diff --git a/src/mvt/android/modules/adb/files.py b/src/mvt/android/modules/adb/files.py
index 28b1088..134d9d2 100644
--- a/src/mvt/android/modules/adb/files.py
+++ b/src/mvt/android/modules/adb/files.py
@@ -8,8 +8,8 @@ import os
 import stat
 from typing import Optional, Union
 
-from mvt.common.utils import convert_unix_to_iso
 from mvt.common.module_types import ModuleResults
+from mvt.common.utils import convert_unix_to_iso
 
 from .base import AndroidExtraction
 
@@ -64,11 +64,15 @@ class Files(AndroidExtraction):
                 result["path"],
             )
 
-            if self.indicators and self.indicators.check_file_path(result["path"]):
-                self.log.warning(
-                    'Found a known suspicous file at path: "%s"', result["path"]
-                )
-                self.detected.append(result)
+            if self.indicators:
+                ioc_match = self.indicators.check_file_path(result["path"])
+                if ioc_match:
+                    self.alertstore.critical(
+                        f'Found a known suspicious file at path: "{result["path"]}"',
+                        "",
+                        result,
+                        matched_indicator=ioc_match,
+                    )
 
     def backup_file(self, file_path: str) -> None:
         if not self.results_path:
diff --git a/src/mvt/android/modules/adb/root_binaries.py b/src/mvt/android/modules/adb/root_binaries.py
index 0315e23..d9d7269 100644
--- a/src/mvt/android/modules/adb/root_binaries.py
+++ b/src/mvt/android/modules/adb/root_binaries.py
@@ -6,9 +6,10 @@ import logging
 from typing import Optional
 
-from .base import AndroidExtraction
 from mvt.common.module_types import ModuleResults
 
+from .base import AndroidExtraction
+
 
 class RootBinaries(AndroidExtraction):
     """This module extracts the list of installed packages."""
@@ -33,8 +34,11 @@ class RootBinaries(AndroidExtraction):
 
     def check_indicators(self) -> None:
         for root_binary in self.results:
-            self.detected.append(root_binary)
-            self.log.warning('Found root binary "%s"', root_binary)
+            self.alertstore.high(
+                f'Found root binary "{root_binary}"',
+                "",
+                root_binary,
+            )
 
     def run(self) -> None:
         root_binaries = [
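Review bot: `matched_indicator=ioc_match` on the new `self.alertstore.critical(...)` call in files.py passes the raw return value of `check_file_path`, whereas the whatsapp.py hunk in this same diff treats the return of `check_urls` as a match object and passes `ioc_match.ioc` and `ioc_match.message` separately. If `check_file_path` returns the same kind of match object, this alert stores the wrapper rather than the indicator itself; worth confirming the return type and, if so, changing the line to `matched_indicator=ioc_match.ioc,`. The bare `""` second positional argument is opaque at the call site (here, in root_binaries.py and in whatsapp.py); passing it by its keyword name, or a one-line comment saying what that slot carries, would help the next reader. The enclosing loop and method start outside the hunk.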
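Review bot: The class docstring shown as context in the first root_binaries.py hunk, `"""This module extracts the list of installed packages."""`, describes a different module; since `check_indicators` now raises an alert per root binary found, `"""This module checks the device for known root binaries."""` would match what the code does. In the new `self.alertstore.high(...)` call the payload is the bare `root_binary` string, while files.py passes a result dict — if the alert store serializes its payloads uniformly, a short comment noting that this module's results are plain path strings would save a reader from expecting a dict. The severity here is `high` versus `critical` for the file-path IOC match in files.py; a brief comment on that tiering (presumably: a root binary is suspicious but is not itself an indicator match) would document the choice.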
diff --git a/src/mvt/android/modules/adb/whatsapp.py b/src/mvt/android/modules/adb/whatsapp.py
index 40f8875..76c1305 100644
--- a/src/mvt/android/modules/adb/whatsapp.py
+++ b/src/mvt/android/modules/adb/whatsapp.py
@@ -9,14 +9,14 @@ import os
 import sqlite3
 from typing import Optional
 
+from mvt.common.module_types import (
+    ModuleAtomicResult,
+    ModuleResults,
+    ModuleSerializedResult,
+)
 from mvt.common.utils import check_for_links, convert_unix_to_iso
 
 from .base import AndroidExtraction
-from mvt.common.module_types import (
-    ModuleAtomicResult,
-    ModuleSerializedResult,
-    ModuleResults,
-)
 
 
 WHATSAPP_PATH = "data/data/com.whatsapp/databases/msgstore.db"
@@ -60,8 +60,11 @@ class Whatsapp(AndroidExtraction):
                 continue
 
             message_links = check_for_links(message["data"])
-            if self.indicators.check_urls(message_links):
-                self.detected.append(message)
+            ioc_match = self.indicators.check_urls(message_links)
+            if ioc_match:
+                self.alertstore.critical(
+                    ioc_match.message, "", message, matched_indicator=ioc_match.ioc
+                )
                 continue
 
     def _parse_db(self, db_path: str) -> None:
diff --git a/src/mvt/common/module.py b/src/mvt/common/module.py
index 3ce10bf..d5a7628 100644
--- a/src/mvt/common/module.py
+++ b/src/mvt/common/module.py
@@ -77,7 +77,6 @@ class MVTModule:
 
         self.results: ModuleResults = results if results else []
         self.timeline: ModuleTimeline = []
-        self.timeline_detected: ModuleTimeline = []
 
     @classmethod
     def from_json(cls, json_path: str, log: logging.Logger):
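Review bot: The new line `ioc_match = self.indicators.check_urls(message_links)` dereferences `self.indicators` without the `if self.indicators:` guard that the files.py hunk adds; the start of `check_indicators` is outside this hunk, so if it does not already return early when no indicators are loaded, this raises `AttributeError` on `None`. If that early return is missing, `if not self.indicators: return` at the top of the method (or wrapping this block as files.py does) closes the gap. The context `continue` that follows the new block reads as belonging inside `if ioc_match:`; if it actually sits at loop-body level it is a no-op and can be dropped.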
@@ -166,17 +165,8 @@ class MVTModule:
             else:
                 self.timeline.append(record)
 
-        # for detected in self.alertstore.alerts:
-        #     record = self.serialize(detected)
-        #     if record:
-        #         if isinstance(record, list):
-        #             self.timeline_detected.extend(record)
-        #         else:
-        #             self.timeline_detected.append(record)
-
         # De-duplicate timeline entries.
         self.timeline = self._deduplicate_timeline(self.timeline)
-        # self.timeline_detected = self._deduplicate_timeline(self.timeline_detected)
 
     def run(self) -> None:
         """Run the main module procedure."""