Check for Pegasus on iOS

Investigating Pegasus on iOS

Create an encrypted backup using Finder.
Install MVT by running pip3 install mvt.
Decrypt the encrypted backup:

cd /Users/Steh/Library/Application Support/MobileSync
mvt-ios decrypt-backup Backup --destination Backup-dec`

Download the detection file from: AmnestyTech Investigations Repository
Verify the backup:

mvt-ios check-backup Backup-dec -o ioc_output -i pegasus.stix2 cytrox.stix2

References

You may also enjoy

Splunk

Mastering Field Extraction in Splunk: Quick Guide

Learn how to configure and test field extractions in Splunk using regex in transforms.conf and props.conf.

Mastering the Tstats Command in Splunk

Learn how to leverage the powerful Tstats command in Splunk 9.2.1 for optimized data analysis and improved search performance.