Custom detections and MVT community of interest

[loudmoat]

Hello,

I am running into a couple of issues, perhaps somebody else has gone through something similar and can share insights?

1. I created custom detections in a stix2 file, but mvt-ios doesn't detect them. In order to be sure, I created detections for indicators like cnn.com, wa.me, bit.ly, source phone numbers that should match, and custom text. I defined the first set separately as domain, url, and hostname, hoping that at least one would match, but none did.
2. The mvt-ios output produced the line "WARNING [mvt.ios.cli] The analysis of the backup produced 1 detections!" however there is no reference to this in the output directory. The command.log file does not contain that line, and there is no reference to any detection in the json files generated in the output directory.

On a related note, is there an MVT community of interest where users can discuss and help each other out? I didn't see one on Discord, Reddit, or Slack.

Thanks!

[Te-k]

Hi,

1. Not all STIX2 indicators types are implemented (phone numbers for instance are not so far) and not all module implements a detection (the iOS Calls module for instance doesn't). You can find the list of STIX2 indicator types implemented in the _process_indicators function (some of them are not standard)
2. Detections are made by module based on IOCs or suspicious patterns. When a module identifies a malicious entry, it should highlight it with a warning in the console, and, if results are dumped in a folder, add the detection to a file ending by _detected.json. Have you seen another warning in the console? Is there any file ending by _detected.json in the result folder?

No, there is no Discord, Reddit or Slack for the MVT commnity

[loudmoat]

Hi Te-k, thanks, that makes sense.

About the detections, there were no files ending with _detected.json and the other warning was only cosmetic:
WARNING [mvt.ios.modules.backup.backup_info] This phone is running an outdated iOS version: 16.1 (latest is 16.0)

But you have given me good pointers to work with, I'll tinker some more.

Cheers!

[Te-k]

Thanks, I just added iOS 16.1 to the list of versions so this warning shouldn't happen again.

[loudmoat]

Thanks, these are some hardware versions I have seen that you might want to add to the versions.py file:

iPhone14,8 : iPhone 14 Plus
iPhone15,2 : iPhone 14 Pro
iPhone15,3 : iPhone 14 Pro Max

[Te-k]

Thanks, I just added these to the list of devices

[loudmoat]

Hi @Te-k,

Two questions, one related to custom detections:

1. What are you using to generate the stix2 IOC files that show in the MVT repo?

I used MISP and exported as stix2, but the syntax is different, for example the stix2 file in the MVT repo uses:
"pattern": "[file:name='filename.plist']",

whereas the stix2 file exported from MISP uses:
"objects": {
"0": {
"type": "file",
"name": "filename.plist"
}
},

Something similar for email, the stix2 files that MVT pulls use the syntax:
"pattern": "[email-addr:value='[email protected]']",

whereas the MISP export uses:
"objects": {
"0": {
"type": "email-addr",
"value": "[email protected]"
}
},

Building a stix2 file manually to match the syntax of the stix2 files in the MVT repo works fine, but it is very time consuming and doesn’t scale for more than a handful of indicators.

2. Detections for all modules that have triggered for me so far are self explanatory, for example manifest, safari_browser_state, safari_history, and timeline. The detection for webkit_resource_load_statistics however is less clear: how can I cross-reference the information that shows up in that detection?

For example this detection from the webkit_resource_load_statistics_detected.json file:

"AppDomain-com.apple.mobilesafari/Library/WebKit/WebsiteData/ResourceLoadStatistics/observations.db": [
{
"domain_id": 2937,
"registrable_domain": "refog.com",
"last_seen": 0.0,
"had_user_interaction": true,
"last_seen_isodate": "1970-01-01 00:00:00.000000",
"matched_indicator": {
"value": "refog.com",
"type": "domains",
"name": "Hoverwatch",
"stix2_file_name": "raw.githubusercontent.com_AssoEchap_stalkerware-indicators_master_generated_stalkerware.stix2"
}
},

Is there additional detail that this detection generates that I can use to find out what called webkit to load the domain?

Thanks,

[Te-k]

Hi,
Apologies for the delay.

1. We use python scripts such as this one.
2. The WebKit ResourceLoadStatistics observations.db provides information on domains names contacted by apps. In that case it seems that an domain that belong to a stalkerware app named Hoverwatch was contacted by an app.

I hope it helps