Sergey Golovanov - Indecent Response 2018
DC7499
February 10, 2018
Transcript
Indecent Response 2018
Sergey @k1k_ Golovanov, Principal Security Researcher, Kaspersky Lab
Challenge: find a SDC bus speed
Agenda
1. Shadowpad
2. 0x403AA91EE
3. Scanner2
4. Plans
1. Shadowpad
Case overview:
1. The bank's anti-fraud system has been detecting the printing of a lot of elite cards for the last several hours
2. The bank starts a network audit
3. The bank discovers suspicious DNS requests
4. Forensics cannot find malware on the PCs
5. The bank asks for help…
DNS requests
“Our worldwide customers range from small businesses right up to global Fortune 500 companies.” (NetSarang)
American Express, Bank of America Corp., Bank of China, BNP Paribas, Citigroup, Deutsche Bank, Fortis, General Electric, ING Group, Merrill Lynch, Morgan Stanley, Shinhan Financial Group, Societe Generale, UBS
https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsarang.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru
https://securelist.com/shadowpad-in-corporate-networks/81432/
What was done?
AutoMA – static analysis framework
Shadowpad after autoMA
Miniduke after autoMA
2. 0x403AA91EE
Case overview:
How to find suspicious DNS requests? sort | uniq -c | sort -rn
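The frequency-stacking pipeline above, as an added example that is not part of the talk: shell functions that apply `sort | uniq -c | sort -rn` to a DNS query log and then look at both ends of the ranking. The noisy top is mostly normal infrastructure; a DNS-based C2 channel usually sits in the long tail of names seen once or twice, many distinct subdomains under one parent, long labels. The log format (timestamp, client IP, queried name) and the sample lines are constructed assumptions, `*.tunnel.test` stands in for a beaconing host, and the parent-domain collapse is a deliberate simplification that ignores public suffixes such as co.uk.

```shell
# Added example, not from the talk. The slide's pipeline is
#   sort | uniq -c | sort -rn
# Assumed log format: one query per line, "<timestamp> <client-ip> <qname>".

# Constructed sample log; *.tunnel.test stands in for a beaconing host.
sample_dns_log() {   # prints the path of a temp file holding the sample
  f=$(mktemp)
  cat >"$f" <<'EOF'
2018-02-01T08:00:01 10.0.0.5 www.example.com.
2018-02-01T08:00:02 10.0.0.7 www.example.com.
2018-02-01T08:00:03 10.0.0.5 mail.example.com.
2018-02-01T08:00:04 10.0.0.9 WWW.example.com.
2018-02-01T08:00:05 10.0.0.11 update.vendor-cdn.example.
2018-02-01T08:00:06 10.0.0.5 www.example.com.
2018-02-01T08:00:07 10.0.0.42 e4b1c9d02af7e4b1c9d02af7e4b1c9d02af7.tunnel.test.
2018-02-01T08:00:08 10.0.0.42 9f03a7c1e2d49f03a7c1e2d49f03a7c1e2d4.tunnel.test.
2018-02-01T08:00:09 10.0.0.42 7c2e5d1a0b3f7c2e5d1a0b3f7c2e5d1a0b3f.tunnel.test.
2018-02-01T08:00:10 10.0.0.42 ab12cd34ef56ab12cd34ef56ab12cd34ef56.tunnel.test.
2018-02-01T08:00:11 10.0.0.7 mail.example.com.
2018-02-01T08:00:12 10.0.0.11 time.example.net.
EOF
  echo "$f"
}

# Extract the queried name (3rd field), lower-case it, strip the trailing dot,
# so case and FQDN-vs-not differences do not split one name into two counts.
qnames() {
  awk '{ print tolower($3) }' "$1" | sed 's/\.$//'
}

# The slide's pipeline: count identical lines, most frequent first.
stack() {
  sort | uniq -c | sort -rn
}

# Collapse a name to its parent domain (last two labels). Simplification:
# wrong for public suffixes like co.uk, good enough to group one-off
# subdomains under one apex.
parent_domain() {
  awk -F. 'NF>=2 { print $(NF-1)"."$NF; next } { print }'
}

# Top-N most queried names.  usage: top_names <logfile> [n]
top_names() {
  qnames "$1" | stack | head -n "${2:-10}"
}

# Parent domains ranked by how many DISTINCT subdomains were queried beneath
# them. A benign apex has a handful; a tunnel or beacon has dozens or more.
distinct_subdomains_per_parent() {   # usage: distinct_subdomains_per_parent <logfile>
  qnames "$1" | sort -u | parent_domain | stack
}

# Rare names (queried at most <max> times, default 1), longest first.
# Labels near the 63-byte limit in a rarely-seen name deserve a look.
rare_long_names() {   # usage: rare_long_names <logfile> [max]
  qnames "$1" | stack \
    | awk -v max="${2:-1}" '$1 <= max { print length($2), $2 }' \
    | sort -rn | awk '{ print $2 }'
}

# Stand-alone run over the constructed sample.
f=$(sample_dns_log)
echo "== most queried names ==";               top_names "$f" 5
echo "== distinct subdomains per parent ==";   distinct_subdomains_per_parent "$f" | head -n 5
echo "== rare, long names ==";                 rare_long_names "$f" | head -n 5
rm -f "$f"
```

The same three commands are what the Scanner2 part of the talk runs over collected logs, MFTs and registry hives; only the extraction step (`qnames` here) changes with the artifact.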
How to find suspicious PowerShell? sort | uniq -c | sort -rn
parse_evtx.exe System.evtx | findstr /i "power" | more
Record #2396788
2027.02.22-08:03:00 'Computer':'PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'Guid':'GUID', 'Name':'Service Control Manager', 'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04, 'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the system.), 'Qualifiers':16384, 'Keywords':8080000000000000, 'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692, 'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID, 'ServiceName':'1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
https://github.com/KasperskyLab/ForensicsTools/
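An added example, not the talk's tooling, of turning a 7045 record like the one above into something readable: shell functions that keep service-install records whose ImagePath is a shell one-liner rather than a service binary, pull out the `-encodedcommand` argument and decode it. PowerShell base64-encodes UTF-16LE, so the decoder strips the NUL bytes after `base64 -d`, which is only correct for ASCII payloads. The sample input is constructed from the slide's record (same field names, one record's fields per line assumed, with the service name `1aec4f0` and the base64 fragment taken from the slide), plus a constructed benign 7045 record and a 7036 record to show the filter. The slide's fragment decodes to `$s=New-Object IO.MemoryStream(`, the opening of an in-memory stager; the rest is cut off on the slide, so nothing past that is recoverable.

```shell
# Added example, not the talk's tooling. Hunt service-install events (7045)
# whose ImagePath is a command line, then decode the -encodedcommand payload.
# Assumption: parse_evtx-style text with one record's fields on one line, as
# in the slide's `parse_evtx.exe System.evtx | findstr /i "power"`.

# Constructed sample: the slide's record (trimmed), a benign 7045 and an
# unrelated 7036. The base64 blob is the one shown on the slide.
sample_evtx_text() {
  cat <<'EOF'
Record #2396788
2027.02.22-08:03:00 'Computer':'PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'EventID':7045 (A service was installed in the system.), 'ServiceName':'1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA'
Record #2396790
2027.02.22-08:05:12 'Computer':'PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'EventID':7045 (A service was installed in the system.), 'ServiceName':'ExampleAgent', 'ImagePath':'"C:\Program Files\Example\agent.exe"'
Record #2396791
2027.02.22-08:05:13 'Computer':'PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'EventID':7036 (The service entered the running state.), 'ServiceName':'ExampleAgent'
EOF
}

# Service-install records whose binary is a shell one-liner. A real service
# points at an .exe; %COMSPEC%, cmd.exe or powershell.exe in an ImagePath is
# the "run my command as SYSTEM through a throwaway service" pattern.
suspicious_services() {
  grep -F "'EventID':7045" | grep -Ei 'powershell|%COMSPEC%|cmd\.exe'
}

# The base64 blob after -encodedcommand. PowerShell accepts any unambiguous
# prefix (-e, -ec, -enc, ...), so match "-e<letters>" followed by a long base64
# run; the length floor keeps "-exec bypass" from matching.
extract_encoded() {
  grep -Eio -- '-e[a-z]*[[:space:]]+[A-Za-z0-9+/=]{16,}' | awk '{ print $2 }'
}

# PowerShell encodes UTF-16LE before base64. Dropping the NUL bytes is a cheap
# decoder that is right only for ASCII payloads (use `iconv -f UTF-16LE -t UTF-8`
# where available). A blob truncated mid-way, like the slide's, decodes only
# up to its last complete 4-character group.
decode_b64_utf16le() {
  base64 -d | tr -d '\000'
}

# End to end: one decoded command line per suspicious record.
decoded_commands() {
  suspicious_services | extract_encoded | while IFS= read -r blob; do
    printf '%s' "$blob" | decode_b64_utf16le
    printf '\n'
  done
}

# Stand-alone run over the constructed sample.
sample_evtx_text | decoded_commands
```

On a real System.evtx the interesting part is usually what follows the `MemoryStream(`: a gzip/deflate blob that is decompressed and `IEX`'d, so the next step is to carve that inner base64 out of the decoded text and inflate it.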
3. Scanner2
Case overview:
1. No money
2. No logs
3. No team
4. No idea about the network
5. CISO!
What to do? We need logs, we need MFTs, we need registry hives.
WE NEED TO RECOMPILE EVERYTHING!
Awesome batch file
How to find something suspicious? sort | uniq -c | sort -rn
https://cdn.securelist.com/files/2017/12/HappyNewYear.zip
4. Plans
1. MFT is a hell. Sleuthkit is not enough. We need more data about deleted files.
2. USN journal is required, without touching the HDD.
3. Registry analysis is needed that covers the unallocated part of the hives.
Why?
Thank you! Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky Lab