From 95205d8e1773073bfa3952f9279b92973d2a07d0 Mon Sep 17 00:00:00 2001
From: tek <tek@randhome.io>
Date: Tue, 18 Jan 2022 17:12:20 +0100
Subject: [PATCH] Adds indicators check to iOS TCC module

---
 mvt/ios/modules/mixed/tcc.py                  |   9 +++++++++
 .../64d0019cb3d46bfc8cce545a8ba54b93e7ea9347  | Bin 57344 -> 57344 bytes
 tests/ios/test_tcc.py                         |  17 +++++++++++------
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/mvt/ios/modules/mixed/tcc.py b/mvt/ios/modules/mixed/tcc.py
index 747ffcf..cd626d0 100644
--- a/mvt/ios/modules/mixed/tcc.py
+++ b/mvt/ios/modules/mixed/tcc.py
@@ -66,6 +66,15 @@ class TCC(IOSExtraction):
                 "data": msg
             }
 
+    def check_indicators(self):
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            if self.indicators.check_process(result["client"]):
+                self.log.warning("Found malicious process in TCC database: %s", result["client"])
+                self.detected.append(result)
+
     def process_db(self, file_path):
         conn = sqlite3.connect(file_path)
         cur = conn.cursor()
diff --git a/tests/artifacts/ios_backup/64/64d0019cb3d46bfc8cce545a8ba54b93e7ea9347 b/tests/artifacts/ios_backup/64/64d0019cb3d46bfc8cce545a8ba54b93e7ea9347
index 3a1a64cce7421e510ea7cf88f36b581a02766e72..c7af1e87c8a1007b278a9dd3ccbbdf4b9658993f 100644
GIT binary patch
delta 149
zcmZoTz}#?vc>~)9iR}#hd-<#QCHZ#pmGN2f{^Xs-Ys&MMXZvPBfi@lq9|jCyV!~%C
zIeGqGvB?2@IoW&?OY@R5Hb2~>z|6}Z#=y;M$-tk(e~y33X1)U+{IWpZVi+bcsI!?$
Sa!4{x-nd5uW<c-xVgUfp+amJ-

delta 133
zcmZoTz}#?vc>~)9iG>XOd-<#QCHZ#pmGN2f{^Xs-Ys&MMXW?c+fo2|7FB3jf*U9tu
zicJpKD=d`hoReRg;+J2NnU<NHSdy8axB1~71!i6b1_o|kO9uXP{8RYDHuD|u;AgRA
V1L`X{FFtwwc`j`Fde0XN005fsE(ZVr

diff --git a/tests/ios/test_tcc.py b/tests/ios/test_tcc.py
index f93920e..8f3517f 100644
--- a/tests/ios/test_tcc.py
+++ b/tests/ios/test_tcc.py
@@ -5,27 +5,32 @@
 
 import logging
 
+from mvt.common.indicators import Indicators
 from mvt.common.module import run_module
 from mvt.ios.modules.mixed.tcc import TCC
 
 from ..utils import get_backup_folder
 
 
-class TestManifestModule:
-    def test_manifest(self):
+class TestTCCtModule:
+    def test_tcc(self):
         m = TCC(base_folder=get_backup_folder(), log=logging, results=[])
         run_module(m)
         assert len(m.results) == 11
         assert len(m.timeline) == 11
         assert len(m.detected) == 0
         assert m.results[0]["service"] == "kTCCServiceUbiquity"
+        assert m.results[0]["client"] == "com.apple.Preferences"
         assert m.results[0]["auth_value"] == "allowed"
 
-    def test_manifest_2(self):
+    def test_tcc_detection(self, indicator_file):
         m = TCC(base_folder=get_backup_folder(), log=logging, results=[])
+        ind = Indicators(log=logging)
+        ind.parse_stix2(indicator_file)
+        m.indicators = ind
         run_module(m)
         assert len(m.results) == 11
         assert len(m.timeline) == 11
-        assert len(m.detected) == 0
-        assert m.results[0]["service"] == "kTCCServiceUbiquity"
-        assert m.results[0]["auth_value"] == "allowed"
+        assert len(m.detected) == 1
+        assert m.detected[0]["service"] == "kTCCServiceLiverpool"
+        assert m.detected[0]["client"] == "Launch"