This repository contains indicators of compromise extracted from some of Amnesty International's technical investigations in targeted threats against human rights defenders.
These indicators are shared under the license CC-BY.
Indicators from Amnesty International's investigations
Home Page: https://amnesty.tech
I use the following to generate a complete ad-block list from this amazing repository.
cd investigations
cat */*domains.txt | sort | uniq | tee amensty_nso_domain_list.txt
Now you can add amensty_nso_domain_list.txt to your trusted ad-blocker.
On a side note, we should possibly run this on every commit, so the request to the Amnesty team would be to see if this can be configured as a job to keep either this or another repo updated with the latest list at all times?
For Pegasus detection (pegasus.stix2) the scan considers the mere presence of Library/Preferences/com.apple.CrashReporter.plist to be an indication of infection. This raises a false flag on any iPhone used for normal iOS development. You're looking for
<key>ShouldSubmit</key>
<false/>
in the contents of that file as a more accurate indicator of Pegasus infection. If the above is
<key>ShouldSubmit</key>
<true/>
that is normal for any iOS developer's iPhone.
Hi,
I found this repository from the Wikipedia article on Pegasus.
Could you direct me to where to look for aid if experiencing a brazen and advanced device compromise of unknown nature?
Thank you. I am in the USA myself.
Hey devs,
Amazing work with the repo. Provides a first step release to many of us.
I was wondering if you could also commit the SHA-SUM of the domain and email list for us to verify the state of the repo downloaded. Just adds another layer of verification for some of us.
Would you mind adding an indication of how to pass the STIX file to the MVT command?
It's not clear from the MVT documentation how to do so.
I use Pi-hole to filter DNS requests on my network, and I was wondering if it was possible to publish a publicly available, maintained list of all the domains discovered across all published investigations.
Currently I pull the domain lists using the raw.githubusercontent link to each domain.txt file in every repository which works, but it would be convenient to only have to use one list containing all discovered domains that was periodically updated as new investigations were published.
Thank you for the consideration!
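The two requests above (the ad-block pipeline in the earlier issue and the Pi-hole list here), plus the earlier ask for a checksum of the published list, can be served by one small script. This is an added example, not code from the Amnesty repository; it assumes only the investigations/<name>/*domains.txt layout that the shell pipeline relies on, and the sample tree built in demo() is constructed.

```python
"""Added example, not code from the Amnesty repository: build a single
deduplicated blocklist from every investigations/<name>/*domains.txt file
and record the SHA-256 of the result.

Assumes only the layout used by the shell pipeline in the issue
(investigations/*/*domains.txt); the sample tree built in demo() is constructed."""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Conservative hostname syntax: dot-separated labels of letters, digits and hyphens.
_HOSTNAME = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def normalize(line: str) -> str | None:
    """Canonical lowercase domain, or None for blanks, comments and non-hostnames."""
    s = line.strip().lower()
    if not s or s.startswith("#"):
        return None
    # Tolerate CSV residue ("domain,note"), defanged "[.]" notation and a trailing dot.
    s = s.split(",")[0].strip().replace("[.]", ".").rstrip(".")
    return s if _HOSTNAME.match(s) else None


def collect_domains(root: Path) -> list[str]:
    """Sorted union of all domains found under root/*/*domains.txt."""
    found: set[str] = set()
    for path in sorted(root.glob("*/*domains.txt")):
        for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
            domain = normalize(line)
            if domain:
                found.add(domain)
    return sorted(found)


def write_blocklist(domains: list[str], out: Path) -> str:
    """Write one domain per line (the plain format Pi-hole and most ad-blockers
    accept) and return the SHA-256 hex digest of the exact bytes written, so the
    list can be published alongside its checksum."""
    data = ("\n".join(domains) + "\n").encode("utf-8")
    out.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def demo() -> tuple[list[str], str]:
    """Build a constructed two-investigation tree, aggregate it, return (domains, sha256)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "investigations"
        (root / "2021-07-18_example_a").mkdir(parents=True)
        (root / "2019-10_example_b").mkdir(parents=True)
        # Constructed sample files: overlaps, a comment, mixed case, defanging, junk.
        (root / "2021-07-18_example_a" / "domains.txt").write_text(
            "# constructed sample\nexample-one.test\nEXAMPLE-TWO.test\nexample-one.test\n")
        (root / "2019-10_example_b" / "nso_domains.txt").write_text(
            "example-three[.]test\nexample-two.test.\nnot a domain\n")
        domains = collect_domains(root)
        digest = write_blocklist(domains, Path(tmp) / "blocklist.txt")
        return domains, digest


if __name__ == "__main__":
    names, sha = demo()
    print("\n".join(names))
    print("sha256:", sha)
```

Run it from the repository root (collect_domains(Path("investigations"))) and publish the returned digest next to the list; a consumer recomputes sha256 over the downloaded file and compares, which is the verification the checksum request is asking for. The hostname filter deliberately drops anything that is not a plain domain so that stray CSV fields or notes in a domains file cannot end up as blocklist entries.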
Hi, is there a chance to list not only the process names but their full paths? That would allow the detection of Pegasus on running devices.
Thanks!
Hello Team:
I'm using the command (Mac Terminal)
mvt-ios check-backup -o /Output -i /pegasus.stix2 /Backup
and I'm receiving this error. Is it possible to help? After the command, my output folder is empty.
Just as a suggestion: it would help if you could better detail the process and the expected information of "Records extracted".
My Error:
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd1 in position 8: invalid continuation byte
Traceback (most recent call last):
File "/usr/local/bin/mvt-ios", line 8, in <module>
sys.exit(cli())
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1137, in __call__
return self.main(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1062, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1668, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1404, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python3.9/site-packages/click/core.py", line 763, in invoke
return __callback(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/mvt/ios/cli.py", line 86, in check_backup
indicators = Indicators(iocs)
File "/usr/local/lib/python3.9/site-packages/mvt/common/indicators.py", line 19, in __init__
self.data = json.load(handle)
File "/usr/local/Cellar/python@3.9/3.9.6/Frameworks/Python.framework/Versions/3.9/lib/python3.9/json/__init__.py", line 293, in load
return loads(fp.read(),
File "/usr/local/Cellar/python@3.9/3.9.6/Frameworks/Python.framework/Versions/3.9/lib/python3.9/codecs.py", line 322, in decode
(result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd1 in position 8: invalid continuation byte
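The traceback above shows mvt-ios failing inside json.load because the file given with -i is not valid UTF-8 at byte 8, which is a property of the file on disk rather than of the backup. The following added example (not MVT's own code) runs the checks a practitioner would do before handing a .stix2 file to mvt-ios, in the order the tool would hit them; all sample inputs are constructed, and BAD_ENCODING reproduces the "position 8" case.

```python
"""Added example, not MVT's own code: pre-flight checks for a .stix2 indicator
file before passing it to mvt-ios, explaining the UnicodeDecodeError above
instead of failing inside json.load. All sample inputs are constructed."""
from __future__ import annotations

import json


def diagnose_stix_file(data: bytes) -> dict:
    """Return {'ok': bool, 'stage': str, 'reason': str, ...} for a candidate STIX2 file.

    Stages are checked in the order mvt-ios would hit them: text encoding,
    then an accidental HTML download, then JSON syntax, then STIX bundle shape."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as e:
        # e.start is the 'position N' that the traceback reports.
        ctx = data[max(0, e.start - 8):e.end + 8].hex(" ")
        return {"ok": False, "stage": "encoding", "offset": e.start,
                "reason": f"byte 0x{data[e.start]:02x} at position {e.start} "
                          f"is not valid UTF-8 ({e.reason})",
                "context": ctx}
    text = text.lstrip("\ufeff")  # a UTF-8 BOM added by some editors also breaks json.load
    head = text.lstrip()[:16].lower()
    if head.startswith("<!doctype") or head.startswith("<html"):
        return {"ok": False, "stage": "content",
                "reason": "this is an HTML page, not the raw .stix2 file (use the raw download link)"}
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as e:
        return {"ok": False, "stage": "json", "offset": e.pos,
                "reason": f"not valid JSON: {e.msg} at character {e.pos}"}
    if (not isinstance(obj, dict) or obj.get("type") != "bundle"
            or not isinstance(obj.get("objects"), list)):
        return {"ok": False, "stage": "stix",
                "reason": "JSON loaded but is not a STIX2 bundle (needs type 'bundle' and an 'objects' list)"}
    n = sum(1 for o in obj["objects"] if isinstance(o, dict) and o.get("type") == "indicator")
    return {"ok": True, "stage": "stix", "indicators": n,
            "reason": f"STIX2 bundle with {n} indicator object(s)"}


def diagnose_path(path: str) -> dict:
    """Convenience wrapper: read the file as bytes and diagnose it."""
    with open(path, "rb") as fh:
        return diagnose_stix_file(fh.read())


# Constructed inputs. BAD_ENCODING places 0xd1 at byte offset 8, matching the traceback.
GOOD = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[domain-name:value = 'example.test']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000002"},
    ],
}).encode("utf-8")
BAD_ENCODING = b'{"type":\xd1"bundle"}'
HTML_PAGE = b"<!DOCTYPE html><html><body>not the raw file</body></html>"
TRUNCATED = b'{"type": "bundle", "objects": ['
NOT_BUNDLE = b"[1, 2, 3]"

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("bad-encoding", BAD_ENCODING),
                       ("html", HTML_PAGE), ("truncated", TRUNCATED), ("not-bundle", NOT_BUNDLE)]:
        print(f"{name:13} {diagnose_stix_file(blob)}")
```

Running diagnose_path("pegasus.stix2") before mvt-ios check-backup turns the bare "position 8" into the offending byte and its surrounding bytes, which is usually enough to tell a re-encoded or wrongly saved file from a non-raw download.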
This repository has no LICENSE file.
What are the IOCs licensed under?
I would like to add them to my FOSS real-time malware scanner app, Hypatia:
https://github.com/divested-mobile/hypatia
I'm assuming instances of com.apple.CrashReporter.plist in isolation aren't something to be too concerned about (using mvt-project and pegasus.stix2 indicators). Is it worth highlighting this in the output?
2013-11-24 07:45:56.000000,Manifest,M--B,Library/Preferences/com.apple.CrashReporter.plist - HomeDomain
2019-08-12 18:21:19.000000,Manifest,--C-,Library/Preferences/com.apple.CrashReporter.plist - HomeDomain
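Both this issue and the earlier one about iOS developers' phones make the same point: the file's presence in a backup is weak evidence, and the ShouldSubmit value inside it is what distinguishes the two cases. The following is an added example, not part of the indicators repository or of MVT, that applies that refinement to a plist pulled from a backup. The sample plists are constructed, and backup_file_id() relies only on the documented iTunes-backup naming scheme (SHA-1 of "<domain>-<relative path>").

```python
"""Added example, not part of the indicators repository or of MVT: apply the
refinement proposed in the issues above to com.apple.CrashReporter.plist taken
from an iOS backup, instead of treating the file's mere presence as a hit.
The plists below are constructed; backup_file_id() relies only on the documented
iTunes-backup naming scheme (SHA-1 of "<domain>-<relative path>")."""
from __future__ import annotations

import hashlib
import plistlib

DOMAIN = "HomeDomain"
RELATIVE_PATH = "Library/Preferences/com.apple.CrashReporter.plist"


def backup_file_id(domain: str = DOMAIN, relative_path: str = RELATIVE_PATH) -> str:
    """Relative location of the file inside an iTunes-style backup
    (iOS 10+ layout: <first two hex chars>/<sha1 of 'domain-path'>).
    An encrypted backup uses the same name but encrypted contents; run
    mvt-ios decrypt-backup first in that case."""
    file_id = hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()
    return f"{file_id[:2]}/{file_id}"


def classify_crashreporter(plist_bytes: bytes | None) -> tuple[str, str]:
    """Return (verdict, explanation); None means the file is not in the backup."""
    if plist_bytes is None:
        return "absent", "com.apple.CrashReporter.plist not present in the backup"
    try:
        prefs = plistlib.loads(plist_bytes)
    except Exception:  # plistlib.InvalidFileException or an XML parse error
        return "unparseable", "file present but not a valid plist; inspect manually"
    if not isinstance(prefs, dict) or "ShouldSubmit" not in prefs:
        return "indeterminate", "file present but has no ShouldSubmit key; presence alone is weak evidence"
    value = prefs["ShouldSubmit"]
    if value is False:
        return "suspicious", ("ShouldSubmit=false disables crash-report submission, "
                              "the state the issue associates with Pegasus")
    if value is True:
        return "benign", "ShouldSubmit=true is the normal state on an iOS developer's device"
    return "indeterminate", f"unexpected ShouldSubmit value {value!r}"


# Constructed sample plists mirroring the two forms quoted in the earlier issue.
PLIST_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>ShouldSubmit</key><false/></dict></plist>"""
PLIST_DEVELOPER = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>ShouldSubmit</key><true/></dict></plist>"""
PLIST_OTHER = plistlib.dumps({"AutoSubmit": True})  # constructed: ShouldSubmit absent

if __name__ == "__main__":
    print("backup location:", backup_file_id())
    for name, blob in [("suspicious", PLIST_SUSPICIOUS), ("developer", PLIST_DEVELOPER),
                       ("other", PLIST_OTHER), ("absent", None)]:
        print(f"{name:11} -> {classify_crashreporter(blob)}")
```

Used alongside the Manifest lines MVT prints, this turns a bare path match into one of four verdicts, and the "indeterminate" and "absent" outcomes are reported explicitly rather than silently dropped so that an analyst can see why a device was not flagged.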
Hi,
The hash a890c88b6c64371242b4047830b9189b4546536c6b11576d0738f0ba1840ade is 63 characters long; it's missing one character for a SHA-256 hash.
Could you please fix it?
Thank you,
Ariel
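A malformed hash in a published indicator never matches anything, so the defect above silently weakens the feed. The following added example (not tooling from the repository) walks a STIX2 bundle's indicator patterns and checks each file:hashes value for the expected hex length, catching the 63-character value quoted in the issue; the bundle is constructed except for that one hash, and the ids are placeholders.

```python
"""Added example, not tooling from the repository: sanity-check the hash values
inside a STIX2 bundle's indicator patterns, the kind of defect reported in the
issue above (a 63-character SHA-256). The bundle here is constructed except
for that one quoted hash; the ids are placeholders."""
from __future__ import annotations

import json
import re

EXPECTED_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# Matches file:hashes.MD5, file:hashes.'SHA-1' and file:hashes.'SHA-256' = '<value>'.
_HASH_PAT = re.compile(r"file:hashes\.'?([A-Za-z0-9-]+)'?\s*=\s*'([^']*)'")

# The 63-character value quoted in the issue above.
ISSUE_HASH = "a890c88b6c64371242b4047830b9189b4546536c6b11576d0738f0ba1840ade"


def check_hash(algo: str, value: str) -> str | None:
    """Return a problem description, or None if the value is well-formed for algo."""
    key = algo.lower().replace("-", "")
    want = EXPECTED_HEX_LEN.get(key)
    if want is None:
        return f"unknown hash algorithm {algo!r}"
    if not re.fullmatch(r"[0-9a-fA-F]*", value):
        return f"{key} contains non-hex characters"
    if len(value) != want:
        return f"{key} must be {want} hex characters, got {len(value)}"
    return None


def find_bad_hashes(bundle: dict) -> list[tuple[str, str, str]]:
    """(indicator id, offending value, reason) for every malformed hash in the bundle."""
    problems: list[tuple[str, str, str]] = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for algo, value in _HASH_PAT.findall(obj.get("pattern", "")):
            reason = check_hash(algo, value)
            if reason:
                problems.append((obj.get("id", "?"), value, reason))
    return problems


def load_bundle(path: str) -> dict:
    """Read a .stix2 file from disk (the same json.load MVT performs)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed bundle: one good SHA-256, one good SHA-1, the truncated hash, a domain.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[file:hashes.'SHA-1' = '" + "0123456789" * 4 + "']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": f"[file:hashes.'SHA-256' = '{ISSUE_HASH}']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern": "[domain-name:value = 'example.test']"},
    ],
}

if __name__ == "__main__":
    for ind_id, value, reason in find_bad_hashes(SAMPLE_BUNDLE):
        print(f"{ind_id}: {reason} ({value})")
```

Running find_bad_hashes(load_bundle("pegasus.stix2")) in a CI job on every commit would have caught this before publication; the check is purely syntactic, so it cannot confirm a hash is right, only that it is the right shape.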
Reposted by https://twitter.com/haxrob
The Chinese APT contractor leak contained a few interesting files; namely:
Threat actors compromise telcos with the aim to obtain subscriber metadata to support IC objectives.
Hi! I am a web developer and I need your help with a domain exclusion from your investigation domains list.
I found this project because of an issue with a client's website that was blocked by ESET antivirus. Why? Because, they say, while my client's domain (posta.news) is on the list, they will not be able to whitelist that domain.
I have made a lot of changes, cleaning and scans; my client's website is clean, it is a simple WordPress news website; maybe some day in the past it was dirty, but it was not our intention. By the way, if you see and can provide me more info about where or what is in our website code, please let me know.
We really need your help, thanks in advance!
Regards!