
investigations's Introduction

Investigations

This repository contains indicators of compromise extracted from some of Amnesty International's technical investigations in targeted threats against human rights defenders.

These indicators are shared under the CC-BY license.


investigations's Issues

Generating a complete list of all NSO Owned Domains for your trusted ad-blocker

I use the following to generate a complete ad-block list from this amazing repository.

  1. Clone the repo
  2. cd investigations
  3. cat */*domains.txt | sort | uniq | tee amensty_nso_domain_list.txt

Now you can add amensty_nso_domain_list.txt to your trusted ad-blocker.

On a side note, we should possibly run this on every commit, so the request to the Amnesty team would be to see if this can be configured as a job to keep either this or another repo updated with the latest list, always?

False Indication of Pegasus

For Pegasus detection (pegasus.stix2) the scan considers the mere presence of Library/Preferences/com.apple.CrashReporter.plist to be an indication of infection. This raises a false flag on any iPhone used for normal iOS development. You're looking for

	<key>ShouldSubmit</key>
	<false/>

in the contents of that file as a more accurate indicator of Pegasus infection. If the above is

	<key>ShouldSubmit</key>
	<true/>  

that is normal for any iOS developer's iPhone.

Resources for Aid

Hi,

I found this repository from the Wikipedia article on Pegasus.

Could you direct where to look for aid if experiencing brazen and advanced device compromise of unknown nature?

Thank you. I am in the USA myself.

SHA Sum to verify the cloned repo with the list of domain names.

Hey devs,

Amazing work with the repo. Provides a first step release to many of us.

I was wondering if you could also commit the SHA-SUM of the domain and email list for us to verify the state of the repo downloaded. Just adds another layer of verification for some of us.

MVT with STIX

Would you mind adding an indication of how to pass the STIX file to the MVT command?
It's not clear from the MVT documentation how to do so.

Feature Request - Publish an aggregated list of all malicious/suspicious domains

I use Pi-hole to filter DNS requests on my network, and I was wondering if it was possible to publish a publicly available, maintained list of all the domains discovered across all published investigations.
Currently I pull the domain lists using the raw.githubusercontent link to each domain.txt file in every repository, which works, but it would be convenient to only have to use one list containing all discovered domains that was periodically updated as new investigations were published.

Thank you for the consideration!

Report paths of the process names

Hi, is there a chance to list not only the process names but also their full paths? That'd allow the detection of Pegasus on running devices.

Thanks!

UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd1 in position 8: invalid continuation byte

Hello Team:

I'm using the command (Mac Terminal)
mvt-ios check-backup -o /Output -i /pegasus.stix2 /Backup

and I'm receiving this error. Is it possible to help? After the command my output folder is empty.

Just as a suggestion: could you better detail the process and the expected information of "Records extracted"?
My Error:
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd1 in position 8: invalid continuation byte

Traceback (most recent call last):
  File "/usr/local/bin/mvt-ios", line 8, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1137, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1062, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1668, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 763, in invoke
    return __callback(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/mvt/ios/cli.py", line 86, in check_backup
    indicators = Indicators(iocs)
  File "/usr/local/lib/python3.9/site-packages/mvt/common/indicators.py", line 19, in __init__
    self.data = json.load(handle)
  File "/usr/local/Cellar/python@3.9/3.9.6/Frameworks/Python.framework/Versions/3.9/lib/python3.9/json/__init__.py", line 293, in load
    return loads(fp.read(),
  File "/usr/local/Cellar/python@3.9/3.9.6/Frameworks/Python.framework/Versions/3.9/lib/python3.9/codecs.py", line 322, in decode
    (result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd1 in position 8: invalid continuation byte

Isolated instances of com.apple.CrashReporter.plist

I'm assuming instances of com.apple.CrashReporter.plist in isolation aren't something to be too concerned about (using mvt-project and pegasus.stix2 indicators). Is it worth highlighting this in the output?

2013-11-24 07:45:56.000000,Manifest,M--B,Library/Preferences/com.apple.CrashReporter.plist - HomeDomain
2019-08-12 18:21:19.000000,Manifest,--C-,Library/Preferences/com.apple.CrashReporter.plist - HomeDomain
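The two CrashReporter.plist issues above (the false-positive report and the isolated-instance question) turn on the same point: the file's presence alone is weak, since it exists on any developer's iPhone, and the value of its ShouldSubmit key is what the first poster suggests checking. The helper below is an added example, not code from the repository or from MVT; the triage labels and the sample plists are constructed here.

```python
"""Triage helper for Library/Preferences/com.apple.CrashReporter.plist.
Hypothetical, not MVT code: it only implements the ShouldSubmit check the
issue describes, and returns a label rather than an infection verdict."""
import plistlib
from typing import Optional
from xml.parsers.expat import ExpatError

# Constructed XML plist in the shape quoted in the issue (ShouldSubmit = false).
SAMPLE_SHOULD_SUBMIT_FALSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
\t<key>ShouldSubmit</key>
\t<false/>
</dict>
</plist>
"""


def should_submit_value(plist_bytes: bytes) -> Optional[bool]:
    """Return the boolean ShouldSubmit value, or None if absent or unparseable.
    plistlib.loads accepts XML and binary plists; on-device preference files
    are frequently binary, so a text search for <false/> would miss them."""
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return None
    if not isinstance(data, dict):
        return None
    value = data.get("ShouldSubmit")
    return value if isinstance(value, bool) else None


def classify_crashreporter(plist_bytes: Optional[bytes]) -> str:
    """Map the file (or its absence) to a triage label:
    None -> "absent"; ShouldSubmit false -> "review" (the issue's indicator);
    ShouldSubmit true -> "benign" (normal dev device); anything else ->
    "inconclusive", because presence alone is not a verdict."""
    if plist_bytes is None:
        return "absent"
    value = should_submit_value(plist_bytes)
    if value is None:
        return "inconclusive"
    return "review" if value is False else "benign"


def make_plist(should_submit: bool, binary: bool = False) -> bytes:
    """Constructed sample plist (XML or binary) for offline testing."""
    fmt = plistlib.FMT_BINARY if binary else plistlib.FMT_XML
    return plistlib.dumps({"ShouldSubmit": should_submit}, fmt=fmt)
```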

Error in SHA256 hash

Hi,

The hash a890c88b6c64371242b4047830b9189b4546536c6b11576d0738f0ba1840ade is 63 character long, it's missing one character for a SHA256 hash.

Could you please fix it?

Thank you,
Ariel
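The domain-aggregation recipe in the first issue and the 63-character hash reported here call for the same pre-flight check before an indicator list is fed to a blocker or a scanner: normalise and deduplicate the domains, and reject hashes that are not 64 hex characters. The script below is an added example, not part of the repository or of MVT; the file names in DOMAIN_LISTS, the `.example` domains and the 64-character hash are constructed, while the 63-character hash is the one quoted in the issue.

```python
"""Pre-flight checks for IoC lists: merge per-investigation domain files into one
deduplicated blocklist and flag malformed SHA-256 entries. Added example; inputs
are constructed except the 63-character hash quoted in the issue."""
import re
from typing import Dict, Iterator, List, Tuple

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Hostname: dot-separated labels of [a-z0-9-], no label starting or ending in '-'.
DOMAIN_RE = re.compile(r"^(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+(?!-)[a-z0-9-]{2,63}(?<!-)$")

DOMAIN_LISTS: Dict[str, str] = {  # constructed stand-ins for */*domains.txt
    "investigation_a/domains.txt": "ioc-one.example\nshared.example\n",
    "investigation_b/domains.txt": "SHARED.example  # same indicator, other case\nnot a domain\n",
}
SAMPLE_HASHES = (
    "a890c88b6c64371242b4047830b9189b4546536c6b11576d0738f0ba1840ade\n"  # 63 chars, from the issue
    + "0123456789abcdef" * 4 + "\n"  # constructed, well-formed 64-char value
)


def _entries(text: str) -> Iterator[str]:
    """Yield normalised entries: comments stripped, whitespace trimmed, lowercased."""
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if entry:
            yield entry


def merge_domains(lists: Dict[str, str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (sorted unique well-formed domains, [(source file, rejected entry), ...]).
    Same idea as `cat */*domains.txt | sort | uniq`, but case-insensitive and
    rejecting junk lines that would otherwise land in an ad-blocker list."""
    good, bad = set(), []
    for source, text in lists.items():
        for entry in _entries(text):
            if DOMAIN_RE.match(entry):
                good.add(entry)
            else:
                bad.append((source, entry))
    return sorted(good), bad


def check_hashes(text: str) -> List[Tuple[str, str]]:
    """Return [(entry, reason)] for every line that is not a 64-hex-char SHA-256."""
    problems = []
    for entry in _entries(text):
        if SHA256_RE.match(entry):
            continue
        if re.fullmatch(r"[0-9a-f]+", entry):
            problems.append((entry, f"hex but {len(entry)} chars, expected 64"))
        else:
            problems.append((entry, "not hexadecimal"))
    return problems
```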

How to delist a domain?

Hi! I am a web developer and I need your help with a domain exclusion from your investigation domains list.

I found this project because of an issue with a client's website that was blocked by ESET antivirus. Why? Because, they say, as long as my client's domain (posta.news) is on the list, they will not be able to whitelist that domain.

I have made a lot of changes, cleaning and scans; my client's website is clean, it is a simple WordPress news website; maybe some day in the past it was dirty, but it was not our intention. By the way, if you can see and provide me with more info about where or what is in our website code, please let me know.

We really need your help, thanks in advance!

Regards!
