Indicators of Compromise (IOCs)
MVT uses Structured Threat Information Expression (STIX) files to identify potential traces of compromise.
These indicators of compromise are contained in a file with a particular structure of JSON with the
You can indicate a path to a STIX2 indicators file when checking iPhone backups or filesystem dumps. For example:
mvt-ios check-backup --iocs ~/ios/malware.stix2 --output /path/to/iphone/output /path/to/backup
Or, with data from an Android backup:
mvt-android check-backup --iocs ~/iocs/malware.stix2 /path/to/android/backup/
After extracting forensics data from a device, you are also able to compare it with any STIX2 file you indicate:
mvt-ios check-iocs --iocs ~/iocs/malware.stix2 /path/to/iphone/output/
--iocs option can be invoked multiple times to let MVT import multiple STIX2 files at once. For example:
mvt-ios check-backup --iocs ~/iocs/malware1.stix --iocs ~/iocs/malware2.stix2 /path/to/backup
It is also possible to load STIX2 files automatically from the environment variable
Known repositories of STIX2 IOCs
- The Amnesty International investigations repository contains STIX-formatted IOCs for:
- This repository contains IOCs for Android stalkerware including a STIX MVT-compatible file.
You can automaticallly download the latest public indicator files with the command
mvt-ios download-iocs or
mvt-android download-iocs. These commands download the list of indicators listed here and store them in the appdir folder. They are then loaded automatically by mvt.
Please open an issue to suggest new sources of STIX-formatted IOCs.