mvt/docs/iocs.md
Tek 052c4e207b Improves STIX2 support and testing (#523)
* Improves STIX2 support and testing

* Adds documentation on STIX2 support in MVT

---------

Co-authored-by: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
2024-10-16 16:47:10 +02:00


Indicators of Compromise (IOCs)

MVT uses Structured Threat Information Expression (STIX) files to identify potential traces of compromise.

These indicators of compromise are contained in a JSON file with a particular structure, using the .stix2 or .json extension.

You can indicate a path to a STIX2 indicators file when checking iPhone backups or filesystem dumps. For example:

mvt-ios check-backup --iocs ~/ios/malware.stix2 --output /path/to/iphone/output /path/to/backup

Or, with data from an Android backup:

mvt-android check-backup --iocs ~/iocs/malware.stix2 /path/to/android/backup/

After extracting forensic data from a device, you can also compare it against any STIX2 file you indicate:

mvt-ios check-iocs --iocs ~/iocs/malware.stix2 /path/to/iphone/output/

The --iocs option can be invoked multiple times to let MVT import multiple STIX2 files at once. For example:

mvt-ios check-backup --iocs ~/iocs/malware1.stix --iocs ~/iocs/malware2.stix2 /path/to/backup

It is also possible to load STIX2 files automatically from the environment variable MVT_STIX2, which holds a colon-separated list of paths:

export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2"

STIX2 Support

So far MVT implements only a subset of the STIX2 specification:

  • It only supports patterns with a single comparison (such as [domain-name:value='DOMAIN']), not boolean expressions over multiple comparisons
  • It only supports the following types: domain-name:value, process:name, email-addr:value, file:name, file:path, file:hashes.md5, file:hashes.sha1, file:hashes.sha256, app:id, configuration-profile:id, android-property:name, url:value (each type is only checked by a module if it is relevant to the type of data that module obtains)
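The following is an added example, not MVT's own indicator parser, showing how the subset described above can be loaded from a STIX2 bundle: single-comparison patterns whose type is in the supported list are collected, anything else (such as an AND/OR expression) is reported as skipped rather than silently dropped, and extracted values are matched case-insensitively. The bundle and its values are constructed for illustration.

```python
import json
import re

# A single-comparison STIX2 pattern such as [domain-name:value = 'example.com'];
# patterns joining several comparisons with AND/OR fall outside this subset.
_SINGLE_COMPARISON = re.compile(r"^\[\s*([\w-]+:[\w.-]+)\s*=\s*'([^']*)'\s*\]$")

# The object types the page lists as supported.
SUPPORTED_TYPES = {
    "domain-name:value", "process:name", "email-addr:value", "file:name",
    "file:path", "file:hashes.md5", "file:hashes.sha1", "file:hashes.sha256",
    "app:id", "configuration-profile:id", "android-property:name", "url:value",
}


def parse_indicators(bundle_json):
    """Return ({type: set of values}, [patterns skipped]) for a STIX2 bundle string."""
    iocs = {t: set() for t in SUPPORTED_TYPES}
    skipped = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware, relationship, etc. carry no pattern to match on
        pattern = obj.get("pattern", "")
        m = _SINGLE_COMPARISON.match(pattern)
        if m is None or m.group(1) not in SUPPORTED_TYPES:
            skipped.append(pattern)  # unsupported shape or type: surface it to the analyst
            continue
        iocs[m.group(1)].add(m.group(2).lower())
    return iocs, skipped


def match_values(iocs, ioc_type, observed):
    """Return observed values (e.g. domains from a DNS cache) that hit an IOC of ioc_type."""
    return sorted(v for v in observed if v.lower() in iocs.get(ioc_type, set()))


# Constructed sample bundle; none of these values are real indicators.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2.example']"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[file:hashes.sha256 = 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855']"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2.example'] AND [url:value = 'http://c2.example/x']"},
    {"type": "malware", "name": "sample-family"},
]})

if __name__ == "__main__":
    iocs, skipped = parse_indicators(SAMPLE_BUNDLE)
    print(match_values(iocs, "domain-name:value", ["C2.example", "ok.example"]))  # ['C2.example']
    print("skipped:", skipped)
```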

Known repositories of STIX2 IOCs

You can automatically download the latest public indicator files with the command mvt-ios download-iocs or mvt-android download-iocs. These commands download the list of indicators from the mvt-indicators repository and store them in the appdir folder, from which MVT then loads them automatically.

Please open an issue to suggest new sources of STIX-formatted IOCs.