diff --git a/src/mvt/android/utils.py b/src/mvt/android/utils.py
index 689c048..5032ccf 100644
--- a/src/mvt/android/utils.py
+++ b/src/mvt/android/utils.py
@@ -6,14 +6,13 @@
from datetime import datetime, timedelta
from typing import List
-def warn_android_patch_level(patch_level: str, log) -> str:
+def warn_android_patch_level(patch_level: str, log) -> str | bool:
"""Alert if Android patch level out-of-date"""
patch_date = datetime.strptime(patch_level, "%Y-%m-%d")
if (datetime.now() - patch_date) > timedelta(days=6 * 31):
warning_message = (
f"This phone has not received security updates "
- f"for more than six months (last update: {patch_level}).",
- patch_level,
+ f"for more than six months (last update: {patch_level})."
)
return warning_message
diff --git a/src/mvt/common/command.py b/src/mvt/common/command.py
index 7423157..e796391 100644
--- a/src/mvt/common/command.py
+++ b/src/mvt/common/command.py
@@ -8,7 +8,7 @@ import logging
import os
import sys
from datetime import datetime
-from typing import Optional
+from typing import Any, Optional
from rich.console import Console
from rich.panel import Panel
@@ -43,7 +43,7 @@ class Command:
disable_indicator_check: bool = False,
) -> None:
self.name = ""
- self.modules = []
+ self.modules: list[Any] = []
self.target_path = target_path
self.results_path = results_path
@@ -62,10 +62,10 @@ class Command:
# This list will contain all executed modules.
# We can use this to reference e.g. self.executed[0].results.
- self.executed = []
+ self.executed: list[Any] = []
self.hashes = hashes
- self.hash_values = []
- self.timeline = []
+ self.hash_values: list[dict[str, Any]] = []
+ self.timeline: list[dict[str, Any]] = []
# Load IOCs
self._create_storage()
@@ -158,7 +158,7 @@ class Command:
if self.target_path:
target_path = os.path.abspath(self.target_path)
- info = {
+ info: dict[str, Any] = {
"target_path": target_path,
"mvt_version": MVT_VERSION,
"date": convert_datetime_to_iso(datetime.now()),
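Review bot: The new `-> str | bool` annotation on `warn_android_patch_level` promises a falsy sentinel that the docstring never mentions, and the non-warning path lies outside this hunk, so a reader sees only the `str` branch. If that path returns `False`, `str | None` with `return None` is the conventional "no warning" shape; `bool` should stay only if a caller depends on `False` specifically, and either way the docstring should state it: `"""Return a warning message if the patch level is more than ~6 months old, otherwise a falsy value."""`. Two caveats worth recording in that docstring as well: `datetime.strptime` raises `ValueError` when the reported patch level is not `YYYY-MM-DD` (vendor builds do report odd values), so the caller must be prepared for that, and a PEP 604 union in a `def` annotation is evaluated at import time unless the module has `from __future__ import annotations`, which is not visible here while `typing.List` still is.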
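Review bot: `self.modules: list[Any]` (hunk at line 43) and `self.executed: list[Any]` (hunk at line 62) annotate with `Any`, which tells the type checker nothing beyond "a list"; the comment right above `executed` shows the code relies on `.results` on those objects, so if the module base class is importable here without a cycle, naming it — or a small `Protocol` exposing `results` — lets mypy verify that access. If it is a deliberate stopgap, mark it: `self.modules: list[Any] = []  # TODO: narrow once the module base type is importable here`. The `list[dict[str, Any]]` annotations on `hash_values`/`timeline` and `dict[str, Any]` on `info` (line 158) are as precise as the visible code allows.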
diff --git a/src/mvt/ios/modules/mixed/global_preferences.py b/src/mvt/ios/modules/mixed/global_preferences.py
index a2d70aa..9f11db9 100644
--- a/src/mvt/ios/modules/mixed/global_preferences.py
+++ b/src/mvt/ios/modules/mixed/global_preferences.py
@@ -42,14 +42,9 @@ class GlobalPreferences(IOSExtraction):
for entry in self.results:
if entry["entry"] == "LDMGlobalEnabled":
if entry["value"]:
- self.alertstore.info(
- self.get_slug(), "Lockdown mode enabled", "", None
- )
+ self.alertstore.info("Lockdown mode enabled", "", None)
else:
- self.alertstore.low(
- self.get_slug(), "Lockdown mode disabled", "", None
- )
- self.alertstore.log_latest()
+ self.alertstore.low("Lockdown mode disabled", "", None)
continue
def process_file(self, file_path: str) -> None:
diff --git a/src/mvt/ios/modules/mixed/tcc.py b/src/mvt/ios/modules/mixed/tcc.py
index b991e30..b0c54d4 100644
--- a/src/mvt/ios/modules/mixed/tcc.py
+++ b/src/mvt/ios/modules/mixed/tcc.py
@@ -7,12 +7,12 @@ import logging
import sqlite3
from typing import Optional
-from mvt.common.utils import convert_unix_to_iso
from mvt.common.module_types import (
ModuleAtomicResult,
- ModuleSerializedResult,
ModuleResults,
+ ModuleSerializedResult,
)
+from mvt.common.utils import convert_unix_to_iso
from ..base import IOSExtraction
@@ -96,8 +96,9 @@ class TCC(IOSExtraction):
for result in self.results:
ioc_match = self.indicators.check_process(result["client"])
if ioc_match:
- result["matched_indicator"] = ioc_match.ioc
- self.alertstore.critical(self.get_slug(), ioc_match.message, "", result)
+ self.alertstore.critical(
+ ioc_match.message, "", result, matched_indicator=ioc_match.ioc
+ )
def process_db(self, file_path):
conn = self._open_sqlite_db(file_path)
diff --git a/tests/android/test_artifact_dumpsys_appops.py b/tests/android/test_artifact_dumpsys_appops.py
index 8d59365..862b872 100644
--- a/tests/android/test_artifact_dumpsys_appops.py
+++ b/tests/android/test_artifact_dumpsys_appops.py
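Review bot: The `else` branch in the `GlobalPreferences` hunk drops `self.alertstore.log_latest()` together with the `self.get_slug()` argument, so the "Lockdown mode disabled" low alert is now only stored and no longer emitted at the point of detection unless the new `alertstore.low()` logs on its own — worth confirming, because the `info` branch never called `log_latest()` and both branches now behave the same. Lockdown Mode being off is a triage signal an analyst wants to see in the console during a run, so if the store does not log, keep `self.log.info("Lockdown mode is disabled on this device")` next to the `low()` call. The trailing `continue` is the last statement executed in that iteration (indentation aside) and is a no-op; it can go. The enclosing method's header is above this hunk.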
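Review bot: In the `TCC` hunk, moving the IOC into `matched_indicator=ioc_match.ioc` means `result` no longer carries a `"matched_indicator"` key, so anything that reads that key from `self.results` — the serialized results an analyst inspects after a run, the timeline, or other modules' tests — silently stops seeing the match; the test updates elsewhere in this diff only cover the alert objects. If the results output is still meant to surface matches, keep `result["matched_indicator"] = ioc_match.ioc` alongside the keyword argument; if the schema change is intended, it deserves a changelog entry so existing tooling that greps results for `matched_indicator` is not caught out. The enclosing method's header is above this hunk.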
@@ -48,7 +48,7 @@ class TestDumpsysAppopsArtifact:
detected_by_ioc = [
alert
for alert in da.alertstore.alerts
- if "matched_indicator" in alert.event
+ if alert.matched_indicator is not None
]
detected_by_permission_heuristic = [
alert
@@ -62,4 +62,5 @@ class TestDumpsysAppopsArtifact:
]
assert len(da.alertstore.alerts) == 3
assert len(detected_by_ioc) == 1
+ assert detected_by_ioc[0].matched_indicator is not None
assert len(detected_by_permission_heuristic) == 2
diff --git a/tests/android_androidqf/test_packages.py b/tests/android_androidqf/test_packages.py
index 129cb35..ae0ae62 100644
--- a/tests/android_androidqf/test_packages.py
+++ b/tests/android_androidqf/test_packages.py
@@ -89,10 +89,7 @@ class TestAndroidqfPackages:
]
assert len(possible_detected_app) == 1
assert possible_detected_app[0].event["name"] == "com.malware.blah"
- assert (
- possible_detected_app[0].event["matched_indicator"].value
- == "com.malware.blah"
- )
+ assert possible_detected_app[0].matched_indicator.value == "com.malware.blah"
def test_packages_ioc_sha256(self, module, indicators_factory):
module.indicators = indicators_factory(
@@ -111,7 +108,7 @@ class TestAndroidqfPackages:
assert len(possible_detected_app) == 1
assert possible_detected_app[0].event["name"] == "com.malware.muahaha"
assert (
- possible_detected_app[0].event["matched_indicator"].value
+ possible_detected_app[0].matched_indicator.value
== "31037a27af59d4914906c01ad14a318eee2f3e31d48da8954dca62a99174e3fa"
)
@@ -132,6 +129,6 @@ class TestAndroidqfPackages:
assert len(possible_detected_app) == 1
assert possible_detected_app[0].event["name"] == "com.malware.muahaha"
assert (
- possible_detected_app[0].event["matched_indicator"].value
+ possible_detected_app[0].matched_indicator.value
== "c7e56178748be1441370416d4c10e34817ea0c961eb636c8e9d98e0fd79bf730"
)
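Review bot: The added `assert detected_by_ioc[0].matched_indicator is not None` in the `@@ -62,4 +62,5 @@` hunk only restates the filter that built the list (`if alert.matched_indicator is not None` in the hunk above), so it can never fail on its own. Asserting the matched value, as `test_packages.py` does with `.matched_indicator.value == ...`, would actually pin which indicator fired and catch a regression where the wrong IOC is attached to the alert; the expected value is whatever the test's indicator fixture contains. The `detected_by_permission_heuristic` comprehension and the test function's header lie outside the visible hunks.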