mvt/docs/iocs.md

Indicators of Compromise (IOCs)

MVT uses Structured Threat Information Expression (STIX) files to identify potential traces of compromise.

These indicators of compromise are contained in a file with a particular structure of JSON with the .stix2 or .json extensions.

You can indicate a path to a STIX2 indicators file when checking iPhone backups or filesystem dumps. For example:

mvt-ios check-backup --iocs ~/ios/malware.stix2 --output /path/to/iphone/output /path/to/backup

Or, with data from an Android backup:

mvt-android check-backup --iocs ~/iocs/malware.stix2 /path/to/android/backup/

After extracting forensics data from a device, you are also able to compare it with any STIX2 file you indicate:

mvt-ios check-iocs --iocs ~/iocs/malware.stix2 /path/to/iphone/output/

The --iocs option can be invoked multiple times to let MVT import multiple STIX2 files at once. For example:

mvt-ios check-backup --iocs ~/iocs/malware1.stix --iocs ~/iocs/malware2.stix2 /path/to/backup

It is also possible to load STIX2 files automatically from the environment variable MVT_STIX2:

export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2"

Known repositories of STIX2 IOCs

• The Amnesty International investigations repository contains STIX-formatted IOCs for:
  • Pegasus (STIX2)
  • Predator from Cytrox (STIX2)
• This repository contains IOCs for Android stalkerware including a STIX MVT-compatible file.

You can automaticallly download the latest public indicator files with the command mvt-ios download-indicators or mvt-android download-indicators.

Please open an issue to suggest new sources of STIX-formatted IOCs.