
triangle_check's Introduction

Triangle Check: scan iTunes backups for traces of compromise by Operation Triangulation

This script scans iTunes backups for indicators of compromise (IOCs) left by Operation Triangulation.

For more information, please read Securelist

Contact: [email protected]

Prerequisites

The script depends on colorama (for pretty printing) and pycryptodome (for decrypting password-protected backups).

Installation

The triangle_check utility can be installed from PyPI (recommended):

python -m pip install triangle_check

The script can also be run straight from a checkout without installing it (the triangle_check subdirectory must be present next to triangle_check.py):

python -m pip install -r requirements.txt
python triangle_check.py /path/to/iTunes_backup [backup_password]

It can also be built into a pip package:

git clone https://github.com/KasperskyLab/triangle_check
cd triangle_check
python -m build
python -m pip install dist/triangle_check-1.0-py3-none-any.whl

On Windows or Linux you can alternatively use the prebuilt binary releases of the triangle_check utility.

Usage

Usage: python -m triangle_check /path/to/iTunes_backup [backup_password]

iTunes backup location

Locate the backup directory created by iTunes (or by Finder on recent macOS). The exact location depends on the OS and is documented by Apple. The directory you are looking for contains many two-character hexadecimal subdirectories together with 'Manifest.db' and 'Manifest.plist'. If a backup password was set in iTunes, the backup is encrypted and that password is required to scan it.

Advanced: create backup with libimobiledevice

You can use the idevicebackup2 tool, which is part of the open-source libimobiledevice package. Popular Linux distributions, MacPorts and Homebrew provide it out of the box, and the package can also be built from source on Linux or macOS.

Scanning the backup

Run the tool against the backup directory. If it finds traces of suspicious activity, it prints SUSPICION lines (a suspicious combination of file-system and service events) or DETECTED lines (an exact match against a known IOC) with the details; such output means the device was most likely compromised. No output means the backup contains none of the traces the tool knows about, which is not proof that the device is clean.

Example output:

==== IDENTIFIED TRACES OF COMPROMISE (Operation Triangulation) ====
2022-*-* SUSPICION Suspicious combination of events: 
 * file modification: Library/SMS/Attachments/ab/11
 * file attribute change: Library/SMS/Attachments/ab/11
 * location service stopped: com.apple.locationd.bundle-/System/Library/LocationBundles/WRMLinkSelection.bundle
 * file modification: Library/Preferences/com.apple.ImageIO.plist
 * file attribute change: Library/Preferences/com.apple.ImageIO.plist
 * file birth: Library/Preferences/com.apple.ImageIO.plist
 * file modification: Library/Preferences/com.apple.locationd.StatusBarIconManager.plist
 * file attribute change: Library/Preferences/com.apple.locationd.StatusBarIconManager.plist
 * file birth: Library/Preferences/com.apple.locationd.StatusBarIconManager.plist
2022-*-* DETECTED Exact match by NetUsage : BackupAgent
2022-*-* DETECTED Exact match by NetTimestamp : BackupAgent
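The following is an added example for the 'iTunes backup location' and 'Scanning the backup' sections above; it is not triangle_check's own code. It builds a constructed, unencrypted backup fixture and shows the two checks a scanner performs before it can emit 'file birth' / 'file modification' / 'file attribute change' lines: validating that a directory really is a backup (Manifest.plist and Manifest.db present, encryption flag read) and resolving a device path to its metadata record through Manifest.db. The record layout it assumes (a Files table with fileID, domain, relativePath, flags and file columns; a 'file' blob that is an NSKeyedArchiver plist whose $objects[1] holds Birth, LastModified and LastStatusChange as Unix timestamps; fileID being SHA-1 of "<domain>-<relativePath>") is the common iTunes backup format, not something the README states; the watched paths are taken from the example output, and all sample data is invented.

```python
"""Added example (not triangle_check's code): inspect a constructed iTunes backup the
way a scanner must before it can emit 'file birth' / 'file modification' lines.
Assumed layout: Manifest.plist (IsEncrypted, Lockdown), a Manifest.db table
Files(fileID, domain, relativePath, flags, file), and a 'file' blob that is an
NSKeyedArchiver plist whose $objects[1] carries Birth, LastModified and
LastStatusChange as Unix timestamps. All sample data below is invented."""
import hashlib
import os
import plistlib
import sqlite3
import tempfile
from datetime import datetime, timezone

HOME = "HomeDomain"
# Paths named in the README's example output, plus the osanalytics plist behind
# the NetUsage/NetTimestamp matches.
WATCHED_PATHS = (
    "Library/Preferences/com.apple.ImageIO.plist",
    "Library/Preferences/com.apple.locationd.StatusBarIconManager.plist",
    "Library/Preferences/com.apple.osanalytics.addaily.plist",
)


def validate_backup(backup_dir):
    """Confirm the directory is a backup and report whether it is encrypted."""
    for name in ("Manifest.db", "Manifest.plist"):
        if not os.path.isfile(os.path.join(backup_dir, name)):
            raise FileNotFoundError(f"{name} missing: not an iTunes backup: {backup_dir}")
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as fh:
        manifest = plistlib.load(fh)
    return {"encrypted": bool(manifest.get("IsEncrypted", False)),
            "product_version": manifest.get("Lockdown", {}).get("ProductVersion")}


def lookup_file(backup_dir, domain, relative_path):
    """Return (fileID, metadata blob) for a backed-up file, or None if absent.
    Testing for None instead of unpacking fetchone() blindly avoids the
    'cannot unpack non-iterable NoneType object' crash when the file is missing."""
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    try:
        return con.execute("SELECT fileID, file FROM Files WHERE domain = ? AND relativePath = ?",
                           (domain, relative_path)).fetchone()
    finally:
        con.close()


def file_timestamps(metadata_blob):
    """Birth / modification / attribute-change times from the keyed archive, or None
    when the blob has no '$objects' (the KeyError seen on some third-party exports)."""
    objects = plistlib.loads(metadata_blob).get("$objects")
    if not objects or len(objects) < 2 or not isinstance(objects[1], dict):
        return None
    info = objects[1]
    def ts(key):
        return None if info.get(key) is None else datetime.fromtimestamp(info[key], tz=timezone.utc)
    return {"birth": ts("Birth"), "modified": ts("LastModified"), "attr_changed": ts("LastStatusChange")}


def scan_backup(backup_dir, watched=WATCHED_PATHS):
    """Map each watched path to its timestamps, 'absent' or 'unparsable'."""
    report = {}
    for rel in watched:
        row = lookup_file(backup_dir, HOME, rel)
        if row is None:
            report[rel] = "absent"
            continue
        stamps = file_timestamps(row[1])
        report[rel] = "unparsable" if stamps is None else stamps
    return report


def build_sample_backup():
    """Write a constructed, unencrypted fixture to a temp dir and return its path."""
    backup_dir = tempfile.mkdtemp(prefix="triangle_demo_")
    with open(os.path.join(backup_dir, "Manifest.plist"), "wb") as fh:
        plistlib.dump({"IsEncrypted": False, "Lockdown": {"ProductVersion": "15.7"}}, fh)
    # Normal record: born 2023-01-01T00:00Z, modified and chmod'ed one hour later.
    good = plistlib.dumps({"$version": 100000, "$archiver": "NSKeyedArchiver",
                           "$top": {"root": plistlib.UID(1)},
                           "$objects": ["$null", {"Birth": 1672531200, "LastModified": 1672534800,
                                                  "LastStatusChange": 1672534800, "Size": 120}]},
                          fmt=plistlib.FMT_BINARY)
    # Record as a third-party exporter might store it: a plain dict, not a keyed archive.
    odd = plistlib.dumps({"Size": 64}, fmt=plistlib.FMT_BINARY)
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    for rel, blob in ((WATCHED_PATHS[0], good), (WATCHED_PATHS[1], odd)):
        # Real backups name each file by SHA-1 of "<domain>-<relativePath>" and keep
        # it under a subdirectory named after the first two hex digits of that hash.
        file_id = hashlib.sha1(f"{HOME}-{rel}".encode()).hexdigest()
        con.execute("INSERT INTO Files VALUES (?, ?, ?, 1, ?)", (file_id, HOME, rel, blob))
    con.commit()
    con.close()
    return backup_dir


if __name__ == "__main__":
    demo = build_sample_backup()
    print(validate_backup(demo))
    for path, result in scan_backup(demo).items():
        print(path, "->", result)
```

Running the file scans the fixture; pointing validate_backup and scan_backup at a real, unencrypted backup directory works the same way. The example deliberately does no decryption: in a password-protected backup Manifest.db is itself encrypted, so sqlite3 cannot open it, which is why triangle_check needs pycryptodome and the backup password before it can do anything else.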

What's next?

Research on Operation Triangulation is ongoing. For updates, check Securelist.

triangle_check's People

Contributors: bzvr, igosha-kl, iwiwsb, klbot, ykarpeev


triangle_check's Issues

Issue using iCloud based backups

When running the tool against iCloud backup extractions from Elcomsoft Phone Breaker, an error occurs.

Traceback (most recent call last):
  File "C:\Users\Richard\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Users\Richard\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "C:\Users\Richard\AppData\Local\Programs\Python\Python310\Scripts\triangle_check.exe\__main__.py", line 7, in <module>
  File "C:\Users\Richard\AppData\Local\Programs\Python\Python310\lib\site-packages\triangle_check\__main__.py", line 29, in main
    results = checker.scan_dir(dir, password, ask_password)
  File "C:\Users\Richard\AppData\Local\Programs\Python\Python310\lib\site-packages\triangle_check\__init__.py", line 203, in scan_dir
    fs_stat = fs_info['$objects'][1]
KeyError: '$objects'

Output from Elcomsoft is an iTunes backup structure with the requisite Manifest.plist and other files.

Check fails with error: KeyError: 'netUsageBaseline'

Running against an iPadOS 16.5 encrypted backup, triangle_check fails because osanalytics does not have a 'netUsageBaseline'.

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/triangle_check/__main__.py", line 49, in <module>
    main()
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/triangle_check/__main__.py", line 29, in main
    results = checker.scan_dir(dir, password, ask_password)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/triangle_check/__init__.py", line 216, in scan_dir
    baseline = osanalytics['netUsageBaseline']
KeyError: 'netUsageBaseline'

Fails with error: TypeError: cannot unpack non-iterable NoneType object

The tool fails soon after starting. Seems that cur.fetchone() in decrypt_with_manifest is returning None.

The error message is:

Traceback (most recent call last):
  File "/Users/leka/.local/share/rtx/installs/python/3.9.16/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/Users/leka/.local/share/rtx/installs/python/3.9.16/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/Users/leka/.local/share/rtx/installs/python/3.9.16/lib/python3.9/site-packages/triangle_check/__main__.py", line 49, in <module>
    main()
  File "/Users/leka/.local/share/rtx/installs/python/3.9.16/lib/python3.9/site-packages/triangle_check/__main__.py", line 29, in main
    results = checker.scan_dir(dir, password, ask_password)
  File "/Users/leka/.local/share/rtx/installs/python/3.9.16/lib/python3.9/site-packages/triangle_check/__init__.py", line 208, in scan_dir
    path_osanalytics = self.decrypt_with_manifest('Library/Preferences/com.apple.osanalytics.addaily.plist', 'HomeDomain')
  File "/Users/leka/.local/share/rtx/installs/python/3.9.16/lib/python3.9/site-packages/triangle_check/__init__.py", line 69, in decrypt_with_manifest
    fileID, plist = cur.fetchone()
TypeError: cannot unpack non-iterable NoneType object

I am running the tool with rtx-installed Python on the latest version of macOS. The provided error message was produced using Python 3.9.16, but I've also tried with Python 3.11.2 with the same result.

Also I'm running the tool from my home directory, with the full path to backup directory as a parameter (I've verified that I have the Manifest.db and Manifest.plist, among other things, within the backup directory). The backup is encrypted and I've tried with both interactively providing the password as well as providing it as an argument - no changes here either.

pip packages names should not use underscores

I just wanted to let people know that it would be better not to use an underscore in the module name.
They are discouraged in PEP8.

pip transforms the underscore into a dash:
pip list displays triangle-check

Some people, knowing this, are likely to try to use it like this:
python -m triangle-check path\to\backup
instead of
python -m triangle_check path\to\backup
