries(AndroidExtraction):
|
||||||
if "which: not found" in output:
|
if "which: not found" in output:
|
||||||
continue
|
continue
|
||||||
|
|
||||||
self.detected.append(root_binary)
|
self.results.append(root_binary)
|
||||||
self.log.warning('Found root binary "%s"', root_binary)
|
|
||||||
|
|
||||||
self._adb_disconnect()
|
self._adb_disconnect()
|
||||||
|
|
|
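Review bot: The new `check_indicators()` in the first hunk flags every entry of `self.results` unconditionally and never consults `self.indicators`, which departs from the `if not self.indicators: return` convention the other modules in this same commit follow; that is the right call for root binaries, but it should be stated so it is not later "fixed" into an IOC-gated check. Add a docstring on the method such as `"""Flag every root binary recorded by run(); presence alone is the indicator, no IOC list is consulted."""`. With the warning moved out of `run()` (second hunk), a root binary is now only reported when `check_indicators()` is actually invoked after `run()` — presumably the base class guarantees that ordering, worth confirming. Calling `check_indicators()` twice on one instance would append duplicates to `self.detected`, as the old code would have; harmless unless a caller re-runs it.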
@ -91,19 +91,6 @@ class Manifest(IOSExtraction):
|
||||||
if not result.get("relative_path"):
|
if not result.get("relative_path"):
|
||||||
continue
|
continue
|
||||||
|
|
||||||
if result["domain"]:
|
|
||||||
if (
|
|
||||||
os.path.basename(result["relative_path"])
|
|
||||||
== "com.apple.CrashReporter.plist"
|
|
||||||
and result["domain"] == "RootDomain"
|
|
||||||
):
|
|
||||||
self.log.warning(
|
|
||||||
"Found a potentially suspicious "
|
|
||||||
'"com.apple.CrashReporter.plist" file created in RootDomain'
|
|
||||||
)
|
|
||||||
self.detected.append(result)
|
|
||||||
continue
|
|
||||||
|
|
||||||
if not self.indicators:
|
if not self.indicators:
|
||||||
continue
|
continue
|
||||||
|
|
||||||
|
|
|
@ -60,6 +60,14 @@ class SMS(IOSExtraction):
|
||||||
]
|
]
|
||||||
|
|
||||||
def check_indicators(self) -> None:
|
def check_indicators(self) -> None:
|
||||||
|
for message in self.results:
|
||||||
|
alert = "ALERT: State-sponsored attackers may be targeting your iPhone"
|
||||||
|
if message.get("text", "").startswith(alert):
|
||||||
|
self.log.warning(
|
||||||
|
"Apple warning about state-sponsored attack received on the %s",
|
||||||
|
message["isodate"],
|
||||||
|
)
|
||||||
|
|
||||||
if not self.indicators:
|
if not self.indicators:
|
||||||
return
|
return
|
||||||
|
|
||||||
|
@ -137,17 +145,9 @@ class SMS(IOSExtraction):
|
||||||
if not message.get("text", None):
|
if not message.get("text", None):
|
||||||
message["text"] = ""
|
message["text"] = ""
|
||||||
|
|
||||||
alert = "ALERT: State-sponsored attackers may be targeting your iPhone"
|
# Extract links from the SMS message.
|
||||||
if message.get("text", "").startswith(alert):
|
message_links = check_for_links(message.get("text", ""))
|
||||||
self.log.warning(
|
message["links"] = message_links
|
||||||
"Apple warning about state-sponsored attack received on the %s",
|
|
||||||
message["isodate"],
|
|
||||||
)
|
|
||||||
else:
|
|
||||||
# Extract links from the SMS message.
|
|
||||||
message_links = check_for_links(message.get("text", ""))
|
|
||||||
message["links"] = message_links
|
|
||||||
|
|
||||||
self.results.append(message)
|
self.results.append(message)
|
||||||
|
|
||||||
cur.close()
|
cur.close()
|
||||||
|
|
|
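Review bot: In the first hunk the Apple state-sponsored-attack match is still log-only — the message is never appended to `self.detected`, so it will not show up in the detected results even though the check now lives in `check_indicators()`; either add `self.detected.append(message)` after the `self.log.warning(...)` call or add a comment explaining why it is deliberately excluded. The `alert = "ALERT: ..."` string is rebuilt on every loop iteration; hoist it above `for message in self.results:`, and note in a comment that the prefix match is against the English wording only, so a localised alert would be missed. The second hunk also changes behaviour slightly: link extraction now runs for the alert message as well, which the old `else:` branch skipped — presumably intended, but the commit message does not mention it. `check_indicators()` continues past the end of the first hunk.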
@ -54,6 +54,20 @@ class SMSAttachments(IOSExtraction):
|
||||||
f"has_user_info: {record['has_user_info']})",
|
f"has_user_info: {record['has_user_info']})",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
def check_indicators(self) -> None:
|
||||||
|
for attachment in self.results:
|
||||||
|
if (
|
||||||
|
attachment["filename"].startswith("/var/tmp/")
|
||||||
|
and attachment["filename"].endswith("-1")
|
||||||
|
and attachment["direction"] == "received"
|
||||||
|
):
|
||||||
|
self.log.warning(
|
||||||
|
"Suspicious iMessage attachment %s on %s",
|
||||||
|
attachment["filename"],
|
||||||
|
attachment["isodate"],
|
||||||
|
)
|
||||||
|
self.detected.append(attachment)
|
||||||
|
|
||||||
def run(self) -> None:
|
def run(self) -> None:
|
||||||
self._find_ios_database(backup_ids=SMS_BACKUP_IDS, root_paths=SMS_ROOT_PATHS)
|
self._find_ios_database(backup_ids=SMS_BACKUP_IDS, root_paths=SMS_ROOT_PATHS)
|
||||||
self.log.info("Found SMS database at path: %s", self.file_path)
|
self.log.info("Found SMS database at path: %s", self.file_path)
|
||||||
|
@ -101,19 +115,6 @@ class SMSAttachments(IOSExtraction):
|
||||||
attachment["has_user_info"] = attachment["user_info"] is not None
|
attachment["has_user_info"] = attachment["user_info"] is not None
|
||||||
attachment["service"] = attachment["service"] or "Unknown"
|
attachment["service"] = attachment["service"] or "Unknown"
|
||||||
attachment["filename"] = attachment["filename"] or "NULL"
|
attachment["filename"] = attachment["filename"] or "NULL"
|
||||||
|
|
||||||
if (
|
|
||||||
attachment["filename"].startswith("/var/tmp/")
|
|
||||||
and attachment["filename"].endswith("-1")
|
|
||||||
and attachment["direction"] == "received"
|
|
||||||
):
|
|
||||||
self.log.warning(
|
|
||||||
"Suspicious iMessage attachment %s on %s",
|
|
||||||
attachment["filename"],
|
|
||||||
attachment["isodate"],
|
|
||||||
)
|
|
||||||
self.detected.append(attachment)
|
|
||||||
|
|
||||||
self.results.append(attachment)
|
self.results.append(attachment)
|
||||||
|
|
||||||
cur.close()
|
cur.close()
|
||||||
|
|
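Review bot: The `/var/tmp/` + `-1` + `received` heuristic moved into `check_indicators()` in the first hunk carries no comment saying what it is meant to catch, so a maintainer cannot tell whether the pattern is still current or where it came from; add a comment above the `if (` such as `# Heuristic for received iMessage attachments staged under /var/tmp/ with a "-1" suffix — TODO: cite the source of this indicator`. The check indexes `attachment["filename"]` and `attachment["direction"]` directly; records built by `run()` (second hunk) normalise `filename` to `"NULL"` first, and results reloaded from a saved file presumably carry the same normalisation — worth confirming so the check does not raise on a `None` filename. `check_indicators()` continues past the end of the first hunk.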