Author | SHA1 | Date |
---|---|---|
renini | 4f33a333e2 | |
Donncha Ó Cearbhaill | f9d7b550dc | |
renini | 98ae2237aa |
|
@ -26,7 +26,7 @@ MVT supports using public [indicators of compromise (IOCs)](https://github.com/m
|
|||
>
|
||||
> Reliable and comprehensive digital forensic support and triage requires access to non-public indicators, research and threat intelligence.
|
||||
>
|
||||
>Such support is available to civil society through [Amnesty International's Security Lab](https://www.amnesty.org/en/tech/) or through our forensic partnership with [Access Now’s Digital Security Helpline](https://www.accessnow.org/help/).
|
||||
>Such support is available to civil society through [Amnesty International's Security Lab](https://securitylab.amnesty.org/get-help/?c=mvt_docs) or through our forensic partnership with [Access Now’s Digital Security Helpline](https://www.accessnow.org/help/).
|
||||
|
||||
More information about using indicators of compromise with MVT is available in the [documentation](https://docs.mvt.re/en/latest/iocs/).
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@ MVT supports using [indicators of compromise (IOCs)](https://github.com/mvt-proj
|
|||
|
||||
Reliable and comprehensive digital forensic support and triage requires access to non-public indicators, research and threat intelligence.
|
||||
|
||||
Such support is available to civil society through [Amnesty International's Security Lab](https://securitylab.amnesty.org/contact-us/) or [Access Now’s Digital Security Helpline](https://www.accessnow.org/help/).
|
||||
Such support is available to civil society through [Amnesty International's Security Lab](https://securitylab.amnesty.org/get-help/?c=mvt_docs) or [Access Now’s Digital Security Helpline](https://www.accessnow.org/help/).
|
||||
|
||||
More information about using indicators of compromise with MVT is available in the [documentation](iocs.md).
|
||||
|
||||
|
|
|
@ -160,6 +160,27 @@ class Command:
|
|||
def finish(self) -> None:
|
||||
raise NotImplementedError
|
||||
|
||||
def _show_disable_adb_warning(self) -> None:
|
||||
"""Warn if ADB is enabled"""
|
||||
if type(self).__name__ in ["CmdAndroidCheckADB", "CmdAndroidCheckAndroidQF"]:
|
||||
self.log.info(
|
||||
"Please disable Developer Options and ADB (Android Debug Bridge) on the device once finished with the acquisition. "
|
||||
"ADB is a powerful tool which can allow unauthorized access to the device."
|
||||
)
|
||||
|
||||
def _show_support_message(self) -> None:
|
||||
support_message = "Please seek reputable expert help if you have serious concerns about a possible spyware attack. Such support is available to human rights defenders and civil society through Amnesty International's Security Lab at https://securitylab.amnesty.org/get-help/?c=mvt"
|
||||
if self.detected_count == 0:
|
||||
self.log.info(
|
||||
f"[bold]NOTE:[/bold] Using MVT with public indicators of compromise (IOCs) [bold]WILL NOT[/bold] automatically detect advanced attacks.\n\n{support_message}",
|
||||
extra={"markup": True},
|
||||
)
|
||||
else:
|
||||
self.log.warning(
|
||||
f"[bold]NOTE: Detected indicators of compromise[/bold]. Only expert review can confirm if the detected indicators are signs of an attack.\n\n{support_message}",
|
||||
extra={"markup": True},
|
||||
)
|
||||
|
||||
def run(self) -> None:
|
||||
try:
|
||||
self.init()
|
||||
|
@ -208,3 +229,6 @@ class Command:
|
|||
|
||||
self._store_timeline()
|
||||
self._store_info()
|
||||
|
||||
self._show_disable_adb_warning()
|
||||
self._show_support_message()
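Review bot: `_show_disable_adb_warning` decides whether to warn by matching `type(self).__name__` against two hard-coded class-name strings, so a renamed command or any other class derived from those two (if they are subclassed) silently stops receiving the warning, and the coupling is invisible from the commands themselves. A class attribute is more robust and self-documenting: declare `uses_adb: bool = False` on `Command`, set `uses_adb = True` on the two Android commands, and reduce the check here to `if self.uses_adb:`. Because the message is security advice to the device owner (leaving ADB enabled widens the attack surface), emitting it with `self.log.warning` rather than `info` would keep it visible when output is filtered to warnings. `_show_support_message` also relies on `self.detected_count` being populated elsewhere, so a one-line docstring such as `"""Print the expert-help notice; expects self.detected_count to be final."""` would tell readers it must run after the modules have finished, which `run` (whose body continues outside this hunk) appears to do.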
|
||||
|
|
|
@ -13,6 +13,7 @@ import ahocorasick
|
|||
from appdirs import user_data_dir
|
||||
|
||||
from .url import URL
|
||||
import ipaddress
|
||||
|
||||
MVT_DATA_FOLDER = user_data_dir("mvt")
|
||||
MVT_INDICATORS_FOLDER = os.path.join(MVT_DATA_FOLDER, "indicators")
|
||||
|
@ -97,6 +98,29 @@ class Indicators:
|
|||
ioc_coll=collection,
|
||||
ioc_coll_list=collection["domains"],
|
||||
)
|
||||
if key == "ipv4-addr:value":
|
||||
# Check for cidr notation, and add each ip to the domains collection
|
||||
if "/" in value:
|
||||
try:
|
||||
network = ipaddress.ip_network(value.strip("'"), strict=False)
|
||||
for ip in network.hosts():
|
||||
self._add_indicator(
|
||||
ioc="'" + str(ip) + "'",
|
||||
ioc_coll=collection,
|
||||
ioc_coll_list=collection["domains"],
|
||||
)
|
||||
except ValueError:
|
||||
self.log.critical(
|
||||
"Invalid CIDR notation ipv4-addr:value %s in STIX2 indicator file!", value
|
||||
)
|
||||
return
|
||||
else:
|
||||
# Single IP address, add to domains collection
|
||||
self._add_indicator(
|
||||
ioc=value,
|
||||
ioc_coll=collection,
|
||||
ioc_coll_list=collection["domains"],
|
||||
)
|
||||
elif key == "process:name":
|
||||
self._add_indicator(
|
||||
ioc=value, ioc_coll=collection, ioc_coll_list=collection["processes"]
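Review bot: Expanding a CIDR with `network.hosts()` omits the network and broadcast addresses, so an indicator like `198.51.100.0/24` never matches `198.51.100.0` or `198.51.100.255`, and for an aggregated range such as a `/16` that silently skips hundreds of routable hosts an attacker can use; iterate the network itself, `for ip in network:`, since IOC matching needs every address in the range rather than host semantics. The expansion is also unbounded, so a `/8` in an indicator file inserts roughly 16 million entries into the domains collection — consider refusing or capping short prefixes (for example log an error and skip anything shorter than `/16`) rather than trusting the file. The CIDR branch strips the surrounding quotes and then re-wraps each address as `"'" + str(ip) + "'"`, while the single-address branch passes `value` through untouched; whichever form `_add_indicator` expects, the two branches should agree. Finally, the `return` in the `except` leaves the enclosing parse method, whose start is outside this hunk, so one malformed entry discards every indicator that follows it — if this sits in a loop over the file's indicators, skipping the bad entry would be the safer behaviour.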
|
||||
|
|
|
@ -13,6 +13,7 @@ def generate_test_stix_file(file_path):
|
|||
os.remove(file_path)
|
||||
|
||||
domains = ["example.org"]
|
||||
ip_addresses = ["198.51.100.1"]
|
||||
processes = ["Launch"]
|
||||
emails = ["foobar@example.org"]
|
||||
filenames = ["/var/foobar/txt"]
|
||||
|
@ -30,6 +31,15 @@ def generate_test_stix_file(file_path):
|
|||
res.append(i)
|
||||
res.append(Relationship(i, "indicates", malware))
|
||||
|
||||
for a in ip_addresses:
|
||||
i = Indicator(
|
||||
indicator_types=["malicious-activity"],
|
||||
pattern="[ipv4-addr:value='{}']".format(d),
|
||||
pattern_type="stix",
|
||||
)
|
||||
res.append(i)
|
||||
res.append(Relationship(i, "indicates", malware))
|
||||
|
||||
for p in processes:
|
||||
i = Indicator(
|
||||
indicator_types=["malicious-activity"],
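Review bot: The new ipv4 loop formats its pattern with `d` instead of its own loop variable `a`, so every generated `ipv4-addr` indicator carries whatever `d` last held in the preceding domains loop and the test never emits `198.51.100.1`; the line should read `pattern="[ipv4-addr:value='{}']".format(a),`. It only runs without a NameError because `d` is still bound from the earlier `for d in domains` loop, which starts above this hunk. As written, the new CIDR handling in the indicators module is not actually exercised by this fixture either; adding a value such as `"198.51.100.0/30"` to `ip_addresses` would cover that path.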
|
||||
|
|