For what innocent reason would a C2C communication exist on a device? #3

Open
Pawel-IT opened this issue Feb 27, 2023 · 0 comments
Comments

@Pawel-IT
I will mostly just quote @abashinfetion here:

If there are traces of C2 communication on my device, I want to be alerted.
Whether I've manually inserted those traces or not.

MVT-Tool is flagging those events as suspicious, and they have a disclaimer in their README stating "This is not intended for end-user self-assessment", so no one is blindly using a single suspicious event from MVT-Tool and proclaiming infection.

Now, let's get to the part where MVT-Tool reports differ based on connectivity.
iOS is a very closed OS and researchers are limited in what data they can extract, and even more limited in terms of configuration. It appears that Safari history does not track all redirects for a URL, but it simply logs the end URL. Most likely this behavior can't be configured and no additional data is available.
Because of this, you are suggesting there could be FPs? Why would that be?
It looks to me as if we are dealing with potential FNs rather than FPs.
If a payload uses the redirected URL on a device with connectivity, no malicious event would be logged in Safari history. This is a potential FN, luckily there are many other IOCs provided by MVT-Tool that can be used to determine an infection verdict.

> MVT-Tool is not using logic to make conclusions of a pegasus infection

Yes, this has been already told to you multiple times.
Forensic tools are used as supporting tools during analyses. No one is claiming this tool alone will tell you whether you have been infected or not.
It's in the first line of their README:

> Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.

You're not understanding...or pretending not to understand...how this is a potential false negative, not a false positive. How you're coming to the conclusion that an iOS device attempting to communicate with a C2 is actually a false positive is beyond me. The tool makes no such verdict; but if your device is trying to reach out to C2 servers you got some serious potential issues. It is not a sign that everything is fine.
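As an added illustration of the false-negative gap described in the comment above (this is example code written for this page, not MVT's own code and not code posted by any participant), the script below runs a domain IOC match over constructed Safari-style history records that keep only the final URL of a redirect chain, and compares it with what a full redirect trace would have matched. The record shape, the `chain` field and the `.test` domains are assumptions made for the example.

```python
"""Why a history store that logs only the final URL of a redirect chain can
produce false negatives against a domain IOC list.

Constructed example: the IOC set, the record layout and all domains below are
made up for illustration (reserved .test TLD), not real indicators and not the
MVT data model.
"""
from urllib.parse import urlparse

# Constructed IOC list: hostnames an analyst would be alerted on.
IOC_DOMAINS = {"lure.example-ioc.test", "c2.example-ioc.test"}

# Constructed history records. 'final_url' is what a Safari-style history
# store keeps; 'chain' is every hop a full HTTP trace would have recorded
# (assumed field, present here only so the two views can be compared).
SAMPLE_HISTORY = [
    {   # ordinary browsing, no redirect
        "final_url": "https://news.example.org/article",
        "chain": ["https://news.example.org/article"],
    },
    {   # IOC domain reached directly: history-only matching catches it
        "final_url": "https://lure.example-ioc.test/landing",
        "chain": ["https://lure.example-ioc.test/landing"],
    },
    {   # IOC domain redirected to a benign-looking host: only the final
        # URL is stored, so a history-only check sees nothing suspicious
        "final_url": "https://cdn.benign.example.net/",
        "chain": ["https://lure.example-ioc.test/r", "https://cdn.benign.example.net/"],
    },
]


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def match_final_url(records, iocs):
    """What a check over the stored history can see: final URLs whose host is an IOC."""
    return [r["final_url"] for r in records if host_of(r["final_url"]) in iocs]


def match_full_chain(records, iocs):
    """What a full redirect trace would have shown: records where ANY hop hits an IOC."""
    return [r["final_url"] for r in records
            if any(host_of(hop) in iocs for hop in r["chain"])]


def false_negatives(records, iocs):
    """Records that hit on the chain but not on the stored final URL."""
    seen = set(match_final_url(records, iocs))
    return [u for u in match_full_chain(records, iocs) if u not in seen]


if __name__ == "__main__":
    print("history-only hits :", match_final_url(SAMPLE_HISTORY, IOC_DOMAINS))
    print("full-chain hits   :", match_full_chain(SAMPLE_HISTORY, IOC_DOMAINS))
    print("missed (FN)       :", false_negatives(SAMPLE_HISTORY, IOC_DOMAINS))
```

The point of the comparison is the third record: the hit is real, but the only evidence the history store retains is a benign final URL, so a history-based IOC match misses it. That is a false negative, and the reason the comment treats a positive match on a stored URL as something to take seriously rather than as noise.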
