
Indicators of Compromise (IOCs)

MVT uses Structured Threat Information Expression (STIX) files to identify potential traces of compromise.

These indicators of compromise are stored in JSON files that follow the STIX 2 structure, normally with a .stix2 or .json extension.

You can pass the path to a STIX2 indicators file when checking iPhone backups or filesystem dumps. For example:

mvt-ios check-backup --iocs ~/ios/malware.stix2 --output /path/to/iphone/output /path/to/backup

Or, with data from an Android backup:

mvt-android check-backup --iocs ~/iocs/malware.stix2 /path/to/android/backup/

After extracting forensic data from a device, you can also compare it against any STIX2 file you specify:

mvt-ios check-iocs --iocs ~/iocs/malware.stix2 /path/to/iphone/output/

The --iocs option can be passed multiple times to have MVT import several STIX2 files at once. For example:

mvt-ios check-backup --iocs ~/iocs/malware1.stix --iocs ~/iocs/malware2.stix2 /path/to/backup
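To make the file structure described above concrete, here is an added Python illustration (it is not MVT's own code, and the record fields are not MVT's output schema). It builds a constructed STIX 2 bundle, extracts the value carried by each indicator's pattern, merges several bundles the way repeated --iocs options do, and flags constructed sample records whose values match. Every domain, process name, hash and identifier in it is made up for the example.

```python
import json
import re

# Constructed STIX 2 bundle in the general shape MVT consumes: a "bundle" whose
# objects include "indicator" entries carrying a STIX pattern expression.
# All identifiers, domains and hashes here are invented for illustration.
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "malware",
            "id": "malware--00000000-0000-4000-8000-000000000002",
            "name": "Example Malware (constructed)",
        },
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'c2.example.invalid']",
        },
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000004",
            "pattern_type": "stix",
            "pattern": "[process:name = 'example-daemon']",
        },
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000005",
            "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
        },
    ],
})

# A second, smaller constructed bundle, standing in for a second --iocs file.
SECOND_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000006",
    "objects": [
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000007",
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'update.example.invalid']",
        },
    ],
})

# One simple STIX comparison expression: [<object-type>:<property> = '<value>']
PATTERN_RE = re.compile(r"\[([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\]")


def load_indicators(stix_json: str) -> dict:
    """Group indicator values by STIX object type, e.g. {'domain-name': {...}}."""
    bundle = json.loads(stix_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX 2 bundle")
    indicators = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.fullmatch(obj.get("pattern", ""))
        if not match:
            continue  # skip compound patterns this minimal parser does not handle
        obj_type, _prop, value = match.groups()
        indicators.setdefault(obj_type, set()).add(value.lower())
    return indicators


def merge_indicators(*indicator_sets: dict) -> dict:
    """Combine indicators loaded from several files, as repeated --iocs would."""
    merged = {}
    for ind in indicator_sets:
        for obj_type, values in ind.items():
            merged.setdefault(obj_type, set()).update(values)
    return merged


def check_records(records: list, indicators: dict) -> list:
    """Return the records whose value matches an indicator of the same type."""
    hits = []
    for rec in records:
        if rec["value"].lower() in indicators.get(rec["ioc_type"], set()):
            hits.append(rec)
    return hits


# Constructed stand-ins for artifacts extracted from a backup (field names are
# this example's own, not MVT's). Matching is case-insensitive on purpose.
SAMPLE_RECORDS = [
    {"ioc_type": "domain-name", "value": "C2.example.invalid", "source": "browser_history"},
    {"ioc_type": "domain-name", "value": "cdn.example.invalid", "source": "browser_history"},
    {"ioc_type": "domain-name", "value": "update.example.invalid", "source": "dns_cache"},
    {"ioc_type": "process", "value": "example-daemon", "source": "process_list"},
    {"ioc_type": "process", "value": "launchd", "source": "process_list"},
]


def run_example() -> list:
    """Load both constructed bundles, merge them and report matching records."""
    merged = merge_indicators(load_indicators(SAMPLE_STIX2), load_indicators(SECOND_STIX2))
    hits = check_records(SAMPLE_RECORDS, merged)
    for hit in hits:
        print(f"MATCH {hit['ioc_type']}: {hit['value']} (from {hit['source']})")
    return hits


if __name__ == "__main__":
    run_example()
```

The parser deliberately handles only single comparison expressions; real STIX patterns may combine several with AND/OR, which is why unparsed patterns are skipped rather than silently misread.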

Known repositories of STIX2 IOCs

Please open an issue to suggest new sources of STIX-formatted IOCs.