Practical Steps for High Quality Threat Hunting on iOS Without a Jailbreak
One of our customers operates a large OT-IT network. As part of threat hunting operations in their environment, we also investigate employees' work phones to ensure every asset is free of malicious activity. We want to share the practical steps we use for threat hunting on iOS devices.
If a jailbreak cannot be performed, we use these practical steps to identify malicious activity:
1. Network analysis:
2. Read all WhatsApp/SMS instant messages and scan them for malicious files, images and URLs (logical acquisition is needed):
3. Install the sysdiagnose profile and explore the collected data (logical acquisition is needed):
4. Extract the history of Wi-Fi connections and alert on networks without WPA protection, so the user avoids reconnecting to them (logical acquisition is needed):
5. Install the "disk space diagnostic logging" profile and collect the metadata of all files on the system (logical acquisition is needed):
6. Check for available updates:
7. Manually check for apps that request more permissions than they need:
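As an added illustration of step 4 (not code from the original post), the script below reads the known-networks list from a logically acquired backup's Wi-Fi plist and reports the networks that carry no WPA/RSN information element, newest connection first. The key names (`List of known networks`, `SSID_STR`, `WPA_IE`, `RSN_IE`, `lastJoined`) are assumed from the layout of `SystemConfiguration/com.apple.wifi.plist`; the sample plist is constructed inline so the script runs offline.

```python
import plistlib
from datetime import datetime

# Constructed sample modelled on the known-networks list found in a backup's
# SystemConfiguration/com.apple.wifi.plist (assumption: key names as below).
# Secured networks record a WPA_IE and/or RSN_IE blob; open networks have neither.
SAMPLE_PLIST = plistlib.dumps({
    "List of known networks": [
        {"SSID_STR": "corp-ot", "RSN_IE": b"\x30\x14\x01\x00",
         "lastJoined": datetime(2024, 5, 2, 9, 0, 0)},
        {"SSID_STR": "Airport_Free",
         "lastJoined": datetime(2024, 4, 20, 18, 30, 0)},
        {"SSID_STR": "hotel-guest",
         "lastJoined": datetime(2024, 4, 28, 22, 15, 0)},
        {"SSID_STR": "home-net", "WPA_IE": b"\xdd\x16\x00\x50\xf2\x01",
         "lastJoined": datetime(2024, 4, 30, 7, 45, 0)},
    ]
})


def load_known_networks(plist_bytes):
    """Return the list of known-network dictionaries from the Wi-Fi plist."""
    data = plistlib.loads(plist_bytes)
    return data.get("List of known networks", [])


def is_open_network(entry):
    """A network is treated as open when it recorded neither a WPA nor an RSN IE."""
    return not (entry.get("WPA_IE") or entry.get("RSN_IE"))


def find_open_networks(plist_bytes):
    """List (SSID, lastJoined) for open networks, most recently joined first."""
    open_nets = [n for n in load_known_networks(plist_bytes) if is_open_network(n)]
    open_nets.sort(key=lambda n: n.get("lastJoined", datetime.min), reverse=True)
    return [(n.get("SSID_STR", "<hidden>"), n.get("lastJoined")) for n in open_nets]


if __name__ == "__main__":
    for ssid, joined in find_open_networks(SAMPLE_PLIST):
        print(f"OPEN network {ssid!r} last joined {joined}")
```

Point the script at the plist from the device backup instead of `SAMPLE_PLIST` and hand the resulting SSID list to the user as the networks to forget.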
Dor Yardeni
Head of IR & Hunting