From 59206fc450931d8d464dcf8f1a49e442ea5413c9 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 31 Jul 2021 00:46:36 -0400 Subject: [PATCH 1/2] Describe how to use and find IOCs This offers generic documentation, to show how MVT can be used with arbitrary STIX-formatted IOCs, while still pointing users at some known-to-be-useful sample files. --- docs/iocs.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 docs/iocs.md diff --git a/docs/iocs.md b/docs/iocs.md new file mode 100644 index 0000000..78f0295 --- /dev/null +++ b/docs/iocs.md 
@@ -0,0 +1,32 @@ +# Indicators of Compromise (IOCs) + +MVT uses [Structured Threat Information Expression (STIX)](https://oasis-open.github.io/cti-documentation/stix/intro.html) files to identify potential traces of compromise. + +These indicators of compromise are contained in a file with a particular structure of [JSON](https://en.wikipedia.org/wiki/JSON) with the `.stix2` or `.json` extensions. + +For example, after extracting iOS forensics data from an iPhone using `mvt-ios check-backup` or `mvt-ios check-fs`, you might run: + +```bash +mvt-ios check-iocs --iocs ~/iocs/wintermute.stix2 /path/to/iphone/output/ +``` + +Or, with data from an android backup: + +```bash +mvt-android check-backup --iocs ~/iocs/wintermute.stix2 /path/to/android/backup/ +``` + +If you're looking for indicators of compromise for a specific piece of malware or adversary, please ask investigators or anti-malware researchers who have the relevant expertise for a STIX file. + +## Known repositories of STIX IOCs + +We currently know of the following STIX-formatted IOCs: + +- [Cyber Threat Intelligence Technical Committee's sample STIX 2.1 Threat reports](https://oasis-open.github.io/cti-documentation/stix/examples#stix-21-threat-reports): the "JSON representation" column offers sample STIX-formatted IOCs for: + - [APT1](https://en.wikipedia.org/wiki/APT1) ([STIX](https://oasis-open.github.io/cti-documentation/examples/example_json/apt1.json)), + - [Poison Ivy](https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy/) ([STIX](https://oasis-open.github.io/cti-documentation/examples/example_json/poisonivy.json)), and + - [IMDDOS](https://www.coresecurity.com/publication/imddos-botnet-discovery-and-analysis)([STIX](https://gist.github.com/rjsmitre/79775df68b0d1c7c0985b4fe7f115586/raw/d5d2a3e7b4ae52ff7153a8b7b5b57dd066611803/imddos.json)) +- The [Amnesty International investigations repository](https://github.com/AmnestyTech/investigations) contains STIX-formatted IOCs 
for: + - [Pegasus](https://en.wikipedia.org/wiki/Pegasus_(spyware)) + +Please [open an issue](https://github.com/mvt-project/mvt/issues/) to suggest new sources of STIX-formatted IOCs. From 5b5b065bc49e82d6c99bb23c7fcb123ddc6e97e6 Mon Sep 17 00:00:00 2001 From: Nex Date: Sat, 31 Jul 2021 10:05:41 +0200 Subject: [PATCH 2/2] Updated doc page on IOCs --- docs/iocs.md | 24 ++++++++++++------------ mkdocs.yml | 1 + 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/docs/iocs.md b/docs/iocs.md index 78f0295..5a903ce 100644 --- a/docs/iocs.md +++ b/docs/iocs.md 
@@ -4,29 +4,29 @@ MVT uses [Structured Threat Information Expression (STIX)](https://oasis-open.gi These indicators of compromise are contained in a file with a particular structure of [JSON](https://en.wikipedia.org/wiki/JSON) with the `.stix2` or `.json` extensions. -For example, after extracting iOS forensics data from an iPhone using `mvt-ios check-backup` or `mvt-ios check-fs`, you might run: +You can indicate a path to a STIX2 indicators file when checking iPhone backups or filesystem dumps. For example: ```bash -mvt-ios check-iocs --iocs ~/iocs/wintermute.stix2 /path/to/iphone/output/ +mvt-ios check-backup --iocs ~/ios/malware.stix2 --output /path/to/iphone/output /path/to/backup ``` -Or, with data from an android backup: +Or, with data from an Android backup: ```bash -mvt-android check-backup --iocs ~/iocs/wintermute.stix2 /path/to/android/backup/ +mvt-android check-backup --iocs ~/iocs/malware.stix2 /path/to/android/backup/ +``` + +After extracting forensics data from a device, you are also able to compare it with any STIX2 file you indicate: + +```bash +mvt-ios check-iocs --iocs ~/iocs/malware.stix2 /path/to/iphone/output/ ``` If you're looking for indicators of compromise for a specific piece of malware or adversary, please ask investigators or anti-malware researchers who have the relevant expertise for a STIX file. 
-## Known repositories of STIX IOCs +## Known repositories of STIX2 IOCs -We currently know of the following STIX-formatted IOCs: - -- [Cyber Threat Intelligence Technical Committee's sample STIX 2.1 Threat reports](https://oasis-open.github.io/cti-documentation/stix/examples#stix-21-threat-reports): the "JSON representation" column offers sample STIX-formatted IOCs for: - - [APT1](https://en.wikipedia.org/wiki/APT1) ([STIX](https://oasis-open.github.io/cti-documentation/examples/example_json/apt1.json)), - - [Poison Ivy](https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy/) ([STIX](https://oasis-open.github.io/cti-documentation/examples/example_json/poisonivy.json)), and - - [IMDDOS](https://www.coresecurity.com/publication/imddos-botnet-discovery-and-analysis)([STIX](https://gist.github.com/rjsmitre/79775df68b0d1c7c0985b4fe7f115586/raw/d5d2a3e7b4ae52ff7153a8b7b5b57dd066611803/imddos.json)) - The [Amnesty International investigations repository](https://github.com/AmnestyTech/investigations) contains STIX-formatted IOCs for: - - [Pegasus](https://en.wikipedia.org/wiki/Pegasus_(spyware)) + - [Pegasus](https://en.wikipedia.org/wiki/Pegasus_(spyware)) ([STIX2](https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2)) Please [open an issue](https://github.com/mvt-project/mvt/issues/) to suggest new sources of STIX-formatted IOCs. diff --git a/mkdocs.yml b/mkdocs.yml index 1837158..282b0ef 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -44,4 +44,5 @@ nav: - Android Forensic Methodology: "android/methodology.md" - Check APKs: "android/download_apks.md" - Check an Android Backup: "android/backup.md" + - Indicators of Compromise: "iocs.md" - License: "license.md"
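Review bot: In the first patch's `docs/iocs.md` hunk, the IMDDOS list item is missing the space between the two links (`[IMDDOS](...)([STIX](...))`), so it renders differently from the sibling APT1 and Poison Ivy items, which have `) ([STIX]`. While touching that list, it would help readers to state that the OASIS threat reports are illustrative STIX 2.1 samples (as the commit message itself says, "sample files"), so that nobody runs `mvt-ios check-iocs --iocs ~/iocs/wintermute.stix2 ...` against them expecting real detections; the Amnesty entry is the one that actually carries investigation-derived indicators.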
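Review bot: In the second patch's `docs/iocs.md` hunk, the three examples use inconsistent placeholder paths: the `mvt-ios check-backup` line uses `~/ios/malware.stix2` while the `mvt-android check-backup` and `mvt-ios check-iocs` lines use `~/iocs/malware.stix2`; use `~/iocs/malware.stix2` in all three. The new Pegasus link points at the raw file on the `master` branch (`.../investigations/master/2021-07-18_nso/pegasus.stix2`), whose contents can change between runs, so consider either linking a specific commit or adding a sentence asking readers to note which revision of the file they checked against so a scan result can be reproduced later. Minor wording: the heading now says "STIX2 IOCs" while the closing sentence still says "STIX-formatted IOCs", and "forensics data" should read "forensic data".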