diff --git a/mvt/ios/modules/mixed/tcc.py b/mvt/ios/modules/mixed/tcc.py
index 747ffcf..cd626d0 100644
--- a/mvt/ios/modules/mixed/tcc.py
+++ b/mvt/ios/modules/mixed/tcc.py
@@ -66,6 +66,15 @@ class TCC(IOSExtraction):
 "data": msg
 }
 
+ def check_indicators(self):
+ if not self.indicators:
+ return
+
+ for result in self.results:
+ if self.indicators.check_process(result["client"]):
+ self.log.warning("Found malicious process in TCC database: %s", result["client"])
+ self.detected.append(result)
+
 def process_db(self, file_path):
 conn = sqlite3.connect(file_path)
 cur = conn.cursor()
diff --git a/tests/artifacts/ios_backup/64/64d0019cb3d46bfc8cce545a8ba54b93e7ea9347 b/tests/artifacts/ios_backup/64/64d0019cb3d46bfc8cce545a8ba54b93e7ea9347
index 3a1a64c..c7af1e8 100644
Binary files a/tests/artifacts/ios_backup/64/64d0019cb3d46bfc8cce545a8ba54b93e7ea9347 and b/tests/artifacts/ios_backup/64/64d0019cb3d46bfc8cce545a8ba54b93e7ea9347 differ
diff --git a/tests/ios/test_tcc.py b/tests/ios/test_tcc.py
index f93920e..8f3517f 100644
--- a/tests/ios/test_tcc.py
+++ b/tests/ios/test_tcc.py
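Review bot: check_indicators matches the TCC `client` column only against process-name indicators via `check_process`, yet that column also carries bundle identifiers (the first fixture result in the test hunk has `com.apple.Preferences` as its client), so an indicator published as an app identifier rather than a process name presumably goes unmatched here; worth confirming whether Indicators offers an app-id check to run alongside. The warning also discards the `service` the client was granted, which is the most useful triage context in this table: `self.log.warning("Found malicious process in TCC database: %s (service %s)", result["client"], result["service"])`. A one-line docstring such as `"""Flag TCC entries whose client matches a process-name indicator."""` would make the method's scope explicit. process_db continues past the end of the hunk.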
@@ -5,27 +5,32 @@
 import logging
 
+from mvt.common.indicators import Indicators
 from mvt.common.module import run_module
 from mvt.ios.modules.mixed.tcc import TCC
 
 from ..utils import get_backup_folder
 
 
-class TestManifestModule:
- def test_manifest(self):
+class TestTCCtModule:
+ def test_tcc(self):
 m = TCC(base_folder=get_backup_folder(), log=logging, results=[])
 run_module(m)
 assert len(m.results) == 11
 assert len(m.timeline) == 11
 assert len(m.detected) == 0
 assert m.results[0]["service"] == "kTCCServiceUbiquity"
+ assert m.results[0]["client"] == "com.apple.Preferences"
 assert m.results[0]["auth_value"] == "allowed"
 
- def test_manifest_2(self):
+ def test_tcc_detection(self, indicator_file):
 m = TCC(base_folder=get_backup_folder(), log=logging, results=[])
+ ind = Indicators(log=logging)
+ ind.parse_stix2(indicator_file)
+ m.indicators = ind
 run_module(m)
 assert len(m.results) == 11
 assert len(m.timeline) == 11
- assert len(m.detected) == 0
- assert m.results[0]["service"] == "kTCCServiceUbiquity"
- assert m.results[0]["auth_value"] == "allowed"
+ assert len(m.detected) == 1
+ assert m.detected[0]["service"] == "kTCCServiceLiverpool"
+ assert m.detected[0]["client"] == "Launch"
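Review bot: The renamed class `TestTCCtModule` carries a stray "t" and should read `class TestTCCModule:`, matching the `test_tcc` / `test_tcc_detection` method names introduced in the same hunk. The detection test asserts a single hit with client `Launch`, which appears to depend on the binary backup artifact modified in this commit together with whatever `indicator_file` supplies; a brief comment naming which indicator in that fixture is expected to match would make the assertion easier to maintain, e.g. `# one process-name indicator in indicator_file matches the "Launch" client`.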