- Remove timeline_detected and route to alertstore

Janik Besendorf
2025-11-07 19:05:39 +01:00
parent 6d1d499c4e
commit 801c464492
4 changed files with 27 additions and 26 deletions


@@ -8,8 +8,8 @@ import os
import stat
from typing import Optional, Union
from mvt.common.utils import convert_unix_to_iso
from mvt.common.module_types import ModuleResults
from mvt.common.utils import convert_unix_to_iso
from .base import AndroidExtraction
@@ -64,11 +64,15 @@ class Files(AndroidExtraction):
result["path"],
)
if self.indicators and self.indicators.check_file_path(result["path"]):
self.log.warning(
'Found a known suspicous file at path: "%s"', result["path"]
)
self.detected.append(result)
if self.indicators:
ioc_match = self.indicators.check_file_path(result["path"])
if ioc_match:
self.alertstore.critical(
f'Found a known suspicious file at path: "{result["path"]}"',
"",
result,
matched_indicator=ioc_match,
)
def backup_file(self, file_path: str) -> None:
if not self.results_path:
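Review bot: The match from check_file_path is handed over unchanged as `matched_indicator=ioc_match`, whereas the whatsapp.py hunk in this same commit unpacks its match as `ioc_match.message` and `matched_indicator=ioc_match.ioc`; if both checkers return the same match object this call should likewise pass `matched_indicator=ioc_match.ioc` and could reuse `ioc_match.message` instead of a hand-built string. If check_file_path really returns the bare indicator, a one-line comment saying so, e.g. `# check_file_path returns the matching indicator itself, not a match record`, would spare the next reader the comparison. The enclosing method starts before this hunk and backup_file continues after it.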


@@ -6,9 +6,10 @@
import logging
from typing import Optional
from .base import AndroidExtraction
from mvt.common.module_types import ModuleResults
from .base import AndroidExtraction
class RootBinaries(AndroidExtraction):
"""This module extracts the list of installed packages."""
@@ -33,8 +34,11 @@ class RootBinaries(AndroidExtraction):
def check_indicators(self) -> None:
for root_binary in self.results:
self.detected.append(root_binary)
self.log.warning('Found root binary "%s"', root_binary)
self.alertstore.high(
f'Found root binary "{root_binary}"',
"",
root_binary,
)
def run(self) -> None:
root_binaries = [
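Review bot: The class docstring shown as context, `"""This module extracts the list of installed packages."""`, does not describe RootBinaries, whose check_indicators reports every entry of self.results as a root binary; since this file is touched anyway, replace it with something like `"""This module looks for known root binaries on the device."""`. check_indicators itself has no docstring, and one such as `"""Raise a high-severity alert for each root binary in self.results."""` would make explicit that the alert is unconditional and does not consult self.indicators. run continues outside the hunk.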


@@ -9,14 +9,14 @@ import os
import sqlite3
from typing import Optional
from mvt.common.module_types import (
ModuleAtomicResult,
ModuleResults,
ModuleSerializedResult,
)
from mvt.common.utils import check_for_links, convert_unix_to_iso
from .base import AndroidExtraction
from mvt.common.module_types import (
ModuleAtomicResult,
ModuleSerializedResult,
ModuleResults,
)
WHATSAPP_PATH = "data/data/com.whatsapp/databases/msgstore.db"
@@ -60,8 +60,11 @@ class Whatsapp(AndroidExtraction):
continue
message_links = check_for_links(message["data"])
if self.indicators.check_urls(message_links):
self.detected.append(message)
ioc_match = self.indicators.check_urls(message_links)
if ioc_match:
self.alertstore.critical(
ioc_match.message, "", message, matched_indicator=ioc_match.ioc
)
continue
def _parse_db(self, db_path: str) -> None:
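Review bot: The new `ioc_match = self.indicators.check_urls(message_links)` line has no `if self.indicators:` guard, unlike the files.py hunk in this commit, so running the module without an indicator set raises AttributeError here unless that guard sits earlier in the method, outside this hunk; if it does not, wrap the lookup as `if self.indicators:` before the call, mirroring files.py. The enclosing method starts before the hunk and the `continue` suggests the loop keeps going after it.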


@@ -77,7 +77,6 @@ class MVTModule:
self.results: ModuleResults = results if results else []
self.timeline: ModuleTimeline = []
self.timeline_detected: ModuleTimeline = []
@classmethod
def from_json(cls, json_path: str, log: logging.Logger):
@@ -166,17 +165,8 @@ class MVTModule:
else:
self.timeline.append(record)
# for detected in self.alertstore.alerts:
# record = self.serialize(detected)
# if record:
# if isinstance(record, list):
# self.timeline_detected.extend(record)
# else:
# self.timeline_detected.append(record)
# De-duplicate timeline entries.
self.timeline = self._deduplicate_timeline(self.timeline)
# self.timeline_detected = self._deduplicate_timeline(self.timeline_detected)
def run(self) -> None:
"""Run the main module procedure."""