Squashed commit of the following:

commit c0d9e8d5d188c13e7e5ec0612e99bfb7e25f47d4
Author: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
Date:   Fri Jan 7 16:05:12 2022 +0100

    Update name of indicators JSON file

commit f719e49c5f942cef64931ecf422b6a6e7b8c9f17
Author: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
Date:   Fri Jan 7 15:38:03 2022 +0100

    Do not set indicators option on module if no indicators were loaded

commit a289eb8de936f7d74c6c787cbb8daf5c5bec015c
Author: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
Date:   Fri Jan 7 14:43:00 2022 +0100

    Simplify code for loading IoCs

commit 0804563415ee80d76c13d3b38ffe639fa14caa14
Author: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
Date:   Fri Jan 7 13:43:47 2022 +0100

    Add metadata to IoC entries

commit 97d0e893c1a0736c4931363ff40f09a030b90cf6
Author: tek <tek@randhome.io>
Date:   Fri Dec 17 16:43:09 2021 +0100

    Implements automated loading of indicators

commit c381e14df92ae4d7d846a1c97bcf6639cc526082
Author: tek <tek@randhome.io>
Date:   Fri Dec 17 12:41:15 2021 +0100

    Improves download-indicators

commit b938e02ddfd0b916fd883f510b467491a4a84e5f
Author: tek <tek@randhome.io>
Date:   Fri Dec 17 01:44:26 2021 +0100

    Adds download-indicators for mvt-ios and mvt-android
Indicators of Compromise (IOCs)
MVT uses Structured Threat Information Expression (STIX) files to identify potential traces of compromise.
These indicators of compromise are stored in a JSON file with a particular structure (a STIX2 bundle), using the `.stix2` or `.json` extension.
You can indicate a path to a STIX2 indicators file when checking iPhone backups or filesystem dumps. For example:

```bash
mvt-ios check-backup --iocs ~/ios/malware.stix2 --output /path/to/iphone/output /path/to/backup
```
Or, with data from an Android backup:

```bash
mvt-android check-backup --iocs ~/iocs/malware.stix2 /path/to/android/backup/
```
After extracting forensic data from a device, you can also compare it against any STIX2 file you indicate:

```bash
mvt-ios check-iocs --iocs ~/iocs/malware.stix2 /path/to/iphone/output/
```
The `--iocs` option can be passed multiple times to let MVT import several STIX2 files at once. For example:

```bash
mvt-ios check-backup --iocs ~/iocs/malware1.stix --iocs ~/iocs/malware2.stix2 /path/to/backup
```
It is also possible to load STIX2 files automatically from the environment variable `MVT_STIX2`, which holds a colon-separated list of paths:

```bash
export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2"
```
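To make the file format and the loading behaviour described above concrete, the following added example (not MVT's own code) parses a constructed STIX2 bundle, splits an `MVT_STIX2`-style path list, merges indicators from several files, and matches observed domains against them. It assumes a simplified pattern grammar of one comparison per indicator, such as `[domain-name:value = 'x']`; MVT's real parser may accept more.

```python
import json
import re
from collections import defaultdict

# Constructed sample STIX2 bundle: a "bundle" whose "objects" hold
# "indicator" entries carrying STIX patterning expressions.
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000000",
    "objects": [
        {"type": "indicator", "name": "sample-domain",
         "pattern": "[domain-name:value = 'example-bad.test']"},
        {"type": "indicator", "name": "sample-process",
         "pattern": "[process:name = 'badproc']"},
        {"type": "malware", "name": "SampleFamily"},  # not an indicator
    ],
})

# Single-comparison STIX pattern: [object-type:property = 'value']
PATTERN_RE = re.compile(r"^\[([a-z-]+):([a-z_]+)\s*=\s*'([^']*)'\]$")


def parse_stix2_indicators(text):
    """Return {'<type>:<property>': set(values)} from one bundle string."""
    iocs = defaultdict(set)
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", "").strip())
        if not m:
            continue  # unsupported pattern shape: skip rather than guess
        iocs[f"{m.group(1)}:{m.group(2)}"].add(m.group(3).lower())
    return iocs


def ioc_paths_from_env(env_value):
    """Split an MVT_STIX2-style colon-separated list, dropping empty entries."""
    return [p for p in env_value.split(":") if p]


def load_iocs(paths):
    """Merge indicators from every file path, as multiple --iocs would."""
    merged = defaultdict(set)
    for path in paths:
        with open(path, encoding="utf-8") as f:
            for kind, values in parse_stix2_indicators(f.read()).items():
                merged[kind] |= values
    return merged


def check_domains(iocs, observed):
    """Return observed domains (e.g. from a network log) that match an IOC."""
    bad = iocs.get("domain-name:value", set())
    return sorted(d for d in observed if d.lower() in bad)
```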
Known repositories of STIX2 IOCs
- The Amnesty International investigations repository contains STIX-formatted IOCs for:
- This repository contains IOCs for Android stalkerware including a STIX MVT-compatible file.
You can automatically download the latest public indicator files with the command `mvt-ios download-indicators` or `mvt-android download-indicators`.
Please open an issue to suggest new sources of STIX-formatted IOCs.