3.0 KiB
Indicators of Compromise (IOCs)
MVT uses Structured Threat Information Expression (STIX) files to identify potential traces of compromise.
These indicators of compromise are contained in a file with a particular structure of JSON with the .stix2
or .json
extensions.
You can indicate a path to a STIX2 indicators file when checking iPhone backups or filesystem dumps. For example:
mvt-ios check-backup --iocs ~/ios/malware.stix2 --output /path/to/iphone/output /path/to/backup
Or, with data from an Android backup:
mvt-android check-backup --iocs ~/iocs/malware.stix2 /path/to/android/backup/
After extracting forensics data from a device, you are also able to compare it with any STIX2 file you indicate:
mvt-ios check-iocs --iocs ~/iocs/malware.stix2 /path/to/iphone/output/
The --iocs
option can be invoked multiple times to let MVT import multiple STIX2 files at once. For example:
mvt-ios check-backup --iocs ~/iocs/malware1.stix --iocs ~/iocs/malware2.stix2 /path/to/backup
It is also possible to load STIX2 files automatically from the environment variable MVT_STIX2
:
export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2"
Known repositories of STIX2 IOCs
- The Amnesty International investigations repository contains STIX-formatted IOCs for:
- This repository contains IOCs for Android stalkerware including a STIX MVT-compatible file.
- We are also maintaining a list of IOCs in STIX format from public spyware campaigns.
You can automaticallly download the latest public indicator files with the command mvt-ios download-iocs
or mvt-android download-iocs
. These commands download the list of indicators from the mvt-indicators repository and store them in the appdir folder. They are then loaded automatically by MVT.
Please open an issue to suggest new sources of STIX-formatted IOCs.