
STIX2 Files Not Fully Parsed #517

Closed
FinestMaximus opened this issue Aug 14, 2024 · 2 comments

Comments


FinestMaximus commented Aug 14, 2024

When running mvt-ios with multiple STIX2 files downloaded from OTX, only 9952 unique indicators are loaded, regardless of the number or size of the custom STIX files provided.

Upon inspecting the indicators.py script, it appears that indicator types are being parsed only if they have a relationship with a defined malware type (?)

Other important types such as reports and threat-actors are not being considered. This could lead to missing some information? I'm sure this was thought through.

Steps to Reproduce

  1. Download multiple STIX2 files from OTX.
  2. Run the following command on those downloaded files:
    mvt-ios check-backup --iocs iocs/5fa1852d337eca8e99c2ec32.stix2 --iocs iocs/65b5c5ebba25ca46fc5b36bc.stix2 --iocs iocs/65b7e3fe91a1aceb955e54f6.stix2 --iocs iocs/65b80944a3d1c9e36346e0c1.stix2 --iocs iocs/65bbb98d9818cca8f130c195.stix2 --iocs iocs/60f05cb87f7c642309de71ef.stix2 --iocs iocs/65b5cbadc21b9891c459b9d2.stix2 --iocs iocs/65b7e3fe934ae9d391614c0d.stix2 --iocs iocs/65bbb998c3b7662e5059b6c2.stix2 --iocs iocs/657089fa03a11e13b7c6690a.stix2 --iocs iocs/65b5cbbbcb7a479db222f053.stix2 --iocs iocs/65b8028403ae53c35d48ecbf.stix2 --iocs iocs/65bbb98c440c1c45ec12ccdc.stix2 backup

Observe the output, which consistently reports "Loaded a total of 9952 unique indicators."

Expected Behavior

The number of unique indicators should vary based on the content of the STIX2 files provided. All relevant data types, including reports and threat-actors, should be parsed and included in the count of unique indicators.

Actual Behavior

The tool loads 9952 unique indicators regardless of the STIX2 files provided, indicating that some data may not be parsed or included correctly.

Suggested Fix

  • Update indicators.py to parse additional STIX2 types, such as reports, threat-actors, and any other relevant types that might contain valuable indicators or context.
  • Consider adding an option or flag to allow users to include or exclude specific STIX2 types during parsing.

Environment

MVT Version: 2.5.4
OS: WSL2
STIX2 Files: Files from OTX eg. https://otx.alienvault.com/pulse/65b5cbbbcb7a479db222f053

Te-k (Contributor) commented Aug 14, 2024

Hi,
Indeed, this is true. MVT only supports a subset of the STIX2 format, which means it only parses and uses indicators with one value only (it doesn't support boolean expressions in indicators) and only the following types (see here):

  • domain-name:value
  • process:name
  • email-addr:value
  • file:name
  • file:path
  • file:hashes.sha256
  • app:id
  • configuration-profile:id
  • android-property:name

It means that many types in STIX2 files may not be parsed by MVT, but only because MVT would do nothing with them. Like we have no interest in parsing threat actors or reports as MVT wouldn't use them anyway.

(Also FYI, the OTX pulse you mention seems to contain IOCs way beyond Pegasus; I am not sure where these IOCs come from.)
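The behaviour described in the reply above (single-comparison patterns only, a fixed list of object paths, everything else silently ignored) is easy to reproduce outside the tool. The following is an added illustration, not MVT's own indicators.py: a small loader that walks one or more STIX2 bundles, keeps only `indicator` objects whose pattern is a single `[path = 'value']` comparison on one of the listed types, deduplicates across files, and tallies why every other object was dropped. The two bundles, their object ids and indicator values are constructed for the example and are not from OTX.

```python
import json
import re
from collections import Counter

# The object paths listed in the reply above; anything else is dropped.
SUPPORTED_TYPES = {
    "domain-name:value", "process:name", "email-addr:value",
    "file:name", "file:path", "file:hashes.sha256",
    "app:id", "configuration-profile:id", "android-property:name",
}

# One comparison of the form [<object-path> = '<value>'].  Patterns with
# AND/OR, other operators or several comparisons do not match and are skipped,
# which mirrors "no boolean expressions" in the reply.
SINGLE_COMPARISON = re.compile(
    r"^\[\s*([a-z0-9-]+:[A-Za-z0-9_.\-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$"
)


def parse_pattern(pattern):
    """Return (object_path, value) for a single-value pattern, else None."""
    m = SINGLE_COMPARISON.match(pattern.strip())
    return (m.group(1), m.group(2)) if m else None


def load_bundle(text, unique, stats):
    """Add the usable indicators of one bundle to `unique`; count the rest."""
    bundle = json.loads(text)
    for obj in bundle.get("objects", []):
        kind = obj.get("type", "?")
        if kind != "indicator":
            # report, threat-actor, malware, relationship ... carry nothing
            # a backup check could match on, so they are not loaded
            stats["non-indicator:" + kind] += 1
            continue
        parsed = parse_pattern(obj.get("pattern", ""))
        if parsed is None:
            stats["unsupported-pattern"] += 1
            continue
        path, value = parsed
        if path not in SUPPORTED_TYPES:
            stats["unsupported-type:" + path] += 1
            continue
        if (path, value) in unique:
            stats["duplicate"] += 1      # same IOC seen in an earlier file
            continue
        unique.add((path, value))


def load_all(bundle_texts):
    """Load several --iocs files into one deduplicated set, as MVT does."""
    unique, stats = set(), Counter()
    for text in bundle_texts:
        load_bundle(text, unique, stats)
    return unique, stats


def _ind(n, pattern):
    # constructed indicator object; ids are placeholders, not real STIX ids
    return {"type": "indicator", "id": "indicator--example-%d" % n,
            "pattern_type": "stix", "pattern": pattern}


# Constructed sample bundles (not OTX data).  BUNDLE_B repeats one domain
# from BUNDLE_A and adds a type MVT does not look at.
BUNDLE_A = json.dumps({"type": "bundle", "id": "bundle--example-a", "objects": [
    _ind(1, "[domain-name:value = 'example-c2.test']"),
    _ind(2, "[file:hashes.sha256 = '" + "ab" * 32 + "']"),
    _ind(3, "[domain-name:value = 'a.test' OR domain-name:value = 'b.test']"),
    {"type": "report", "id": "report--example-1", "name": "constructed report"},
    {"type": "threat-actor", "id": "threat-actor--example-1", "name": "ACTOR-X"},
]})
BUNDLE_B = json.dumps({"type": "bundle", "id": "bundle--example-b", "objects": [
    _ind(4, "[domain-name:value = 'example-c2.test']"),
    _ind(5, "[ipv4-addr:value = '192.0.2.1']"),
    _ind(6, "[process:name = 'evilproc']"),
    _ind(7, "[email-addr:value = 'lure@example.test']"),
    {"type": "malware", "id": "malware--example-1", "name": "constructed malware"},
]})

if __name__ == "__main__":
    unique, stats = load_all([BUNDLE_A, BUNDLE_B])
    print("Loaded a total of %d unique indicators." % len(unique))
    for reason, n in sorted(stats.items()):
        print("  skipped %-40s %d" % (reason, n))
```

Running it on the two constructed bundles loads four indicators and reports the six skipped objects by reason. The `stats` counter is the part worth keeping if you investigate a count that does not change when you add files: a large `unsupported-pattern` or `unsupported-type:...` number explains the gap without guessing what the tool discarded.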

Te-k (Contributor) commented Aug 20, 2024

I have opened a ticket to improve STIX2 support and its documentation (#522), so I am closing this one; feel free to suggest some improvements in that ticket.

@Te-k Te-k closed this as completed Aug 20, 2024