Adds indicators check to iOS TCC module

mvt/ios/modules/mixed/tcc.py

@@ -66,6 +66,15 @@ class TCC(IOSExtraction):
                 "data": msg
             }
 
+    def check_indicators(self):
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            if self.indicators.check_process(result["client"]):
+                self.log.warning("Found malicious process in TCC database: %s", result["client"])
+                self.detected.append(result)
+
     def process_db(self, file_path):
         conn = sqlite3.connect(file_path)
         cur = conn.cursor()

tests/ios/test_tcc.py

@@ -5,27 +5,32 @@
 
 import logging
 
+from mvt.common.indicators import Indicators
 from mvt.common.module import run_module
 from mvt.ios.modules.mixed.tcc import TCC
 
 from ..utils import get_backup_folder
 
 
-class TestManifestModule:
-    def test_manifest(self):
+class TestTCCtModule:
+    def test_tcc(self):
         m = TCC(base_folder=get_backup_folder(), log=logging, results=[])
         run_module(m)
         assert len(m.results) == 11
         assert len(m.timeline) == 11
         assert len(m.detected) == 0
         assert m.results[0]["service"] == "kTCCServiceUbiquity"
+        assert m.results[0]["client"] == "com.apple.Preferences"
         assert m.results[0]["auth_value"] == "allowed"
 
-    def test_manifest_2(self):
+    def test_tcc_detection(self, indicator_file):
         m = TCC(base_folder=get_backup_folder(), log=logging, results=[])
+        ind = Indicators(log=logging)
+        ind.parse_stix2(indicator_file)
+        m.indicators = ind
         run_module(m)
         assert len(m.results) == 11
         assert len(m.timeline) == 11
-        assert len(m.detected) == 0
-        assert m.results[0]["service"] == "kTCCServiceUbiquity"
-        assert m.results[0]["auth_value"] == "allowed"
+        assert len(m.detected) == 1
+        assert m.detected[0]["service"] == "kTCCServiceLiverpool"
+        assert m.detected[0]["client"] == "Launch"