From ba749a926cec4bf43920c9300922296689fdc57b Mon Sep 17 00:00:00 2001 From: tek Date: Thu, 22 Jul 2021 08:47:53 +0200 Subject: [PATCH] Warning + remove false positive --- 2021-07-18_nso/README.md | 1 + 2021-07-18_nso/processes.txt | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/2021-07-18_nso/README.md b/2021-07-18_nso/README.md index 2f83cb9..263f7ca 100644 --- a/2021-07-18_nso/README.md +++ b/2021-07-18_nso/README.md @@ -12,5 +12,6 @@ These indicators include: * `v4_validation_domains.txt`: list of Pegasus Version 4 validation/URL shortener domains * `emails.txt`: list of iCloud accounts used for exploiting zero-click vulnerabilities in iMessage and other Apple apps * `files.txt`: list of suspicious files + * **Warning**: the `com.apple.CrashReporter.plist` file listed here can be created by Pegasus but can also be legitimately created by the system during updates. Without additional indicators, it does not confirm the infection of a iPhone. * `pegasus.stix2`: [STIX v2](https://oasis-open.github.io/cti-documentation/stix/intro.html) file containing IOCs that can be used with MVT * `processes.txt`: list of Pegasus-related process names identified on compromised phones diff --git a/2021-07-18_nso/processes.txt b/2021-07-18_nso/processes.txt index 81bc64e..bb9c07e 100644 --- a/2021-07-18_nso/processes.txt +++ b/2021-07-18_nso/processes.txt @@ -23,7 +23,6 @@ corecomnetd ctrlfs dhcp4d Diagnostic-2543 -Diagnosticd Diagnostics-2543 eventfssd eventsfssd
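Review bot: the new `**Warning**` bullet in the README hunk has a grammar slip ("a iPhone" should read "an iPhone"), and, more importantly, the caveat lives only in the README while the same indicator set is also shipped as `pegasus.stix2` for consumption by MVT; a tool reading the STIX file will never see this note. Consider recording the lower confidence of `com.apple.CrashReporter.plist` in the STIX file itself (or in whatever field MVT uses to weight an indicator) so automated matches on that path are reported as weak rather than as a confirmed detection.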
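Review bot: the `processes.txt` hunk drops `Diagnosticd` with no rationale anywhere in the diff; the subject line only says "remove false positive". Please state in the commit body (or a changelog entry) why `Diagnosticd` was judged benign, e.g. "observed on non-infected devices" or "matches a legitimate system daemon name", so that consumers who already scanned with the previous list know to discount earlier hits and so the entry is not re-added later by someone working from the original report.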