{"id":18755794,"url":"https://github.com/kasperskylab/triangle_check","last_synced_at":"2025-04-12T21:33:53.454Z","repository":{"id":171635540,"uuid":"648156011","full_name":"KasperskyLab/triangle_check","owner":"KasperskyLab","description":null,"archived":false,"fork":false,"pushed_at":"2024-01-02T16:27:58.000Z","size":38,"stargazers_count":516,"open_issues_count":7,"forks_count":40,"subscribers_count":14,"default_branch":"main","last_synced_at":"2025-04-04T01:08:49.346Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/KasperskyLab.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.txt","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-01T10:31:12.000Z","updated_at":"2025-03-12T07:04:07.000Z","dependencies_parsed_at":null,"dependency_job_id":"2422fbb5-5650-4276-b7d1-2500bbb31f32","html_url":"https://github.com/KasperskyLab/triangle_check","commit_stats":null,"previous_names":["kasperskylab/triangle_check"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KasperskyLab%2Ftriangle_check","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KasperskyLab%2Ftriangle_check/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KasperskyLab%2Ftriangle_check/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KasperskyLab%2Ftriangle_check/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/KasperskyLab","down
load_url":"https://codeload.github.com/KasperskyLab/triangle_check/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248636650,"owners_count":21137501,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T17:33:57.743Z","updated_at":"2025-04-12T21:33:53.412Z","avatar_url":"https://github.com/KasperskyLab.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],
"readme":"## Triangle Check: scan iTunes backups for traces of compromise by Operation Triangulation\n\nThis script scans iTunes backups for indicators of compromise left by Operation Triangulation.\n\nFor more information, please read [Securelist](https://securelist.com/trng-2023/).\n\nContact: [triangulation@kaspersky.com](mailto:triangulation@kaspersky.com)\n\n## Prerequisites\n\nThe script depends on colorama (for pretty printing) and pycryptodome.\n\n## Installation\n\nThe triangle_check utility can be installed from [PyPI](https://pypi.org/project/triangle-check/) (recommended):\n\n```\npython -m pip install triangle_check\n```\n\nThe script can also be run as-is (the subdirectory *triangle_check* is required):\n\n```\npython -m pip install -r requirements.txt\npython triangle_check.py\n```\n\nIt can also be built into a pip package:\n\n```\ngit clone https://github.com/KasperskyLab/triangle_check\ncd triangle_check\npython -m build\npython -m pip install dist/triangle_check-1.0-py3-none-any.whl\n```\n\nAlternatively, for Windows or Linux, use the [binary builds](https://github.com/KasperskyLab/triangle_check/releases) of the triangle_check utility.\n\n## Usage\n\n```\nUsage: python -m triangle_check /path/to/iTunes_backup [backup_password]\n```\n\n### iTunes backup location\n\nLocate the backup directory created by iTunes. The exact location depends on the OS and is described [here](https://support.apple.com/en-us/HT204215).\nThe directory you are looking for contains many subdirectories and should include 'Manifest.db' and 'Manifest.plist'. The backup may be encrypted with a password if one was set in iTunes; that password is required to decrypt password-protected backups.\n\n### Advanced: create backup with libimobiledevice\n\nYou can use the tool *idevicebackup2*, which is part of the open-source package [libimobiledevice](https://libimobiledevice.org/). Popular Linux distributions, MacPorts and Homebrew allow you to install it out of the box, and the package can also be built from source for Linux or OS X.\n\n### Scanning the backup\n\nRun the tool against the backup directory.
If there are any traces of suspicious activity, the script prints *SUSPICION* or *DETECTED* lines with more information and the detected IOCs, which means the device was *most likely* compromised.\n\nExample output:\n\n```\n==== IDENTIFIED TRACES OF COMPROMISE (Operation Triangulation) ====\n2022-*-* SUSPICION Suspicious combination of events: \n * file modification: Library/SMS/Attachments/ab/11\n * file attribute change: Library/SMS/Attachments/ab/11\n * location service stopped: com.apple.locationd.bundle-/System/Library/LocationBundles/WRMLinkSelection.bundle\n * file modification: Library/Preferences/com.apple.ImageIO.plist\n * file attribute change: Library/Preferences/com.apple.ImageIO.plist\n * file birth: Library/Preferences/com.apple.ImageIO.plist\n * file modification: Library/Preferences/com.apple.locationd.StatusBarIconManager.plist\n * file attribute change: Library/Preferences/com.apple.locationd.StatusBarIconManager.plist\n * file birth: Library/Preferences/com.apple.locationd.StatusBarIconManager.plist\n2022-*-* DETECTED Exact match by NetUsage : BackupAgent\n2022-*-* DETECTED Exact match by NetTimestamp : BackupAgent\n```\n\n## What's next?\n\nResearch on Operation Triangulation is ongoing. For more updates, please check [Securelist](https://securelist.com/trng-2023/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkasperskylab%2Ftriangle_check","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkasperskylab%2Ftriangle_check","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkasperskylab%2Ftriangle_check/lists"}