Skip to content

Indicators of Compromise (IOCs)

MVT uses Structured Threat Information Expression (STIX) files to identify potential traces of compromise.

These indicators of compromise are contained in a file with a particular structure of JSON with the .stix2 or .json extensions.

You can indicate a path to a STIX2 indicators file when checking iPhone backups or filesystem dumps. For example:

mvt-ios check-backup --iocs ~/ios/malware.stix2 --output /path/to/iphone/output /path/to/backup

Or, with data from an Android backup:

mvt-android check-backup --iocs ~/iocs/malware.stix2 /path/to/android/backup/

After extracting forensics data from a device, you are also able to compare it with any STIX2 file you indicate:

mvt-ios check-iocs --iocs ~/iocs/malware.stix2 /path/to/iphone/output/

The --iocs option can be invoked multiple times to let MVT import multiple STIX2 files at once. For example:

mvt-ios check-backup --iocs ~/iocs/malware1.stix --iocs ~/iocs/malware2.stix2 /path/to/backup

It is also possible to load STIX2 files automatically from the environment variable MVT_STIX2:

export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2"

Known repositories of STIX2 IOCs

You can automaticallly download the latest public indicator files with the command mvt-ios download-iocs or mvt-android download-iocs. These commands download the list of indicators listed here and store them in the appdir folder. They are then loaded automatically by mvt.

Please open an issue to suggest new sources of STIX-formatted IOCs.