Triangle Check: scan iTunes backups for traces of compromise by Operation Triangulation

Project description

This script scans iTunes backups for indicators of compromise left by Operation Triangulation.

For more information, please read Securelist

Contact: triangulation@kaspersky.com

Prerequisites

The script depends on colorama (for pretty printing) and pycryptodome.

Installation

The triangle_check utility can be installed from PyPI (recommended):

python -m pip install triangle_check

The script can be run as-is (the subdirectory triangle_check is required):

python -m pip install -r requirements.txt
python triangle_check.py 

It can also be built into a pip package:

git clone https://github.com/KasperskyLab/triangle_check
cd triangle_check
python -m build
python -m pip install dist/triangle_check-1.0-py3-none-any.whl

For Windows or Linux, alternatively use the binary builds of the triangle_check utility.

Usage

Usage: python -m triangle_check /path/to/iTunes_backup [backup_password]

iTunes backup location

Locate the backup directory created by iTunes. The exact location depends on the OS and is described here. The directory you are looking for should contain many subdirectories and should include 'Manifest.db' and 'Manifest.plist'. The backup may be encrypted with a password if one was set up in iTunes; that password is required to decrypt password-protected backups.
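As an added illustration (not part of the triangle_check project's code), the following Python snippet performs the pre-checks a responder would do before running the tool against a backup directory: confirm the directory holds Manifest.plist and Manifest.db, read the IsEncrypted flag (a password-protected backup keeps Manifest.db itself encrypted, so the scan needs the password), and, for an unencrypted backup, list the Manifest.db entries under the paths that appear in the example output further down this page. The watched paths, the sample backup layout and the file-ID helper are constructed for the example; the tool's own IOC logic is not reproduced.

```python
import hashlib
import os
import plistlib
import sqlite3
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Relative paths taken from the example output on this page. This is NOT the
# tool's IOC set (assumption: only the entries shown there, used for triage).
WATCHED_PREFIXES = (
    "Library/SMS/Attachments/",
    "Library/Preferences/com.apple.ImageIO.plist",
    "Library/Preferences/com.apple.locationd.StatusBarIconManager.plist",
)

# Constructed sample rows for Manifest.db: (domain, relativePath).
SAMPLE_FILES = [
    ("HomeDomain", "Library/SMS/sms.db"),
    ("MediaDomain", "Library/SMS/Attachments/ab/11"),
    ("HomeDomain", "Library/Preferences/com.apple.ImageIO.plist"),
    ("HomeDomain", "Library/Preferences/com.apple.locationd.StatusBarIconManager.plist"),
    ("HomeDomain", "Library/Preferences/com.apple.springboard.plist"),
]


@dataclass
class BackupInfo:
    path: str
    encrypted: bool
    file_count: int
    watched: list = field(default_factory=list)   # (domain, relativePath) pairs


def file_id(domain: str, relative_path: str) -> str:
    """Backup file names are SHA-1("<domain>-<relativePath>"), as iTunes computes them."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def build_sample_backup(dest: str, encrypted: bool = False) -> str:
    """Write a minimal, constructed backup layout (Manifest.plist + Manifest.db) under dest."""
    os.makedirs(dest, exist_ok=True)
    with open(os.path.join(dest, "Manifest.plist"), "wb") as fh:
        plistlib.dump({"Version": "10.0", "IsEncrypted": encrypted,
                       "Lockdown": {"ProductVersion": "15.7"}}, fh)
    db = sqlite3.connect(os.path.join(dest, "Manifest.db"))
    with db:
        db.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                   "relativePath TEXT, flags INTEGER, file BLOB)")
        db.executemany("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)",
                       [(file_id(d, p), d, p) for d, p in SAMPLE_FILES])
    db.close()
    return dest


def inspect_backup(backup_dir: str) -> BackupInfo:
    """Validate the directory described on the page and list entries under watched paths."""
    plist_path = os.path.join(backup_dir, "Manifest.plist")
    db_path = os.path.join(backup_dir, "Manifest.db")
    for p in (plist_path, db_path):
        if not os.path.isfile(p):
            raise FileNotFoundError(f"{backup_dir}: missing {os.path.basename(p)}, "
                                    "not an iTunes backup directory")
    with open(plist_path, "rb") as fh:
        encrypted = bool(plistlib.load(fh).get("IsEncrypted", False))
    if encrypted:
        # In a password-protected backup Manifest.db is itself encrypted, so the
        # listing below is not possible without the password: report and stop.
        return BackupInfo(backup_dir, True, 0)
    # Open the evidence read-only so the inspection cannot alter the backup.
    conn = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = conn.execute("SELECT domain, relativePath FROM Files").fetchall()
    finally:
        conn.close()
    watched = sorted((d, p) for d, p in rows if p and p.startswith(WATCHED_PREFIXES))
    return BackupInfo(backup_dir, False, len(rows), watched)


def run_demo(encrypted: bool = False) -> BackupInfo:
    """Build a constructed sample backup in a temporary directory and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_backup(build_sample_backup(os.path.join(tmp, "backup"), encrypted))


if __name__ == "__main__":
    info = run_demo()
    print(f"encrypted={info.encrypted}, {info.file_count} files listed in Manifest.db")
    for domain, rel in info.watched:
        print(f"  watched: {domain}/{rel}")
```

Presence of a file under a watched path is only a listing, not a finding: the tool's verdict rests on combinations of timestamps and attribute changes, which is why the page's output reports events such as "file birth" and "file attribute change" rather than bare paths.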

Advanced: create backup with libimobiledevice

You can use the tool idevicebackup2, which is part of the open-source package libimobiledevice. Popular Linux distributions, MacPorts and Homebrew provide it as a ready-made package, and it can also be built from source on Linux or macOS.

Scanning the backup

Run the tool against the backup directory. If there are any traces of suspicious activity, the script prints SUSPICION or DETECTED lines with more information and the detected IOCs; such lines mean that the device was most likely compromised.

Example output:

==== IDENTIFIED TRACES OF COMPROMISE (Operation Triangulation) ====
2022-*-* SUSPICION Suspicious combination of events: 
 * file modification: Library/SMS/Attachments/ab/11
 * file attribute change: Library/SMS/Attachments/ab/11
 * location service stopped: com.apple.locationd.bundle-/System/Library/LocationBundles/WRMLinkSelection.bundle
 * file modification: Library/Preferences/com.apple.ImageIO.plist
 * file attribute change: Library/Preferences/com.apple.ImageIO.plist
 * file birth: Library/Preferences/com.apple.ImageIO.plist
 * file modification: Library/Preferences/com.apple.locationd.StatusBarIconManager.plist
 * file attribute change: Library/Preferences/com.apple.locationd.StatusBarIconManager.plist
 * file birth: Library/Preferences/com.apple.locationd.StatusBarIconManager.plist
2022-*-* DETECTED Exact match by NetUsage : BackupAgent
2022-*-* DETECTED Exact match by NetTimestamp : BackupAgent

What's next?

The research on the Operation Triangulation is ongoing. For more updates, please check Securelist

Download files

Source Distribution: triangle_check-1.1.tar.gz (26.7 kB)

Built Distribution: triangle_check-1.1-py3-none-any.whl (27.2 kB, Python 3)

File details

Details for the file triangle_check-1.1.tar.gz.

File metadata

  • Download URL: triangle_check-1.1.tar.gz
  • Size: 26.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.10.6

File hashes

Hashes for triangle_check-1.1.tar.gz
Algorithm Hash digest
SHA256 389958817c3105a6836c1183ba1cd127835161c8312f92d141facc79301a885a
MD5 216947fe7a7b1c25e260d1d5f890a243
BLAKE2b-256 fc9cad5acd76a9041210cb848c17242424c4198286175f0efe973f8747fd8904

File details

Details for the file triangle_check-1.1-py3-none-any.whl.

File metadata

  • Download URL: triangle_check-1.1-py3-none-any.whl
  • Size: 27.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.10.6

File hashes

Hashes for triangle_check-1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 dba40eeda390b077a3440b2f984ebe77da912f131e26fb932d7ae403f9d9cf12
MD5 ecdfe05376cdcd2585e797c200d426bc
BLAKE2b-256 b543de822329f67dba3a5bb1e2547f3ebd986e842020043898c5ab775dd0b914
