Incident Response Tips

Practical Steps for High Quality Threat Hunting on iOS Without a Jailbreak

One of our customers operates a large OT-IT network. As part of Threat Hunting operations on their environment we will investigate their work phones to ensure every asset is safe from malicious activity. We want to share with you practical steps for Threat Hunting on iOS Devices.

In case we can't perform a jailbreak, we will use these practical steps to identify malicious activity:

1. Network analysis:


2. Read all WhatsApp/SMS IMs, scan for malicious files, images and urls (logical acquisition is needed):  

3. Install sysdiagnose profile and explore the data (logical acquisition is needed):

  • Sysdiagnose is an iOS profile that enables developers to diagnose the OS. We can install this profile to dump valuable logs using a tool called libimobiledevice.
    • Process list. Check for suspicious CLI arguments, differences between clean process list...
    • List of installed applications
    • Information about history of connected devices
    • Uninstalled applications
  • Here you can find a great publication about the topic https://web.tresorit.com/l#1CbkccYS0kS51za-xo9YcQ&viewer=z0qlPKdDc9TrY9DlF8l8eWKrFOsnX5lJ

4. Extract history of wifi connections and alert about no wpa networks, so the user will avoid connecting back to them (logical acquisition is needed):

  • It is possible to add Geo Location of the networks on a map

5. Install "disk space diagnostic logging" profile and get all files metadata in the system (logical acquisition is needed)

6. Check for available updates:

  • iOS updates
  • Read about installed applications and their versions. Then we can notify the client about known vulnerabilities (like the last WhatsApp CVE)

7. Manually check for apps that are using too many permissions:

  • Like note app with "read contacts" permissions

 

Dor Yardeni
Head of IR & Hunting

 

loader
×

OTORIO website uses cookies. By continuing to browse the site you are agreeing to our use of cookies. For more details about cookies and how to manage them, see our cookie policy.

Continue