Indicators of Compromise (IOCs)
MVT uses Structured Threat Information Expression (STIX) files to identify potential traces of compromise. These indicators of compromise are contained in a JSON file with a particular structure (a STIX2 bundle of indicator objects) and the .stix2 or .json extension.
You can pass the path to a STIX2 indicators file when checking iPhone backups or filesystem dumps. For example:
mvt-ios check-backup --iocs ~/ios/malware.stix2 --output /path/to/iphone/output /path/to/backup
Or, with data from an Android backup:
mvt-android check-backup --iocs ~/iocs/malware.stix2 /path/to/android/backup/
After extracting forensic data from a device, you can also compare the extracted results against any STIX2 file you specify:
mvt-ios check-iocs --iocs ~/iocs/malware.stix2 /path/to/iphone/output/
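To make the shape of such an IOC file and of the comparison step concrete, here is an added example (written for this page, not MVT's own code) that parses a constructed STIX2 bundle and matches its indicators against a few constructed records of the kind a device extraction produces. It assumes the indicator patterns use the simple single-comparison form `[<object>:<property> = '<value>']`; the mapping from record fields to indicator types, the case-folding, and the rule that a domain indicator also matches its subdomains are choices made for this example and are not a description of how MVT itself matches.

```python
import json
import re
from collections import defaultdict

# Constructed sample bundle (not a real IOC feed). It mimics the STIX 2.1 layout:
# a top-level "bundle" whose "objects" list holds "indicator" objects with a
# "pattern" string; non-indicator objects (e.g. "malware") are ignored.
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000002",
         "name": "ExampleAgent"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example.test']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "pattern": "[process:name = 'helperd']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern_type": "stix", "pattern": "[file:name = '/tmp/.cache/agent']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000006",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        # Unsupported pattern language: counted as skipped, never silently matched.
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000007",
         "pattern_type": "snort", "pattern": "alert tcp any any -> any 80"},
        # Pattern form this example does not parse (non-equality operator).
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000008",
         "pattern_type": "stix", "pattern": "[url:value LIKE '%/update.php']"},
    ],
})

# Matches exactly one "[object:property = 'literal']" comparison; the literal may
# contain backslash-escaped quotes as the STIX pattern grammar allows.
_PATTERN_RE = re.compile(
    r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<value>(?:[^'\\]|\\.)*)'\]$"
)

# Example-specific mapping from a field in an extracted record to the STIX
# object:property it should be compared against.
FIELD_TO_IOC = {
    "domain": "domain-name:value",
    "process": "process:name",
    "path": "file:name",
    "ip": "ipv4-addr:value",
}


def parse_stix2_indicators(text):
    """Parse a STIX2 bundle into {"object:property": {values}}.

    Returns (indicators, skipped) where `skipped` counts indicator objects whose
    pattern could not be used (non-STIX pattern_type or an unsupported form).
    """
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX2 bundle")
    indicators = defaultdict(set)
    skipped = 0
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        # STIX 2.0 has no pattern_type field; treat its absence as "stix".
        if obj.get("pattern_type", "stix") != "stix":
            skipped += 1
            continue
        m = _PATTERN_RE.match(obj.get("pattern", "").strip())
        if not m:
            skipped += 1
            continue
        value = re.sub(r"\\(.)", r"\1", m["value"])  # undo \' and \\ escapes
        indicators[f"{m['obj']}:{m['prop']}"].add(value.lower())
    return dict(indicators), skipped


def check_records(indicators, records):
    """Compare extracted records against parsed indicators.

    Each record is a dict with a "source" label and one or more of the fields in
    FIELD_TO_IOC. Comparison is case-insensitive (a normalization chosen for this
    example), and a domain indicator also matches any of its subdomains.
    Returns a list of (source, field, observed_value, matched_ioc) tuples.
    """
    hits = []
    for rec in records:
        for field, key in FIELD_TO_IOC.items():
            if field not in rec or key not in indicators:
                continue
            observed = str(rec[field]).lower()
            for ioc in indicators[key]:
                if observed == ioc or (field == "domain" and observed.endswith("." + ioc)):
                    hits.append((rec.get("source", "?"), field, rec[field], ioc))
    return hits


# Constructed records standing in for results extracted from a device.
SAMPLE_RECORDS = [
    {"source": "safari_history", "domain": "www.example.org"},
    {"source": "safari_history", "domain": "cdn.c2.example.test"},
    {"source": "processes", "process": "helperd"},
    {"source": "processes", "process": "launchd"},
    {"source": "net_connections", "ip": "198.51.100.7"},
    {"source": "filesystem", "path": "/tmp/.cache/agent"},
]

if __name__ == "__main__":
    iocs, skipped = parse_stix2_indicators(SAMPLE_STIX2)
    print(f"loaded {sum(len(v) for v in iocs.values())} indicators, skipped {skipped}")
    for hit in check_records(iocs, SAMPLE_RECORDS):
        print("MATCH", hit)
```

Counting and reporting skipped indicators matters in practice: an IOC file whose patterns use a form the parser does not understand would otherwise give a clean result that means nothing.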
If you're looking for indicators of compromise for a specific piece of malware or adversary, please ask investigators or anti-malware researchers who have the relevant expertise for a STIX file.
Known repositories of STIX2 IOCs
- The Amnesty International investigations repository contains STIX-formatted IOCs for:
Please open an issue to suggest new sources of STIX-formatted IOCs.