PT10 20 - Mobile - Pentesting - Preview


EDITORIAL Team

Managing Editor

Bartłomiej Adach
[email protected]

Proofreaders & Betatesters

Lee McKenzie, Bernhard Waldecker, Tom Updegrove, Avi Benchimol, Girshel Chokhonelidze, Laszlo Acs, Olivier Caleff, Craig Thornton, Da Co, Matthew Sabin


Special thanks to the Proofreaders & Betatesters who helped with this issue. Without their
assistance there would not be a PenTest Magazine.

Senior Consultant/Publisher

Paweł Marciniak

CEO

Joanna Kretowicz
[email protected]

DTP

Bartłomiej Adach

[email protected]

COVER DESIGN

Hiep Nguyen Duc

PUBLISHER

Hakin9 Media Sp. z o.o.
02-511 Warszawa
ul. Bielawska 6/19
Phone: 1 917 338 3631
www.pentestmag.com

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility
for misuse of the presented techniques or consequent data loss.

Dear PenTest Readers,

Mobile devices and applications have dominated our lives. As the global population becomes highly dependent on using
pocket-sized technologies in plenty of aspects of its everyday functioning, the demand for skilled mobile pentesters and
other security specialists is growing steadily. A good knowledge of the topic is simply a must, and that’s why we decided
to enrich our library with an edition dedicated to mobile pentesting this month.

The opening article of the issue, written by our regular contributor Staford Titus, presents how to build your custom
malware for the Android operating system. Obviously, for ethical usage only!

Next, you will read a comprehensive presentation of tools and techniques for mobile security assessment. You will learn
how to set up Android Studio, how to run and use a virtual device, how to perform log analysis of Android apps using
Logcat, how to use the Drozer console for dynamic and static analysis, and much more! As the author, Sandeep Kumar Singh,
states in the conclusion, the presented techniques aren’t limited to just Android. A great read for every mobile security
enthusiast.

Our contributors didn’t forget about those who work on iOS. Teo Kok Sang will show you how to prevent iOS mobile
apps from being debugged, the secure way. A very powerful reverse engineering technique, exploring applications
with a debugger, awaits your acquaintance!

William Tan contributes with a scenario in which he included a Metasploit payload, to show you a great example of
understanding and overcoming anti-malware defences.

The last (but not least!) article dedicated to the main topic in this edition, written by Antonio Scibilia, deals with HTTPS
traffic interception in Android environments, with a focus on dynamic analysis with the Frida GUI tool. A fantastic,
practical read for everyone!

If you’re into other offensive security topics, our authors bring to the table a really interesting choice of content for various
tools, techniques, and case studies. Filipi Pires presents another interesting case study - this time on a false positive in a
threat hunting context. Pablo Gonzalez Perez and Fran Ramirez help you discover other advantages of their amazing tool,
ATTPwn - perhaps some of you might have got to know it in previous editions. This month you will learn how to integrate
MITRE ATT&CK with it. There is also a practical tutorial by Rodolpho Concurde on covert channel type of attacks, another
interesting Hack The Box walkthrough by Saifullah Dabir, and an article on recovering hacked credit and debit cards by
Jamal Uddin.

Loads of interesting stuff for everyone!

Without further ado,

Enjoy the reading!

PenTest Magazine’s Editorial Team


Contents

Debilitating Defense: Building an Android Malware
Staford Titus 4

Mobile Security Assessment Tools and Techniques
Sandeep Kumar Singh 24

Preventing an iOS Mobile Application from Being Debugged – The Secure Way
Teo Kok Sang 39

Understanding and Overcoming Android Anti-Malware Defences
William Tan 50

Intercepting HTTPS Traffic on Android Mobile Apps
Antonio Scibilia 61

How to Treat False Positive with Threat Hunting
Filipi Pires 70

ATTPwn: How to Create Your Own Implementation of a MITRE ATT&CK Technique
Pablo Gonzalez Perez, Fran Ramirez 80

Covert Channel Technique Explained
Rodolpho Concurde 89

Cronos - Hack The Box Walkthrough
Sk Saifullah Dabir 95

Hacked Credit/Debit Card Recovery
Jamal Uddin 104

How to Treat False Positive with Threat Hunting
Filipi Pires

I've been working as Principal Security Engineer at Zup Innovation and Global
Research Manager at Hacker Security. I have spoken at security events in
Germany, Poland, Hungary and Brazil, served as a University Professor in
Undergraduate / MBA courses at colleges such as FIAP / Mackenzie / UNIBTA
and UNICIV, and, in addition, I'm Founder and Instructor of the course Malware
Analysis - Fundamentals (HackerSec Company - Online Course -
Portuguese Language).

The purpose of this document is to present an investigation into Malops (Malware
Operations) that were recurring in our environment. The same domain was observed
being accessed by many machines from different teams, on different days and at
different times. This report was based on one of the pillars of IOA (Indicator of
Attack) research: multiple alarm events from many different hosts for a single
domain. We set out to validate whether the domain was really malicious and whether
an APT was underway in our environment, and carried out extensive research and
analysis of the relevant behaviors. With the final product, the team responsible
for the product will have an instrument capable of guiding a process of mitigation
and/or correction, as well as targeted improvement, based on the criticality of the
risks.

Scope

The target of this investigation was the domain “https://cookiesync.slyngshot.io/”,
validating whether this domain is malicious or not. The first piece of information provided by Cybereason is
represented in the Malops Incident (Cybereason Cloud Console malop | AAAA01y6vOZhchYQ), where we found
more than 40 machines communicating with this domain.


Image 1.1: Malops Incident Detection

Project Summary

The Threat Hunting team carried out the investigation by analyzing the log information provided by the
Malops Incident reports and by other research on the internet, to understand whether the domain is malicious
or not, including executing this domain in a controlled environment. The investigation took 1 day, starting on
the 11th of August 2020, and this report was prepared on the 19th of August of the same year.

Running the Investigation

• First Step

The first step in this investigation was to understand the malops report and its information. As we can see in
the malops information, the possible attack started in May and was still happening in August. Below we can see
49 machines in scope. The communication appears to be both inbound and outbound and may affect
up to 27 users inside the company.


Image 1.2: Overview Malops incident

Looking at the malops report, we can find other information, such as 49 malicious processes and 16
suspicious connections. These processes could be many different malware samples being downloaded to the
environment. As we can see in the image below, we have many processes with different names, such as
[.exe / chrome.exe / core.exe / msmpeng.exe and 17x unknown processes].

Image 1.3: Process information by Malops Report


• Second Step

In this stage, we started to work with some hypotheses; however, for this to happen, we needed to understand
the “possible” timeline of this incident. Looking inside the Malops Report (in PDF), we can find the date on
which this incident might have started.

On 14th May, the first execution started. After 14 days, on 1st Jun, it was triggered as a C&C Blocklisted
Domain, and the next day it continued “infecting” many other machines in our environment. All these machines
would be accessing cookiesync.slyngshot.io, with the IP 23.239.15.172.

All these triggers are based on the Cybereason documentation:

Triggering item - The process that caused Cybereason to create a Malop.

Detection type - Category of detection that recognized the malicious behavior.

Root cause - The underlying reason why an activity is considered malicious.

(https://nest.cybereason.com/documentation/product-documentation/201/what-malop)

Image 1.4: Timeline of the Incident


• Third Step

Based on this information, we started further research, using a tool that works as a multi-engine antivirus
scanner, known as VirusTotal.

We performed two tests, one on the “malicious” URL and one on the root domain; both of them came back as safe.

Image 1.5: Research VirusTotal Platform

We tried to access the domain in a controlled environment to observe its behavior; however, the domain was
inaccessible with a 404 Not Found error, which could have many causes, such as an incorrect URL, an
incompatible extension, a disabled page or an unstable server.

Image 1.6: Testing the domain


Another perspective is to look for information on other kinds of platforms or databases, to find any
reputation for this domain. I created a test on the Hybrid Analysis platform, which is a sandbox in the
cloud for running tests on URLs/files/hashes and so on. The result of this test is that this domain is safe,
and the behavior was the same as in our environment, as you can see in the screenshot below provided by the
Hybrid Analysis sandbox.

Image 1.7: Hybrid Analysis Sandbox

After this, I created another test on the app.any.run platform, which is also a cloud sandbox for running
tests on URLs/files/hashes and so on. This test brought the same result, Safe Domain, and the
behavior was the same as in our environment, as you can see in the screenshot below provided by the app.any.run
sandbox.


Image 1.8: App.any.Run Sandbox

After that, we performed this analysis based on all the evidence. It is clear that this domain is safe. Another
important point is that, as the Cybereason documentation explains:

“VirusTotal domain classification is also factored into certain threat calculations, but core decision-making is
based on the techniques described above.”

(https://nest.cybereason.com/knowledgebase/14192)

However, in this incident, the “engine or maybe API” from VirusTotal was used.

Impact

At the end of this test, it was possible to verify that this domain and these alerts are totally safe, and this can
generate many unnecessary alerts, as you can see below:

• Many alerts with false positives in the internal SOC (Customer Environment);

• Many customers could be impacted by a false positive, because they’re using the Global Threat Intelligence
database by Cybereason;

• Many alerts with false positives in the Cybereason SOC, because they respond to all Malops cases in the
customer environment.

Recommendation Actions

As we mentioned before, we wanted to conduct an investigation on Malops (Malware Operations) that were
recurring in our environment. At the end of this test, the following actions were taken to improve the
protection of the environment's assets.

You can use the tips below, used in the Threat Hunting investigation, to evaluate an IOA (Indicator of
Attack) analysis:

• Internal hosts with bad/suspicious destinations,

• Many internal hosts accessing the same domain/IP/URL,

• Recurrence of the same malware on different machines,

• Internal hosts using non-standard ports,

• Public Servers/DMZ connecting to internal hosts,

• Network scans by internal hosts,

• Multiple alarm events from a single host,

• A system being reinfected with malware,

• Multiple logins from different regions,

• Internal hosts generating a lot of SMTP traffic,

• Internal hosts performing many queries to External/Internal DNS.

Open a support case with the manufacturer so they can try to solve this false positive.
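The IOA this investigation started from, many internal hosts reaching the same destination, can be hunted for directly in connection logs. The script below is an added example, not code from the article or from Cybereason: it parses constructed sample log lines, counts distinct hosts and the day span per destination, and skips an allowlist of destinations a previous investigation already cleared, which is what the vendor's whitelisting of the ad-tracking domain amounts to. The log format, domain names and threshold are assumptions.

```python
# Added example (not from the article): hunt for "many internal hosts -> one domain".
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <host> <direction> <domain>".
# The domains are placeholders, not the article's indicator.
SAMPLE_LOG = """\
2020-08-11T09:01:02 host-01 outbound tracker.example-ads.test
2020-08-11T09:03:15 host-02 outbound tracker.example-ads.test
2020-08-11T10:12:44 host-03 outbound tracker.example-ads.test
2020-08-11T10:40:01 host-01 outbound updates.example-vendor.test
2020-08-12T08:15:09 host-04 outbound tracker.example-ads.test
2020-08-12T11:20:33 host-05 outbound c2-candidate.example.test
2020-08-12T11:21:07 host-06 outbound c2-candidate.example.test
2020-08-12T11:22:48 host-07 outbound c2-candidate.example.test
"""

# Destinations already verified as benign (e.g. an ad/analytics platform), so the
# same false positive is not raised again for every host that reaches them.
ALLOWLIST = {"tracker.example-ads.test"}

def parse_log(text):
    """Yield (timestamp, host, domain) from the sample format; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, _direction, domain = parts
        yield datetime.fromisoformat(ts), host, domain.lower()

def summarize(text):
    """Per domain: the distinct hosts that contacted it and the first/last time it was seen."""
    summary = {}
    for ts, host, domain in parse_log(text):
        entry = summary.setdefault(domain, {"hosts": set(), "first": ts, "last": ts})
        entry["hosts"].add(host)
        entry["first"], entry["last"] = min(entry["first"], ts), max(entry["last"], ts)
    return summary

def find_shared_destinations(text, min_hosts=3, allowlist=ALLOWLIST):
    """Domains reached by >= min_hosts distinct hosts (allowlist excluded), most hosts first."""
    hits = []
    for domain, e in summarize(text).items():
        if domain in allowlist or len(e["hosts"]) < min_hosts:
            continue
        span = (e["last"].date() - e["first"].date()).days + 1  # calendar days of activity
        hits.append({"domain": domain, "hosts": sorted(e["hosts"]), "days": span})
    hits.sort(key=lambda h: (-len(h["hosts"]), h["domain"]))
    return hits

if __name__ == "__main__":
    print(find_shared_destinations(SAMPLE_LOG))
```

Running it with an empty allowlist shows the ad tracker at the top of the list with four hosts, which is exactly the shape of the alert the article investigated before the destination was confirmed benign.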

Answers from Cybereason Company

As we mentioned before, we wanted to conduct an investigation on Malops that were recurring in our
environment. The same domain was observed being accessed by many machines from different teams, on
different days and at different times. After our analysis, the following actions were taken to improve the
protection of our assets:

This investigation was sent to Cybereason support as support case number #00091458
(https://nest.cybereason.com/support/case/00091458)


Our idea with this case was to understand how the detection engine works, how Global Threat Intelligence
by Cybereason classifies this information, and how the correlations are made.

Image 1.9: Support Case

We only received generic information from support:

“To establish some grounds: We use both EDR and NGAV. I know your environment is using our latest version
too so that includes a lot of different detection features.”

Image 1.10: Answer from Support

After that, our Customer Success contact sent me an email, requesting that I send an email to the AMS Team. After
sending the email to the AMS team, we received a good answer.

“Hello Filipi,

Upon investigation by our GSOC, this domain was found to be related to an advertisement tracking and
analytics platform. While such traffic may be unwanted by an organization, it is not indicative of malicious
activity.

After reviewing these findings with our Detections team, we have decided to whitelist the malicious
classification in Cybereason's threat intelligence platform.”


Image 1.11: Answer from Support
