Practical Steps for High Quality Threat Hunting on IOS Without a Jailbreak

Incident Response Tips

Practical Steps for High Quality Threat Hunting on iOS Without a Jailbreak

One of our customers operates a large OT-IT network. As part of Threat Hunting operations on their environment we will investigate their work phones to ensure every asset is safe from malicious activity. We want to share with you practical steps for Threat Hunting on iOS Devices.

In case we can't perform a jailbreak, we will use these practical steps to identify malicious activity:

1. Network analysis:

Here's a nice article that shows how to install a self-signed certificate to perform MITM attacks to achieve clear-text traffic.
https://blog.netspi.com/four-ways-to-bypass-ios-ssl-verification-and-certificate-pinning/
We can use this method to check for:
- Suspicious domains that the phone is trying to access
- Top accessed domains
- Top data upload domains
- Detect sensitive data leakage (if not encrypted under the ssl)

2. Read all WhatsApp/SMS IMs, scan for malicious files, images and urls (logical acquisition is needed):

Retrieve all WhatsApp messages including media and files using "cok free itunes backup extractor"
https://www.quora.com/How-can-I-get-my-WhatsApp-messages-on-my-computer-or-desktop

3. Install sysdiagnose profile and explore the data (logical acquisition is needed):

Sysdiagnose is an iOS profile that enables developers to diagnose the OS. We can install this profile to dump valuable logs using a tool called libimobiledevice.
- Process list. Check for suspicious CLI arguments, differences between clean process list...
- List of installed applications
- Information about history of connected devices
- Uninstalled applications
Here you can find a great publication about the topic https://web.tresorit.com/l#1CbkccYS0kS51za-xo9YcQ&viewer=z0qlPKdDc9TrY9DlF8l8eWKrFOsnX5lJ

4. Extract history of wifi connections and alert about no wpa networks, so the user will avoid connecting back to them (logical acquisition is needed):

It is possible to add Geo Location of the networks on a map

5. Install "disk space diagnostic logging" profile and get all files metadata in the system (logical acquisition is needed)

6. Check for available updates:

iOS updates
Read about installed applications and their versions. Then we can notify the client about known vulnerabilities (like the last WhatsApp CVE)

7. Manually check for apps that are using too many permissions:

Like note app with "read contacts" permissions

Dor Yardeni
Head of IR & Hunting